我的书签
添加书签
移除书签Traefik & Kubernetes
The Kubernetes Ingress Controller, The Custom Resource Way.
Configuration Examples
Configuring KubernetesCRD and Deploying/Exposing Services
Resource Definition
# All resources definition must be declared---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: ingressroutes.traefik.iospec:group: traefik.ionames:kind: IngressRoutelistKind: IngressRouteListplural: ingressroutessingular: ingressroutescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: IngressRoute is the CRD implementation of a Traefik HTTP Router.properties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: IngressRouteSpec defines the desired state of IngressRoute.properties:entryPoints:description: |-EntryPoints defines the list of entry point names to bind to.Entry points have to be configured in the static configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/Default: all.items:type: stringtype: arrayroutes:description: Routes defines the list of routes.items:description: Route holds the HTTP route configuration.properties:kind:description: |-Kind defines the kind of the route.Rule is the only supported kind.enum:- Ruletype: stringmatch:description: |-Match defines the router's rule.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#ruletype: stringmiddlewares:description: |-Middlewares defines the list of references to Middleware resources.More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-middlewareitems:description: MiddlewareRef is a reference to a Middlewareresource.properties:name:description: Name defines the name of the referenced Middlewareresource.type: stringnamespace:description: Namespace defines the namespace of the referencedMiddleware resource.type: stringrequired:- nametype: objecttype: arraypriority:description: |-Priority defines the router's priority.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#prioritytype: integerservices:description: |-Services defines the list of Service.It can contain any combination of TraefikService and/or reference to a Kubernetes Service.items:description: Service defines an upstream HTTP service to proxytraffic to.properties:healthCheck:description: Healthcheck defines health checks for ExternalNameservices.properties:followRedirects:description: |-FollowRedirects defines whether redirects should be followed during the health check calls.Default: truetype: booleanheaders:additionalProperties:type: stringdescription: Headers defines custom headers to besent to the health check endpoint.type: objecthostname:description: Hostname defines the value of hostnamein the Host header of the health check request.type: stringinterval:anyOf:- type: integer- type: stringdescription: |-Interval defines the frequency of the health check calls.Default: 30sx-kubernetes-int-or-string: truemethod:description: Method defines the healthcheck method.type: stringmode:description: |-Mode defines the health check mode.If defined to grpc, will use the gRPC health check protocol to probe the server.Default: httptype: stringpath:description: Path defines the server URL path forthe health check endpoint.type: stringport:description: Port defines the server URL port forthe health check endpoint.type: integerscheme:description: Scheme replaces the server URL schemefor the health check endpoint.type: stringstatus:description: Status defines the expected HTTP statuscode of the response to the health check request.type: integertimeout:anyOf:- type: integer- type: stringdescription: |-Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.Default: 5sx-kubernetes-int-or-string: truetype: objectkind:description: Kind defines the kind of the Service.enum:- Service- TraefikServicetype: stringname:description: |-Name defines the name of the referenced Kubernetes Service or TraefikService.The differentiation between the two is specified in the Kind field.type: stringnamespace:description: Namespace defines the namespace of the referencedKubernetes Service or TraefikService.type: stringnativeLB:description: |-NativeLB controls, when creating the load-balancer,whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.The Kubernetes Service itself does load-balance to the pods.By default, NativeLB is false.type: booleannodePortLB:description: |-NodePortLB controls, when creating the load-balancer,whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.By default, NodePortLB is false.type: booleanpassHostHeader:description: |-PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.By default, passHostHeader is true.type: booleanport:anyOf:- type: integer- type: stringdescription: |-Port defines the port of a Kubernetes Service.This can be a reference to a named port.x-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding defines how Traefik forwardsthe response from the upstream Kubernetes Service tothe client.properties:flushInterval:description: |-FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.A negative value means to flush immediately after each write to the client.This configuration is ignored when ReverseProxy recognizes a response as a streaming response;for such responses, writes are flushed to the client immediately.Default: 100mstype: stringtype: objectscheme:description: |-Scheme defines the scheme to use for the request to the upstream Kubernetes Service.It defaults to https when Kubernetes Service port is 443, http otherwise.type: stringserversTransport:description: |-ServersTransport defines the name of ServersTransport resource to use.It allows to configure the transport between Traefik and your servers.Can only be used on a Kubernetes Service.type: stringsticky:description: |-Sticky defines the sticky sessions configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessionsproperties:cookie:description: Cookie defines the sticky cookie configuration.properties:httpOnly:description: HTTPOnly defines whether the cookiecan be accessed by client-side APIs, such asJavaScript.type: booleanmaxAge:description: |-MaxAge indicates the number of seconds until the cookie expires.When set to a negative number, the cookie expires immediately.When set to zero, the cookie never expires.type: integername:description: Name defines the Cookie name.type: stringsameSite:description: |-SameSite defines the same site policy.More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSitetype: stringsecure:description: Secure defines whether the cookiecan only be transmitted over an encrypted connection(i.e. HTTPS).type: booleantype: objecttype: objectstrategy:description: |-Strategy defines the load balancing strategy between the servers.RoundRobin is the only supported value at the moment.type: stringweight:description: |-Weight defines the weight and should only be specified when Name references a TraefikService object(and to be precise, one that embeds a Weighted Round Robin).type: integerrequired:- nametype: objecttype: arraysyntax:description: |-Syntax defines the router's rule syntax.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntaxtype: stringrequired:- kind- matchtype: objecttype: arraytls:description: |-TLS defines the TLS configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tlsproperties:certResolver:description: |-CertResolver defines the name of the certificate resolver to use.Cert resolvers have to be configured in the static configuration.More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolverstype: stringdomains:description: |-Domains defines the list of domains that will be used to issue certificates.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domainsitems:description: Domain holds a domain name with SANs.properties:main:description: Main defines the main domain name.type: stringsans:description: SANs defines the subject alternative domainnames.items:type: stringtype: arraytype: objecttype: arrayoptions:description: |-Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.If not defined, the `default` TLSOption is used.More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-optionsproperties:name:description: |-Name defines the name of the referenced TLSOption.More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoptiontype: stringnamespace:description: |-Namespace defines the namespace of the referenced TLSOption.More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsoptiontype: stringrequired:- nametype: objectsecretName:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.type: stringstore:description: |-Store defines the reference to the TLSStore, that will be used to store certificates.Please note that only `default` TLSStore can be used.properties:name:description: |-Name defines the name of the referenced TLSStore.More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstoretype: stringnamespace:description: |-Namespace defines the namespace of the referenced TLSStore.More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-tlsstoretype: stringrequired:- nametype: objecttype: objectrequired:- routestype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: ingressroutetcps.traefik.iospec:group: traefik.ionames:kind: IngressRouteTCPlistKind: IngressRouteTCPListplural: ingressroutetcpssingular: ingressroutetcpscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router.properties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP.properties:entryPoints:description: |-EntryPoints defines the list of entry point names to bind to.Entry points have to be configured in the static configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/Default: all.items:type: stringtype: arrayroutes:description: Routes defines the list of routes.items:description: RouteTCP holds the TCP route configuration.properties:match:description: |-Match defines the router's rule.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rule_1type: stringmiddlewares:description: Middlewares defines the list of references to MiddlewareTCPresources.items:description: ObjectReference is a generic reference to a Traefikresource.properties:name:description: Name defines the name of the referenced Traefikresource.type: stringnamespace:description: Namespace defines the namespace of the referencedTraefik resource.type: stringrequired:- nametype: objecttype: arraypriority:description: |-Priority defines the router's priority.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#priority_1type: integerservices:description: Services defines the list of TCP services.items:description: ServiceTCP defines an upstream TCP service toproxy traffic to.properties:name:description: Name defines the name of the referenced KubernetesService.type: stringnamespace:description: Namespace defines the namespace of the referencedKubernetes Service.type: stringnativeLB:description: |-NativeLB controls, when creating the load-balancer,whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.The Kubernetes Service itself does load-balance to the pods.By default, NativeLB is false.type: booleannodePortLB:description: |-NodePortLB controls, when creating the load-balancer,whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.By default, NodePortLB is false.type: booleanport:anyOf:- type: integer- type: stringdescription: |-Port defines the port of a Kubernetes Service.This can be a reference to a named port.x-kubernetes-int-or-string: trueproxyProtocol:description: |-ProxyProtocol defines the PROXY protocol configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/services/#proxy-protocolproperties:version:description: Version defines the PROXY Protocol versionto use.type: integertype: objectserversTransport:description: |-ServersTransport defines the name of ServersTransportTCP resource to use.It allows to configure the transport between Traefik and your servers.Can only be used on a Kubernetes Service.type: stringterminationDelay:description: |-TerminationDelay defines the deadline that the proxy sets, after one of its connected peers indicatesit has closed the writing capability of its connection, to close the reading capability as well,hence fully terminating the connection.It is a duration in milliseconds, defaulting to 100.A negative value means an infinite deadline (i.e. the reading capability is never closed).Deprecated: TerminationDelay will not be supported in future APIVersions, please use ServersTransport to configure the TerminationDelay instead.type: integertls:description: TLS determines whether to use TLS when dialingwith the backend.type: booleanweight:description: Weight defines the weight used when balancingrequests between multiple Kubernetes Service.type: integerrequired:- name- porttype: objecttype: arraysyntax:description: |-Syntax defines the router's rule syntax.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#rulesyntax_1type: stringrequired:- matchtype: objecttype: arraytls:description: |-TLS defines the TLS configuration on a layer 4 / TCP Route.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#tls_1properties:certResolver:description: |-CertResolver defines the name of the certificate resolver to use.Cert resolvers have to be configured in the static configuration.More info: https://doc.traefik.io/traefik/v3.2/https/acme/#certificate-resolverstype: stringdomains:description: |-Domains defines the list of domains that will be used to issue certificates.More info: https://doc.traefik.io/traefik/v3.2/routing/routers/#domainsitems:description: Domain holds a domain name with SANs.properties:main:description: Main defines the main domain name.type: stringsans:description: SANs defines the subject alternative domainnames.items:type: stringtype: arraytype: objecttype: arrayoptions:description: |-Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.If not defined, the `default` TLSOption is used.More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-optionsproperties:name:description: Name defines the name of the referenced Traefikresource.type: stringnamespace:description: Namespace defines the namespace of the referencedTraefik resource.type: stringrequired:- nametype: objectpassthrough:description: Passthrough defines whether a TLS router will terminatethe TLS connection.type: booleansecretName:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.type: stringstore:description: |-Store defines the reference to the TLSStore, that will be used to store certificates.Please note that only `default` TLSStore can be used.properties:name:description: Name defines the name of the referenced Traefikresource.type: stringnamespace:description: Namespace defines the namespace of the referencedTraefik resource.type: stringrequired:- nametype: objecttype: objectrequired:- routestype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: ingressrouteudps.traefik.iospec:group: traefik.ionames:kind: IngressRouteUDPlistKind: IngressRouteUDPListplural: ingressrouteudpssingular: ingressrouteudpscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router.properties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.properties:entryPoints:description: |-EntryPoints defines the list of entry point names to bind to.Entry points have to be configured in the static configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/entrypoints/Default: all.items:type: stringtype: arrayroutes:description: Routes defines the list of routes.items:description: RouteUDP holds the UDP route configuration.properties:services:description: Services defines the list of UDP services.items:description: ServiceUDP defines an upstream UDP service toproxy traffic to.properties:name:description: Name defines the name of the referenced KubernetesService.type: stringnamespace:description: Namespace defines the namespace of the referencedKubernetes Service.type: stringnativeLB:description: |-NativeLB controls, when creating the load-balancer,whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.The Kubernetes Service itself does load-balance to the pods.By default, NativeLB is false.type: booleannodePortLB:description: |-NodePortLB controls, when creating the load-balancer,whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.By default, NodePortLB is false.type: booleanport:anyOf:- type: integer- type: stringdescription: |-Port defines the port of a Kubernetes Service.This can be a reference to a named port.x-kubernetes-int-or-string: trueweight:description: Weight defines the weight used when balancingrequests between multiple Kubernetes Service.type: integerrequired:- name- porttype: objecttype: arraytype: objecttype: arrayrequired:- routestype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: middlewares.traefik.iospec:group: traefik.ionames:kind: MiddlewarelistKind: MiddlewareListplural: middlewaressingular: middlewarescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: |-Middleware is the CRD implementation of a Traefik Middleware.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/overview/properties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: MiddlewareSpec defines the desired state of a Middleware.properties:addPrefix:description: |-AddPrefix holds the add prefix middleware configuration.This middleware updates the path of a request before forwarding it.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/addprefix/properties:prefix:description: |-Prefix is the string to add before the current path in the requested URL.It should include a leading slash (/).type: stringtype: objectbasicAuth:description: |-BasicAuth holds the basic auth middleware configuration.This middleware restricts access to your services to known users.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/properties:headerField:description: |-HeaderField defines a header field to store the authenticated user.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfieldtype: stringrealm:description: |-Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.Default: traefik.type: stringremoveHeader:description: |-RemoveHeader sets the removeHeader option to true to remove the authorization header before forwarding the request to your service.Default: false.type: booleansecret:description: Secret is the name of the referenced Kubernetes Secretcontaining user credentials.type: stringtype: objectbuffering:description: |-Buffering holds the buffering middleware configuration.This middleware retries or limits the size of requests that can be forwarded to backends.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#maxrequestbodybytesproperties:maxRequestBodyBytes:description: |-MaxRequestBodyBytes defines the maximum allowed body size for the request (in bytes).If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a 413 (Request Entity Too Large) response.Default: 0 (no maximum).format: int64type: integermaxResponseBodyBytes:description: |-MaxResponseBodyBytes defines the maximum allowed response size from the service (in bytes).If the response exceeds the allowed size, it is not forwarded to the client. The client gets a 500 (Internal Server Error) response instead.Default: 0 (no maximum).format: int64type: integermemRequestBodyBytes:description: |-MemRequestBodyBytes defines the threshold (in bytes) from which the request will be buffered on disk instead of in memory.Default: 1048576 (1Mi).format: int64type: integermemResponseBodyBytes:description: |-MemResponseBodyBytes defines the threshold (in bytes) from which the response will be buffered on disk instead of in memory.Default: 1048576 (1Mi).format: int64type: integerretryExpression:description: |-RetryExpression defines the retry conditions.It is a logical combination of functions with operators AND (&&) and OR (||).More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/buffering/#retryexpressiontype: stringtype: objectchain:description: |-Chain holds the configuration of the chain middleware.This middleware enables to define reusable combinations of other pieces of middleware.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/chain/properties:middlewares:description: Middlewares is the list of MiddlewareRef which composesthe chain.items:description: MiddlewareRef is a reference to a Middleware resource.properties:name:description: Name defines the name of the referenced Middlewareresource.type: stringnamespace:description: Namespace defines the namespace of the referencedMiddleware resource.type: stringrequired:- nametype: objecttype: arraytype: objectcircuitBreaker:description: CircuitBreaker holds the circuit breaker configuration.properties:checkPeriod:anyOf:- type: integer- type: stringdescription: CheckPeriod is the interval between successive checksof the circuit breaker condition (when in standby state).x-kubernetes-int-or-string: trueexpression:description: Expression is the condition that triggers the trippedstate.type: stringfallbackDuration:anyOf:- type: integer- type: stringdescription: FallbackDuration is the duration for which the circuitbreaker will wait before trying to recover (from a tripped state).x-kubernetes-int-or-string: truerecoveryDuration:anyOf:- type: integer- type: stringdescription: RecoveryDuration is the duration for which the circuitbreaker will try to recover (as soon as it is in recoveringstate).x-kubernetes-int-or-string: trueresponseCode:description: ResponseCode is the status code that the circuitbreaker will return while it is in the open state.type: integertype: objectcompress:description: |-Compress holds the compress middleware configuration.This middleware compresses responses before sending them to the client, using gzip, brotli, or zstd compression.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/compress/properties:defaultEncoding:description: DefaultEncoding specifies the default encoding ifthe `Accept-Encoding` header is not in the request or containsa wildcard (`*`).type: stringencodings:description: Encodings defines the list of supported compressionalgorithms.items:type: stringtype: arrayexcludedContentTypes:description: |-ExcludedContentTypes defines the list of content types to compare the Content-Type header of the incoming requests and responses before compressing.`application/grpc` is always excluded.items:type: stringtype: arrayincludedContentTypes:description: IncludedContentTypes defines the list of contenttypes to compare the Content-Type header of the responses beforecompressing.items:type: stringtype: arrayminResponseBodyBytes:description: |-MinResponseBodyBytes defines the minimum amount of bytes a response body must have to be compressed.Default: 1024.type: integertype: objectcontentType:description: |-ContentType holds the content-type middleware configuration.This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.properties:autoDetect:description: |-AutoDetect specifies whether to let the `Content-Type` header, if it has not been set by the backend,be automatically set to a value derived from the contents of the response.Deprecated: AutoDetect option is deprecated, Content-Type middleware is only meant to be used to enable the content-type detection, please remove any usage of this option.type: booleantype: objectdigestAuth:description: |-DigestAuth holds the digest auth middleware configuration.This middleware restricts access to your services to known users.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/digestauth/properties:headerField:description: |-HeaderField defines a header field to store the authenticated user.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/basicauth/#headerfieldtype: stringrealm:description: |-Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.Default: traefik.type: stringremoveHeader:description: RemoveHeader defines whether to remove the authorizationheader before forwarding the request to the backend.type: booleansecret:description: Secret is the name of the referenced Kubernetes Secretcontaining user credentials.type: stringtype: objecterrors:description: |-ErrorPage holds the custom error middleware configuration.This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/properties:query:description: |-Query defines the URL for the error page (hosted by service).The {status} variable can be used in order to insert the status code in the URL.type: stringservice:description: |-Service defines the reference to a Kubernetes Service that will serve the error page.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/errorpages/#serviceproperties:healthCheck:description: Healthcheck defines health checks for ExternalNameservices.properties:followRedirects:description: |-FollowRedirects defines whether redirects should be followed during the health check calls.Default: truetype: booleanheaders:additionalProperties:type: stringdescription: Headers defines custom headers to be sentto the health check endpoint.type: objecthostname:description: Hostname defines the value of hostname inthe Host header of the health check request.type: stringinterval:anyOf:- type: integer- type: stringdescription: |-Interval defines the frequency of the health check calls.Default: 30sx-kubernetes-int-or-string: truemethod:description: Method defines the healthcheck method.type: stringmode:description: |-Mode defines the health check mode.If defined to grpc, will use the gRPC health check protocol to probe the server.Default: httptype: stringpath:description: Path defines the server URL path for thehealth check endpoint.type: stringport:description: Port defines the server URL port for thehealth check endpoint.type: integerscheme:description: Scheme replaces the server URL scheme forthe health check endpoint.type: stringstatus:description: Status defines the expected HTTP status codeof the response to the health check request.type: integertimeout:anyOf:- type: integer- type: stringdescription: |-Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.Default: 5sx-kubernetes-int-or-string: truetype: objectkind:description: Kind defines the kind of the Service.enum:- Service- TraefikServicetype: stringname:description: |-Name defines the name of the referenced Kubernetes Service or TraefikService.The differentiation between the two is specified in the Kind field.type: stringnamespace:description: Namespace defines the namespace of the referencedKubernetes Service or TraefikService.type: stringnativeLB:description: |-NativeLB controls, when creating the load-balancer,whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.The Kubernetes Service itself does load-balance to the pods.By default, NativeLB is false.type: booleannodePortLB:description: |-NodePortLB controls, when creating the load-balancer,whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.By default, NodePortLB is false.type: booleanpassHostHeader:description: |-PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.By default, passHostHeader is true.type: booleanport:anyOf:- type: integer- type: stringdescription: |-Port defines the port of a Kubernetes Service.This can be a reference to a named port.x-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding defines how Traefik forwardsthe response from the upstream Kubernetes Service to theclient.properties:flushInterval:description: |-FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.A negative value means to flush immediately after each write to the client.This configuration is ignored when ReverseProxy recognizes a response as a streaming response;for such responses, writes are flushed to the client immediately.Default: 100mstype: stringtype: objectscheme:description: |-Scheme defines the scheme to use for the request to the upstream Kubernetes Service.It defaults to https when Kubernetes Service port is 443, http otherwise.type: stringserversTransport:description: |-ServersTransport defines the name of ServersTransport resource to use.It allows to configure the transport between Traefik and your servers.Can only be used on a Kubernetes Service.type: stringsticky:description: |-Sticky defines the sticky sessions configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessionsproperties:cookie:description: Cookie defines the sticky cookie configuration.properties:httpOnly:description: HTTPOnly defines whether the cookie canbe accessed by client-side APIs, such as JavaScript.type: booleanmaxAge:description: |-MaxAge indicates the number of seconds until the cookie expires.When set to a negative number, the cookie expires immediately.When set to zero, the cookie never expires.type: integername:description: Name defines the Cookie name.type: stringsameSite:description: |-SameSite defines the same site policy.More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSitetype: stringsecure:description: Secure defines whether the cookie canonly be transmitted over an encrypted connection(i.e. HTTPS).type: booleantype: objecttype: objectstrategy:description: |-Strategy defines the load balancing strategy between the servers.RoundRobin is the only supported value at the moment.type: stringweight:description: |-Weight defines the weight and should only be specified when Name references a TraefikService object(and to be precise, one that embeds a Weighted Round Robin).type: integerrequired:- nametype: objectstatus:description: |-Status defines which status or range of statuses should result in an error page.It can be either a status code as a number (500),as multiple comma-separated numbers (500,502),as ranges by separating two codes with a dash (500-599),or a combination of the two (404,418,500-599).items:type: stringtype: arraytype: objectforwardAuth:description: |-ForwardAuth holds the forward auth middleware configuration.This middleware delegates the request authentication to a Service.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/properties:addAuthCookiesToResponse:description: AddAuthCookiesToResponse defines the list of cookiesto copy from the authentication server response to the response.items:type: stringtype: arrayaddress:description: Address defines the authentication server address.type: stringauthRequestHeaders:description: |-AuthRequestHeaders defines the list of the headers to copy from the request to the authentication server.If not set or empty then all request headers are passed.items:type: stringtype: arrayauthResponseHeaders:description: AuthResponseHeaders defines the list of headers tocopy from the authentication server response and set on forwardedrequest, replacing any existing conflicting headers.items:type: stringtype: arrayauthResponseHeadersRegex:description: |-AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/forwardauth/#authresponseheadersregextype: stringtls:description: TLS defines the configuration used to secure theconnection to the authentication server.properties:caOptional:description: 'Deprecated: TLS client authentication is a serverside option (see https://github.com/golang/go/blob/740a490f71d026bb7d2d13cb8fa2d6d6e0572b70/src/crypto/tls/common.go#L634).'type: booleancaSecret:description: |-CASecret is the name of the referenced Kubernetes Secret containing the CA to validate the server certificate.The CA certificate is extracted from key `tls.ca` or `ca.crt`.type: stringcertSecret:description: |-CertSecret is the name of the referenced Kubernetes Secret containing the client certificate.The client certificate is extracted from the keys `tls.crt` and `tls.key`.type: stringinsecureSkipVerify:description: InsecureSkipVerify defines whether the servercertificates should be validated.type: booleantype: objecttrustForwardHeader:description: 'TrustForwardHeader defines whether to trust (ie:forward) all X-Forwarded-* headers.'type: booleantype: objectgrpcWeb:description: |-GrpcWeb holds the gRPC web middleware configuration.This middleware converts a gRPC web request to an HTTP/2 gRPC request.properties:allowOrigins:description: |-AllowOrigins is a list of allowable origins.Can also be a wildcard origin "*".items:type: stringtype: arraytype: objectheaders:description: |-Headers holds the headers middleware configuration.This middleware manages the requests and responses headers.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/headers/#customrequestheadersproperties:accessControlAllowCredentials:description: AccessControlAllowCredentials defines whether therequest can include user credentials.type: booleanaccessControlAllowHeaders:description: AccessControlAllowHeaders defines the Access-Control-Request-Headersvalues sent in preflight response.items:type: stringtype: arrayaccessControlAllowMethods:description: AccessControlAllowMethods defines the Access-Control-Request-Methodvalues sent in preflight response.items:type: stringtype: arrayaccessControlAllowOriginList:description: AccessControlAllowOriginList is a list of allowableorigins. Can also be a wildcard origin "*".items:type: stringtype: arrayaccessControlAllowOriginListRegex:description: AccessControlAllowOriginListRegex is a list of allowableorigins written following the Regular Expression syntax (https://golang.org/pkg/regexp/).items:type: stringtype: arrayaccessControlExposeHeaders:description: AccessControlExposeHeaders defines the Access-Control-Expose-Headersvalues sent in preflight response.items:type: stringtype: arrayaccessControlMaxAge:description: AccessControlMaxAge defines the time that a preflightrequest may be cached.format: int64type: integeraddVaryHeader:description: AddVaryHeader defines whether the Vary header isautomatically added/updated when the AccessControlAllowOriginListis set.type: booleanallowedHosts:description: AllowedHosts defines the fully qualified list ofallowed domain names.items:type: stringtype: arraybrowserXssFilter:description: BrowserXSSFilter defines whether to add the X-XSS-Protectionheader with the value 1; mode=block.type: booleancontentSecurityPolicy:description: ContentSecurityPolicy defines the Content-Security-Policyheader value.type: stringcontentSecurityPolicyReportOnly:description: ContentSecurityPolicyReportOnly defines the Content-Security-Policy-Report-Onlyheader value.type: stringcontentTypeNosniff:description: ContentTypeNosniff defines whether to add the X-Content-Type-Optionsheader with the nosniff value.type: booleancustomBrowserXSSValue:description: |-CustomBrowserXSSValue defines the X-XSS-Protection header value.This overrides the BrowserXssFilter option.type: stringcustomFrameOptionsValue:description: |-CustomFrameOptionsValue defines the X-Frame-Options header value.This overrides the FrameDeny option.type: stringcustomRequestHeaders:additionalProperties:type: stringdescription: CustomRequestHeaders defines the header names andvalues to apply to the request.type: objectcustomResponseHeaders:additionalProperties:type: stringdescription: CustomResponseHeaders defines the header names andvalues to apply to the response.type: objectfeaturePolicy:description: 'Deprecated: FeaturePolicy option is deprecated,please use PermissionsPolicy instead.'type: stringforceSTSHeader:description: ForceSTSHeader defines whether to add the STS headereven when the connection is HTTP.type: booleanframeDeny:description: FrameDeny defines whether to add the X-Frame-Optionsheader with the DENY value.type: booleanhostsProxyHeaders:description: HostsProxyHeaders defines the header keys that mayhold a proxied hostname value for the request.items:type: stringtype: arrayisDevelopment:description: |-IsDevelopment defines whether to mitigate the unwanted effects of the AllowedHosts, SSL, and STS options when developing.Usually testing takes place using HTTP, not HTTPS, and on localhost, not your production domain.If you would like your development environment to mimic production with complete Host blocking, SSL redirects,and STS headers, leave this as false.type: booleanpermissionsPolicy:description: |-PermissionsPolicy defines the Permissions-Policy header value.This allows sites to control browser features.type: stringpublicKey:description: PublicKey is the public key that implements HPKPto prevent MITM attacks with forged certificates.type: stringreferrerPolicy:description: |-ReferrerPolicy defines the Referrer-Policy header value.This allows sites to control whether browsers forward the Referer header to other sites.type: stringsslForceHost:description: 'Deprecated: SSLForceHost option is deprecated, pleaseuse RedirectRegex instead.'type: booleansslHost:description: 'Deprecated: SSLHost option is deprecated, pleaseuse RedirectRegex instead.'type: stringsslProxyHeaders:additionalProperties:type: stringdescription: |-SSLProxyHeaders defines the header keys with associated values that would indicate a valid HTTPS request.It can be useful when using other proxies (example: "X-Forwarded-Proto": "https").type: objectsslRedirect:description: 'Deprecated: SSLRedirect option is deprecated, pleaseuse EntryPoint redirection or RedirectScheme instead.'type: booleansslTemporaryRedirect:description: 'Deprecated: SSLTemporaryRedirect option is deprecated,please use EntryPoint redirection or RedirectScheme instead.'type: booleanstsIncludeSubdomains:description: STSIncludeSubdomains defines whether the includeSubDomainsdirective is appended to the Strict-Transport-Security header.type: booleanstsPreload:description: STSPreload defines whether the preload flag is appendedto the Strict-Transport-Security header.type: booleanstsSeconds:description: |-STSSeconds defines the max-age of the Strict-Transport-Security header.If set to 0, the header is not set.format: int64type: integertype: objectinFlightReq:description: |-InFlightReq holds the in-flight request middleware configuration.This middleware limits the number of requests being processed and served concurrently.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/properties:amount:description: |-Amount defines the maximum amount of allowed simultaneous in-flight request.The middleware responds with HTTP 429 Too Many Requests if there are already amount requests in progress (based on the same sourceCriterion strategy).format: int64type: integersourceCriterion:description: |-SourceCriterion defines what criterion is used to group requests as originating from a common source.If several strategies are defined at the same time, an error will be raised.If none are set, the default is to use the requestHost.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/inflightreq/#sourcecriterionproperties:ipStrategy:description: |-IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategyproperties:depth:description: Depth tells Traefik to use the X-Forwarded-Forheader and take the IP located at the depth position(starting from the right).type: integerexcludedIPs:description: ExcludedIPs configures Traefik to scan theX-Forwarded-For header and select the first IP not inthe list.items:type: stringtype: arrayipv6Subnet:description: IPv6Subnet configures Traefik to considerall IPv6 addresses from the defined subnet as originatingfrom the same IP. Applies to RemoteAddrStrategy andDepthStrategy.type: integertype: objectrequestHeaderName:description: RequestHeaderName defines the name of the headerused to group incoming requests.type: stringrequestHost:description: RequestHost defines whether to consider the requestHost as the source.type: booleantype: objecttype: objectipAllowList:description: |-IPAllowList holds the IP allowlist middleware configuration.This middleware limits allowed requests based on the client IP.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/properties:ipStrategy:description: |-IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategyproperties:depth:description: Depth tells Traefik to use the X-Forwarded-Forheader and take the IP located at the depth position (startingfrom the right).type: integerexcludedIPs:description: ExcludedIPs configures Traefik to scan the X-Forwarded-Forheader and select the first IP not in the list.items:type: stringtype: arrayipv6Subnet:description: IPv6Subnet configures Traefik to consider allIPv6 addresses from the defined subnet as originating fromthe same IP. Applies to RemoteAddrStrategy and DepthStrategy.type: integertype: objectrejectStatusCode:description: |-RejectStatusCode defines the HTTP status code used for refused requests.If not set, the default is 403 (Forbidden).type: integersourceRange:description: SourceRange defines the set of allowed IPs (or rangesof allowed IPs by using CIDR notation).items:type: stringtype: arraytype: objectipWhiteList:description: 'Deprecated: please use IPAllowList instead.'properties:ipStrategy:description: |-IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategyproperties:depth:description: Depth tells Traefik to use the X-Forwarded-Forheader and take the IP located at the depth position (startingfrom the right).type: integerexcludedIPs:description: ExcludedIPs configures Traefik to scan the X-Forwarded-Forheader and select the first IP not in the list.items:type: stringtype: arrayipv6Subnet:description: IPv6Subnet configures Traefik to consider allIPv6 addresses from the defined subnet as originating fromthe same IP. Applies to RemoteAddrStrategy and DepthStrategy.type: integertype: objectsourceRange:description: SourceRange defines the set of allowed IPs (or rangesof allowed IPs by using CIDR notation). Required.items:type: stringtype: arraytype: objectpassTLSClientCert:description: |-PassTLSClientCert holds the pass TLS client cert middleware configuration.This middleware adds the selected data from the passed client TLS certificate to a header.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/passtlsclientcert/properties:info:description: Info selects the specific client certificate detailsyou want to add to the X-Forwarded-Tls-Client-Cert-Info header.properties:issuer:description: Issuer defines the client certificate issuerdetails to add to the X-Forwarded-Tls-Client-Cert-Info header.properties:commonName:description: CommonName defines whether to add the organizationalUnitinformation into the issuer.type: booleancountry:description: Country defines whether to add the countryinformation into the issuer.type: booleandomainComponent:description: DomainComponent defines whether to add thedomainComponent information into the issuer.type: booleanlocality:description: Locality defines whether to add the localityinformation into the issuer.type: booleanorganization:description: Organization defines whether to add the organizationinformation into the issuer.type: booleanprovince:description: Province defines whether to add the provinceinformation into the issuer.type: booleanserialNumber:description: SerialNumber defines whether to add the serialNumberinformation into the issuer.type: booleantype: objectnotAfter:description: NotAfter defines whether to add the Not Afterinformation from the Validity part.type: booleannotBefore:description: NotBefore defines whether to add the Not Beforeinformation from the Validity part.type: booleansans:description: Sans defines whether to add the Subject AlternativeName information from the Subject Alternative Name part.type: booleanserialNumber:description: SerialNumber defines whether to add the clientserialNumber information.type: booleansubject:description: Subject defines the client certificate subjectdetails to add to the X-Forwarded-Tls-Client-Cert-Info header.properties:commonName:description: CommonName defines whether to add the organizationalUnitinformation into the subject.type: booleancountry:description: Country defines whether to add the countryinformation into the subject.type: booleandomainComponent:description: DomainComponent defines whether to add thedomainComponent information into the subject.type: booleanlocality:description: Locality defines whether to add the localityinformation into the subject.type: booleanorganization:description: Organization defines whether to add the organizationinformation into the subject.type: booleanorganizationalUnit:description: OrganizationalUnit defines whether to addthe organizationalUnit information into the subject.type: booleanprovince:description: Province defines whether to add the provinceinformation into the subject.type: booleanserialNumber:description: SerialNumber defines whether to add the serialNumberinformation into the subject.type: booleantype: objecttype: objectpem:description: PEM sets the X-Forwarded-Tls-Client-Cert header withthe certificate.type: booleantype: objectplugin:additionalProperties:x-kubernetes-preserve-unknown-fields: truedescription: |-Plugin defines the middleware plugin configuration.More info: https://doc.traefik.io/traefik/plugins/type: objectrateLimit:description: |-RateLimit holds the rate limit configuration.This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ratelimit/properties:average:description: |-Average is the maximum rate, by default in requests/s, allowed for the given source.It defaults to 0, which means no rate limiting.The rate is actually defined by dividing Average by Period. So for a rate below 1req/s,one needs to define a Period larger than a second.format: int64type: integerburst:description: |-Burst is the maximum number of requests allowed to arrive in the same arbitrarily small period of time.It defaults to 1.format: int64type: integerperiod:anyOf:- type: integer- type: stringdescription: |-Period, in combination with Average, defines the actual maximum rate, such as:r = Average / Period. It defaults to a second.x-kubernetes-int-or-string: truesourceCriterion:description: |-SourceCriterion defines what criterion is used to group requests as originating from a common source.If several strategies are defined at the same time, an error will be raised.If none are set, the default is to use the request's remote address field (as an ipStrategy).properties:ipStrategy:description: |-IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/ipallowlist/#ipstrategyproperties:depth:description: Depth tells Traefik to use the X-Forwarded-Forheader and take the IP located at the depth position(starting from the right).type: integerexcludedIPs:description: ExcludedIPs configures Traefik to scan theX-Forwarded-For header and select the first IP not inthe list.items:type: stringtype: arrayipv6Subnet:description: IPv6Subnet configures Traefik to considerall IPv6 addresses from the defined subnet as originatingfrom the same IP. Applies to RemoteAddrStrategy andDepthStrategy.type: integertype: objectrequestHeaderName:description: RequestHeaderName defines the name of the headerused to group incoming requests.type: stringrequestHost:description: RequestHost defines whether to consider the requestHost as the source.type: booleantype: objecttype: objectredirectRegex:description: |-RedirectRegex holds the redirect regex middleware configuration.This middleware redirects a request using regex matching and replacement.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectregex/#regexproperties:permanent:description: Permanent defines whether the redirection is permanent(301).type: booleanregex:description: Regex defines the regex used to match and captureelements from the request URL.type: stringreplacement:description: Replacement defines how to modify the URL to havethe new target URL.type: stringtype: objectredirectScheme:description: |-RedirectScheme holds the redirect scheme middleware configuration.This middleware redirects requests from a scheme/port to another.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/redirectscheme/properties:permanent:description: Permanent defines whether the redirection is permanent(301).type: booleanport:description: Port defines the port of the new URL.type: stringscheme:description: Scheme defines the scheme of the new URL.type: stringtype: objectreplacePath:description: |-ReplacePath holds the replace path middleware configuration.This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepath/properties:path:description: Path defines the path to use as replacement in therequest URL.type: stringtype: objectreplacePathRegex:description: |-ReplacePathRegex holds the replace path regex middleware configuration.This middleware replaces the path of a URL using regex matching and replacement.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/replacepathregex/properties:regex:description: Regex defines the regular expression used to matchand capture the path from the request URL.type: stringreplacement:description: Replacement defines the replacement path format,which can include captured variables.type: stringtype: objectretry:description: |-Retry holds the retry middleware configuration.This middleware reissues requests a given number of times to a backend server if that server does not reply.As soon as the server answers, the middleware stops retrying, regardless of the response status.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/retry/properties:attempts:description: Attempts defines how many times the request shouldbe retried.type: integerinitialInterval:anyOf:- type: integer- type: stringdescription: |-InitialInterval defines the first wait time in the exponential backoff series.The maximum interval is calculated as twice the initialInterval.If unspecified, requests will be retried immediately.The value of initialInterval should be provided in seconds or as a valid duration format,see https://pkg.go.dev/time#ParseDuration.x-kubernetes-int-or-string: truetype: objectstripPrefix:description: |-StripPrefix holds the strip prefix middleware configuration.This middleware removes the specified prefixes from the URL path.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefix/properties:forceSlash:description: |-Deprecated: ForceSlash option is deprecated, please remove any usage of this option.ForceSlash ensures that the resulting stripped path is not the empty string, by replacing it with / when necessary.Default: true.type: booleanprefixes:description: Prefixes defines the prefixes to strip from the requestURL.items:type: stringtype: arraytype: objectstripPrefixRegex:description: |-StripPrefixRegex holds the strip prefix regex middleware configuration.This middleware removes the matching prefixes from the URL path.More info: https://doc.traefik.io/traefik/v3.2/middlewares/http/stripprefixregex/properties:regex:description: Regex defines the regular expression to match thepath prefix from the request URL.items:type: stringtype: arraytype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: middlewaretcps.traefik.iospec:group: traefik.ionames:kind: MiddlewareTCPlistKind: MiddlewareTCPListplural: middlewaretcpssingular: middlewaretcpscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: |-MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.More info: https://doc.traefik.io/traefik/v3.2/middlewares/overview/properties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP.properties:inFlightConn:description: InFlightConn defines the InFlightConn middleware configuration.properties:amount:description: |-Amount defines the maximum amount of allowed simultaneous connections.The middleware closes the connection if there are already amount connections opened.format: int64type: integertype: objectipAllowList:description: |-IPAllowList defines the IPAllowList middleware configuration.This middleware accepts/refuses connections based on the client IP.More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipallowlist/properties:sourceRange:description: SourceRange defines the allowed IPs (or ranges ofallowed IPs by using CIDR notation).items:type: stringtype: arraytype: objectipWhiteList:description: |-IPWhiteList defines the IPWhiteList middleware configuration.This middleware accepts/refuses connections based on the client IP.Deprecated: please use IPAllowList instead.More info: https://doc.traefik.io/traefik/v3.2/middlewares/tcp/ipwhitelist/properties:sourceRange:description: SourceRange defines the allowed IPs (or ranges ofallowed IPs by using CIDR notation).items:type: stringtype: arraytype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: serverstransports.traefik.iospec:group: traefik.ionames:kind: ServersTransportlistKind: ServersTransportListplural: serverstransportssingular: serverstransportscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: |-ServersTransport is the CRD implementation of a ServersTransport.If no serversTransport is specified, the default@internal will be used.The default@internal serversTransport is created from the static configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_1properties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: ServersTransportSpec defines the desired state of a ServersTransport.properties:certificatesSecrets:description: CertificatesSecrets defines a list of secret storingclient certificates for mTLS.items:type: stringtype: arraydisableHTTP2:description: DisableHTTP2 disables HTTP/2 for connections with backendservers.type: booleanforwardingTimeouts:description: ForwardingTimeouts defines the timeouts for requestsforwarded to the backend servers.properties:dialTimeout:anyOf:- type: integer- type: stringdescription: DialTimeout is the amount of time to wait until aconnection to a backend server can be established.x-kubernetes-int-or-string: trueidleConnTimeout:anyOf:- type: integer- type: stringdescription: IdleConnTimeout is the maximum period for which anidle HTTP keep-alive connection will remain open before closingitself.x-kubernetes-int-or-string: truepingTimeout:anyOf:- type: integer- type: stringdescription: PingTimeout is the timeout after which the HTTP/2connection will be closed if a response to ping is not received.x-kubernetes-int-or-string: truereadIdleTimeout:anyOf:- type: integer- type: stringdescription: ReadIdleTimeout is the timeout after which a healthcheck using ping frame will be carried out if no frame is receivedon the HTTP/2 connection.x-kubernetes-int-or-string: trueresponseHeaderTimeout:anyOf:- type: integer- type: stringdescription: ResponseHeaderTimeout is the amount of time to waitfor a server's response headers after fully writing the request(including its body, if any).x-kubernetes-int-or-string: truetype: objectinsecureSkipVerify:description: InsecureSkipVerify disables SSL certificate verification.type: booleanmaxIdleConnsPerHost:description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)to keep per-host.type: integerpeerCertURI:description: PeerCertURI defines the peer cert URI used to match againstSAN URI during the peer certificate verification.type: stringrootCAsSecrets:description: RootCAsSecrets defines a list of CA secret used to validateself-signed certificate.items:type: stringtype: arrayserverName:description: ServerName defines the server name used to contact theserver.type: stringspiffe:description: Spiffe defines the SPIFFE configuration.properties:ids:description: IDs defines the allowed SPIFFE IDs (takes precedenceover the SPIFFE TrustDomain).items:type: stringtype: arraytrustDomain:description: TrustDomain defines the allowed SPIFFE trust domain.type: stringtype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: serverstransporttcps.traefik.iospec:group: traefik.ionames:kind: ServersTransportTCPlistKind: ServersTransportTCPListplural: serverstransporttcpssingular: serverstransporttcpscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: |-ServersTransportTCP is the CRD implementation of a TCPServersTransport.If no tcpServersTransport is specified, a default one named default@internal will be used.The default@internal tcpServersTransport can be configured in the static configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/services/#serverstransport_3properties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: ServersTransportTCPSpec defines the desired state of a ServersTransportTCP.properties:dialKeepAlive:anyOf:- type: integer- type: stringdescription: DialKeepAlive is the interval between keep-alive probesfor an active network connection. If zero, keep-alive probes aresent with a default value (currently 15 seconds), if supported bythe protocol and operating system. Network protocols or operatingsystems that do not support keep-alives ignore this field. If negative,keep-alive probes are disabled.x-kubernetes-int-or-string: truedialTimeout:anyOf:- type: integer- type: stringdescription: DialTimeout is the amount of time to wait until a connectionto a backend server can be established.x-kubernetes-int-or-string: trueterminationDelay:anyOf:- type: integer- type: stringdescription: TerminationDelay defines the delay to wait before fullyterminating the connection, after one connected peer has closedits writing capability.x-kubernetes-int-or-string: truetls:description: TLS defines the TLS configurationproperties:certificatesSecrets:description: CertificatesSecrets defines a list of secret storingclient certificates for mTLS.items:type: stringtype: arrayinsecureSkipVerify:description: InsecureSkipVerify disables TLS certificate verification.type: booleanpeerCertURI:description: |-MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification.type: stringrootCAsSecrets:description: RootCAsSecrets defines a list of CA secret used tovalidate self-signed certificates.items:type: stringtype: arrayserverName:description: ServerName defines the server name used to contactthe server.type: stringspiffe:description: Spiffe defines the SPIFFE configuration.properties:ids:description: IDs defines the allowed SPIFFE IDs (takes precedenceover the SPIFFE TrustDomain).items:type: stringtype: arraytrustDomain:description: TrustDomain defines the allowed SPIFFE trustdomain.type: stringtype: objecttype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: tlsoptions.traefik.iospec:group: traefik.ionames:kind: TLSOptionlistKind: TLSOptionListplural: tlsoptionssingular: tlsoptionscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: |-TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.More info: https://doc.traefik.io/traefik/v3.2/https/tls/#tls-optionsproperties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: TLSOptionSpec defines the desired state of a TLSOption.properties:alpnProtocols:description: |-ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.More info: https://doc.traefik.io/traefik/v3.2/https/tls/#alpn-protocolsitems:type: stringtype: arraycipherSuites:description: |-CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.More info: https://doc.traefik.io/traefik/v3.2/https/tls/#cipher-suitesitems:type: stringtype: arrayclientAuth:description: ClientAuth defines the server's policy for TLS ClientAuthentication.properties:clientAuthType:description: ClientAuthType defines the client authenticationtype to apply.enum:- NoClientCert- RequestClientCert- RequireAnyClientCert- VerifyClientCertIfGiven- RequireAndVerifyClientCerttype: stringsecretNames:description: SecretNames defines the names of the referenced KubernetesSecret storing certificate details.items:type: stringtype: arraytype: objectcurvePreferences:description: |-CurvePreferences defines the preferred elliptic curves in a specific order.More info: https://doc.traefik.io/traefik/v3.2/https/tls/#curve-preferencesitems:type: stringtype: arraymaxVersion:description: |-MaxVersion defines the maximum TLS version that Traefik will accept.Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.Default: None.type: stringminVersion:description: |-MinVersion defines the minimum TLS version that Traefik will accept.Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.Default: VersionTLS10.type: stringpreferServerCipherSuites:description: |-PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.It is enabled automatically when minVersion or maxVersion is set.Deprecated: https://github.com/golang/go/issues/45430type: booleansniStrict:description: SniStrict defines whether Traefik allows connectionsfrom clients connections that do not specify a server_name extension.type: booleantype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: tlsstores.traefik.iospec:group: traefik.ionames:kind: TLSStorelistKind: TLSStoreListplural: tlsstoressingular: tlsstorescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: |-TLSStore is the CRD implementation of a Traefik TLS Store.For the time being, only the TLSStore named default is supported.This means that you cannot have two stores that are named default in different Kubernetes namespaces.More info: https://doc.traefik.io/traefik/v3.2/https/tls/#certificates-storesproperties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: TLSStoreSpec defines the desired state of a TLSStore.properties:certificates:description: Certificates is a list of secret names, each secret holdinga key/certificate pair to add to the store.items:description: Certificate holds a secret name for the TLSStore resource.properties:secretName:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.type: stringrequired:- secretNametype: objecttype: arraydefaultCertificate:description: DefaultCertificate defines the default certificate configuration.properties:secretName:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.type: stringrequired:- secretNametype: objectdefaultGeneratedCert:description: DefaultGeneratedCert defines the default generated certificateconfiguration.properties:domain:description: Domain is the domain definition for the DefaultCertificate.properties:main:description: Main defines the main domain name.type: stringsans:description: SANs defines the subject alternative domain names.items:type: stringtype: arraytype: objectresolver:description: Resolver is the name of the resolver that will beused to issue the DefaultCertificate.type: stringtype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: true---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.16.1name: traefikservices.traefik.iospec:group: traefik.ionames:kind: TraefikServicelistKind: TraefikServiceListplural: traefikservicessingular: traefikservicescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: |-TraefikService is the CRD implementation of a Traefik Service.TraefikService object allows to:- Apply weight to Services on load-balancing- Mirror traffic on servicesMore info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#kind-traefikserviceproperties:apiVersion:description: |-APIVersion defines the versioned schema of this representation of an object.Servers should convert recognized schemas to the latest internal value, andmay reject unrecognized values.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resourcestype: stringkind:description: |-Kind is a string value representing the REST resource this object represents.Servers may infer this from the endpoint the client submits requests to.Cannot be updated.In CamelCase.More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kindstype: stringmetadata:type: objectspec:description: TraefikServiceSpec defines the desired state of a TraefikService.properties:mirroring:description: Mirroring defines the Mirroring service configuration.properties:healthCheck:description: Healthcheck defines health checks for ExternalNameservices.properties:followRedirects:description: |-FollowRedirects defines whether redirects should be followed during the health check calls.Default: truetype: booleanheaders:additionalProperties:type: stringdescription: Headers defines custom headers to be sent tothe health check endpoint.type: objecthostname:description: Hostname defines the value of hostname in theHost header of the health check request.type: stringinterval:anyOf:- type: integer- type: stringdescription: |-Interval defines the frequency of the health check calls.Default: 30sx-kubernetes-int-or-string: truemethod:description: Method defines the healthcheck method.type: stringmode:description: |-Mode defines the health check mode.If defined to grpc, will use the gRPC health check protocol to probe the server.Default: httptype: stringpath:description: Path defines the server URL path for the healthcheck endpoint.type: stringport:description: Port defines the server URL port for the healthcheck endpoint.type: integerscheme:description: Scheme replaces the server URL scheme for thehealth check endpoint.type: stringstatus:description: Status defines the expected HTTP status codeof the response to the health check request.type: integertimeout:anyOf:- type: integer- type: stringdescription: |-Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.Default: 5sx-kubernetes-int-or-string: truetype: objectkind:description: Kind defines the kind of the Service.enum:- Service- TraefikServicetype: stringmaxBodySize:description: |-MaxBodySize defines the maximum size allowed for the body of the request.If the body is larger, the request is not mirrored.Default value is -1, which means unlimited size.format: int64type: integermirrorBody:description: |-MirrorBody defines whether the body of the request should be mirrored.Default value is true.type: booleanmirrors:description: Mirrors defines the list of mirrors where Traefikwill duplicate the traffic.items:description: MirrorService holds the mirror configuration.properties:healthCheck:description: Healthcheck defines health checks for ExternalNameservices.properties:followRedirects:description: |-FollowRedirects defines whether redirects should be followed during the health check calls.Default: truetype: booleanheaders:additionalProperties:type: stringdescription: Headers defines custom headers to be sentto the health check endpoint.type: objecthostname:description: Hostname defines the value of hostnamein the Host header of the health check request.type: stringinterval:anyOf:- type: integer- type: stringdescription: |-Interval defines the frequency of the health check calls.Default: 30sx-kubernetes-int-or-string: truemethod:description: Method defines the healthcheck method.type: stringmode:description: |-Mode defines the health check mode.If defined to grpc, will use the gRPC health check protocol to probe the server.Default: httptype: stringpath:description: Path defines the server URL path for thehealth check endpoint.type: stringport:description: Port defines the server URL port for thehealth check endpoint.type: integerscheme:description: Scheme replaces the server URL scheme forthe health check endpoint.type: stringstatus:description: Status defines the expected HTTP statuscode of the response to the health check request.type: integertimeout:anyOf:- type: integer- type: stringdescription: |-Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.Default: 5sx-kubernetes-int-or-string: truetype: objectkind:description: Kind defines the kind of the Service.enum:- Service- TraefikServicetype: stringname:description: |-Name defines the name of the referenced Kubernetes Service or TraefikService.The differentiation between the two is specified in the Kind field.type: stringnamespace:description: Namespace defines the namespace of the referencedKubernetes Service or TraefikService.type: stringnativeLB:description: |-NativeLB controls, when creating the load-balancer,whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.The Kubernetes Service itself does load-balance to the pods.By default, NativeLB is false.type: booleannodePortLB:description: |-NodePortLB controls, when creating the load-balancer,whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.By default, NodePortLB is false.type: booleanpassHostHeader:description: |-PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.By default, passHostHeader is true.type: booleanpercent:description: |-Percent defines the part of the traffic to mirror.Supported values: 0 to 100.type: integerport:anyOf:- type: integer- type: stringdescription: |-Port defines the port of a Kubernetes Service.This can be a reference to a named port.x-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding defines how Traefik forwardsthe response from the upstream Kubernetes Service to theclient.properties:flushInterval:description: |-FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.A negative value means to flush immediately after each write to the client.This configuration is ignored when ReverseProxy recognizes a response as a streaming response;for such responses, writes are flushed to the client immediately.Default: 100mstype: stringtype: objectscheme:description: |-Scheme defines the scheme to use for the request to the upstream Kubernetes Service.It defaults to https when Kubernetes Service port is 443, http otherwise.type: stringserversTransport:description: |-ServersTransport defines the name of ServersTransport resource to use.It allows to configure the transport between Traefik and your servers.Can only be used on a Kubernetes Service.type: stringsticky:description: |-Sticky defines the sticky sessions configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessionsproperties:cookie:description: Cookie defines the sticky cookie configuration.properties:httpOnly:description: HTTPOnly defines whether the cookiecan be accessed by client-side APIs, such as JavaScript.type: booleanmaxAge:description: |-MaxAge indicates the number of seconds until the cookie expires.When set to a negative number, the cookie expires immediately.When set to zero, the cookie never expires.type: integername:description: Name defines the Cookie name.type: stringsameSite:description: |-SameSite defines the same site policy.More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSitetype: stringsecure:description: Secure defines whether the cookie canonly be transmitted over an encrypted connection(i.e. HTTPS).type: booleantype: objecttype: objectstrategy:description: |-Strategy defines the load balancing strategy between the servers.RoundRobin is the only supported value at the moment.type: stringweight:description: |-Weight defines the weight and should only be specified when Name references a TraefikService object(and to be precise, one that embeds a Weighted Round Robin).type: integerrequired:- nametype: objecttype: arrayname:description: |-Name defines the name of the referenced Kubernetes Service or TraefikService.The differentiation between the two is specified in the Kind field.type: stringnamespace:description: Namespace defines the namespace of the referencedKubernetes Service or TraefikService.type: stringnativeLB:description: |-NativeLB controls, when creating the load-balancer,whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.The Kubernetes Service itself does load-balance to the pods.By default, NativeLB is false.type: booleannodePortLB:description: |-NodePortLB controls, when creating the load-balancer,whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.By default, NodePortLB is false.type: booleanpassHostHeader:description: |-PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.By default, passHostHeader is true.type: booleanport:anyOf:- type: integer- type: stringdescription: |-Port defines the port of a Kubernetes Service.This can be a reference to a named port.x-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding defines how Traefik forwards theresponse from the upstream Kubernetes Service to the client.properties:flushInterval:description: |-FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.A negative value means to flush immediately after each write to the client.This configuration is ignored when ReverseProxy recognizes a response as a streaming response;for such responses, writes are flushed to the client immediately.Default: 100mstype: stringtype: objectscheme:description: |-Scheme defines the scheme to use for the request to the upstream Kubernetes Service.It defaults to https when Kubernetes Service port is 443, http otherwise.type: stringserversTransport:description: |-ServersTransport defines the name of ServersTransport resource to use.It allows to configure the transport between Traefik and your servers.Can only be used on a Kubernetes Service.type: stringsticky:description: |-Sticky defines the sticky sessions configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessionsproperties:cookie:description: Cookie defines the sticky cookie configuration.properties:httpOnly:description: HTTPOnly defines whether the cookie can beaccessed by client-side APIs, such as JavaScript.type: booleanmaxAge:description: |-MaxAge indicates the number of seconds until the cookie expires.When set to a negative number, the cookie expires immediately.When set to zero, the cookie never expires.type: integername:description: Name defines the Cookie name.type: stringsameSite:description: |-SameSite defines the same site policy.More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSitetype: stringsecure:description: Secure defines whether the cookie can onlybe transmitted over an encrypted connection (i.e. HTTPS).type: booleantype: objecttype: objectstrategy:description: |-Strategy defines the load balancing strategy between the servers.RoundRobin is the only supported value at the moment.type: stringweight:description: |-Weight defines the weight and should only be specified when Name references a TraefikService object(and to be precise, one that embeds a Weighted Round Robin).type: integerrequired:- nametype: objectweighted:description: Weighted defines the Weighted Round Robin configuration.properties:services:description: Services defines the list of Kubernetes Service and/orTraefikService to load-balance, with weight.items:description: Service defines an upstream HTTP service to proxytraffic to.properties:healthCheck:description: Healthcheck defines health checks for ExternalNameservices.properties:followRedirects:description: |-FollowRedirects defines whether redirects should be followed during the health check calls.Default: truetype: booleanheaders:additionalProperties:type: stringdescription: Headers defines custom headers to be sentto the health check endpoint.type: objecthostname:description: Hostname defines the value of hostnamein the Host header of the health check request.type: stringinterval:anyOf:- type: integer- type: stringdescription: |-Interval defines the frequency of the health check calls.Default: 30sx-kubernetes-int-or-string: truemethod:description: Method defines the healthcheck method.type: stringmode:description: |-Mode defines the health check mode.If defined to grpc, will use the gRPC health check protocol to probe the server.Default: httptype: stringpath:description: Path defines the server URL path for thehealth check endpoint.type: stringport:description: Port defines the server URL port for thehealth check endpoint.type: integerscheme:description: Scheme replaces the server URL scheme forthe health check endpoint.type: stringstatus:description: Status defines the expected HTTP statuscode of the response to the health check request.type: integertimeout:anyOf:- type: integer- type: stringdescription: |-Timeout defines the maximum duration Traefik will wait for a health check request before considering the server unhealthy.Default: 5sx-kubernetes-int-or-string: truetype: objectkind:description: Kind defines the kind of the Service.enum:- Service- TraefikServicetype: stringname:description: |-Name defines the name of the referenced Kubernetes Service or TraefikService.The differentiation between the two is specified in the Kind field.type: stringnamespace:description: Namespace defines the namespace of the referencedKubernetes Service or TraefikService.type: stringnativeLB:description: |-NativeLB controls, when creating the load-balancer,whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.The Kubernetes Service itself does load-balance to the pods.By default, NativeLB is false.type: booleannodePortLB:description: |-NodePortLB controls, when creating the load-balancer,whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort.It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes.By default, NodePortLB is false.type: booleanpassHostHeader:description: |-PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.By default, passHostHeader is true.type: booleanport:anyOf:- type: integer- type: stringdescription: |-Port defines the port of a Kubernetes Service.This can be a reference to a named port.x-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding defines how Traefik forwardsthe response from the upstream Kubernetes Service to theclient.properties:flushInterval:description: |-FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.A negative value means to flush immediately after each write to the client.This configuration is ignored when ReverseProxy recognizes a response as a streaming response;for such responses, writes are flushed to the client immediately.Default: 100mstype: stringtype: objectscheme:description: |-Scheme defines the scheme to use for the request to the upstream Kubernetes Service.It defaults to https when Kubernetes Service port is 443, http otherwise.type: stringserversTransport:description: |-ServersTransport defines the name of ServersTransport resource to use.It allows to configure the transport between Traefik and your servers.Can only be used on a Kubernetes Service.type: stringsticky:description: |-Sticky defines the sticky sessions configuration.More info: https://doc.traefik.io/traefik/v3.2/routing/services/#sticky-sessionsproperties:cookie:description: Cookie defines the sticky cookie configuration.properties:httpOnly:description: HTTPOnly defines whether the cookiecan be accessed by client-side APIs, such as JavaScript.type: booleanmaxAge:description: |-MaxAge indicates the number of seconds until the cookie expires.When set to a negative number, the cookie expires immediately.When set to zero, the cookie never expires.type: integername:description: Name defines the Cookie name.type: stringsameSite:description: |-SameSite defines the same site policy.More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSitetype: stringsecure:description: Secure defines whether the cookie canonly be transmitted over an encrypted connection(i.e. HTTPS).type: booleantype: objecttype: objectstrategy:description: |-Strategy defines the load balancing strategy between the servers.RoundRobin is the only supported value at the moment.type: stringweight:description: |-Weight defines the weight and should only be specified when Name references a TraefikService object(and to be precise, one that embeds a Weighted Round Robin).type: integerrequired:- nametype: objecttype: arraysticky:description: |-Sticky defines whether sticky sessions are enabled.More info: https://doc.traefik.io/traefik/v3.2/routing/providers/kubernetes-crd/#stickiness-and-load-balancingproperties:cookie:description: Cookie defines the sticky cookie configuration.properties:httpOnly:description: HTTPOnly defines whether the cookie can beaccessed by client-side APIs, such as JavaScript.type: booleanmaxAge:description: |-MaxAge indicates the number of seconds until the cookie expires.When set to a negative number, the cookie expires immediately.When set to zero, the cookie never expires.type: integername:description: Name defines the Cookie name.type: stringsameSite:description: |-SameSite defines the same site policy.More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSitetype: stringsecure:description: Secure defines whether the cookie can onlybe transmitted over an encrypted connection (i.e. HTTPS).type: booleantype: objecttype: objecttype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: true
RBAC
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- secrets
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- traefik.io
resources:
- middlewares
- middlewaretcps
- ingressroutes
- traefikservices
- ingressroutetcps
- ingressrouteudps
- tlsoptions
- tlsstores
- serverstransports
- serverstransporttcps
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: default
Traefik
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: traefik
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-ingress-controller
containers:
- name: traefik
image: traefik:v3.2
args:
- --log.level=DEBUG
- --api
- --api.insecure
- --entryPoints.web.address=:80
- --entryPoints.tcpep.address=:8000
- --entryPoints.udpep.address=:9000/udp
- --providers.kubernetescrd
ports:
- name: web
containerPort: 80
- name: admin
containerPort: 8080
- name: tcpep
containerPort: 8000
- name: udpep
containerPort: 9000
---
apiVersion: v1
kind: Service
metadata:
name: traefik
spec:
type: LoadBalancer
selector:
app: traefik
ports:
- protocol: TCP
port: 80
name: web
targetPort: 80
- protocol: TCP
port: 8080
name: admin
targetPort: 8080
- protocol: TCP
port: 8000
name: tcpep
targetPort: 8000
---
apiVersion: v1
kind: Service
metadata:
name: traefikudp
spec:
type: LoadBalancer
selector:
app: traefik
ports:
- protocol: UDP
port: 9000
name: udpep
targetPort: 9000
IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: myingressroute
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`foo`) && PathPrefix(`/bar`)
kind: Rule
services:
- name: whoami
port: 80
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: ingressroute.tcp
namespace: default
spec:
entryPoints:
- tcpep
routes:
- match: HostSNI(`bar`)
services:
- name: whoamitcp
port: 8080
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
name: ingressroute.udp
namespace: default
spec:
entryPoints:
- udpep
routes:
- services:
- name: whoamiudp
port: 8080
Whoami
kind: Deployment
apiVersion: apps/v1
metadata:
name: whoami
namespace: default
labels:
app: traefiklabs
name: whoami
spec:
replicas: 2
selector:
matchLabels:
app: traefiklabs
task: whoami
template:
metadata:
labels:
app: traefiklabs
task: whoami
spec:
containers:
- name: whoami
image: traefik/whoami
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: whoami
namespace: default
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: whoami
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: whoamitcp
namespace: default
labels:
app: traefiklabs
name: whoamitcp
spec:
replicas: 2
selector:
matchLabels:
app: traefiklabs
task: whoamitcp
template:
metadata:
labels:
app: traefiklabs
task: whoamitcp
spec:
containers:
- name: whoamitcp
image: traefik/whoamitcp
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: whoamitcp
namespace: default
spec:
ports:
- protocol: TCP
port: 8080
selector:
app: traefiklabs
task: whoamitcp
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: whoamiudp
namespace: default
labels:
app: traefiklabs
name: whoamiudp
spec:
replicas: 2
selector:
matchLabels:
app: traefiklabs
task: whoamiudp
template:
metadata:
labels:
app: traefiklabs
task: whoamiudp
spec:
containers:
- name: whoamiudp
image: traefik/whoamiudp:latest
ports:
- containerPort: 8080
---
apiVersion: v1
kind: Service
metadata:
name: whoamiudp
namespace: default
spec:
ports:
- port: 8080
selector:
app: traefiklabs
task: whoamiudp
Routing Configuration
Custom Resource Definition (CRD)
- You can find an exhaustive list, generated from Traefik’s source code, of the custom resources and their attributes in the reference page.
- Validate that the prerequisites are fulfilled before using the Traefik custom resources.
- Traefik CRDs are building blocks that you can assemble according to your needs.
You can find an excerpt of the available custom resources in the table below:
| Kind | Purpose | Concept Behind |
|---|---|---|
| IngressRoute | HTTP Routing | HTTP router |
| Middleware | Tweaks the HTTP requests before they are sent to your service | HTTP Middlewares |
| TraefikService | Abstraction for HTTP loadbalancing/mirroring | HTTP service |
| IngressRouteTCP | TCP Routing | TCP router |
| MiddlewareTCP | Tweaks the TCP requests before they are sent to your service | TCP Middlewares |
| IngressRouteUDP | UDP Routing | UDP router |
| TLSOptions | Allows to configure some parameters of the TLS connection | TLSOptions |
| TLSStores | Allows to configure the default TLS store | TLSStores |
| ServersTransport | Allows to configure the transport between Traefik and the backends | ServersTransport |
| ServersTransportTCP | Allows to configure the transport between Traefik and the backends | TCP ServersTransport |
Kind: IngressRoute
IngressRoute is the CRD implementation of a Traefik HTTP router.
Register the IngressRoute kind in the Kubernetes cluster before creating IngressRoute objects.
IngressRoute Attributes
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: foo
namespace: bar
spec:
entryPoints: # [1]
- foo
routes: # [2]
- kind: Rule
match: Host(`test.example.com`) # [3]
priority: 10 # [4]
middlewares: # [5]
- name: middleware1 # [6]
namespace: default # [7]
services: # [8]
- kind: Service
name: foo
namespace: default
passHostHeader: true
port: 80 # [9]
responseForwarding:
flushInterval: 1ms
scheme: https
serversTransport: transport # [10]
healthCheck: # [11]
path: /health
interval: 15s
sticky:
cookie:
httpOnly: true
name: cookie
secure: true
sameSite: none
maxAge: 42
strategy: RoundRobin
weight: 10
nativeLB: true # [12]
nodePortLB: true # [13]
tls: # [14]
secretName: supersecret # [15]
options: # [16]
name: opt # [17]
namespace: default # [18]
certResolver: foo # [19]
domains: # [20]
- main: example.net # [21]
sans: # [22]
- a.example.net
- b.example.net
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | entryPoints | List of entry points names |
| [2] | routes | List of routes |
| [3] | routes[n].match | Defines the rule corresponding to an underlying router. |
| [4] | routes[n].priority | Defines the priority to disambiguate rules of the same length, for route matching |
| [5] | routes[n].middlewares | List of reference to Middleware |
| [6] | middlewares[n].name | Defines the Middleware name |
| [7] | middlewares[n].namespace | Defines the Middleware namespace. It can be omitted when the Middleware is in the IngressRoute namespace. |
| [8] | routes[n].services | List of any combination of TraefikService and reference to a Kubernetes service (See below for ExternalName Service setup) |
| [9] | services[n].port | Defines the port of a Kubernetes service. This can be a reference to a named port. |
| [10] | services[n].serversTransport | Defines the reference to a ServersTransport. The ServersTransport namespace is assumed to be the Kubernetes service namespace (see ServersTransport reference). |
| [11] | services[n].healthCheck | Defines the HealthCheck when service references a Kubernetes service of type ExternalName. |
| [12] | services[n].nativeLB | Controls, when creating the load-balancer, whether the LB’s children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. |
| [13] | services[n].nodePortLB | Controls, when creating the load-balancer, whether the LB’s children are directly the nodes internal IPs using the nodePort when the service type is NodePort. |
| [14] | tls | Defines TLS certificate configuration |
| [15] | tls.secretName | Defines the secret name used to store the certificate (in the IngressRoute namespace) |
| [16] | tls.options | Defines the reference to a TLSOption |
| [17] | options.name | Defines the TLSOption name |
| [18] | options.namespace | Defines the TLSOption namespace |
| [19] | tls.certResolver | Defines the reference to a CertResolver |
| [20] | tls.domains | List of domains |
| [21] | domains[n].main | Defines the main domain name |
| [22] | domains[n].sans | List of SANs (alternative domains) |
Declaring an IngressRoute
IngressRoute
# All resources definition must be declared
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: test-name
namespace: default
spec:
entryPoints:
- web
routes:
- kind: Rule
match: Host(`test.example.com`)
middlewares:
- name: middleware1
namespace: default
priority: 10
services:
- kind: Service
name: foo
namespace: default
passHostHeader: true
port: 80
responseForwarding:
flushInterval: 1ms
scheme: https
sticky:
cookie:
httpOnly: true
name: cookie
secure: true
strategy: RoundRobin
weight: 10
tls:
certResolver: foo
domains:
- main: example.net
sans:
- a.example.net
- b.example.net
options:
name: opt
namespace: default
secretName: supersecret
Middlewares
# All resources definition must be declared
# Prefixing with /foo
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: middleware1
namespace: default
spec:
addPrefix:
prefix: /foo
TLSOption
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: opt
namespace: default
spec:
minVersion: VersionTLS12
Secret
apiVersion: v1
kind: Secret
metadata:
name: supersecret
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
Configuring Backend Protocol
There are 3 ways to configure the backend protocol for communication between Traefik and your pods:
- Setting the scheme explicitly (http/https/h2c)
- Configuring the name of the kubernetes service port to start with https (https)
- Setting the kubernetes service port to use port 443 (https)
If you do not configure the above, Traefik will assume an http connection.
Using Kubernetes ExternalName Service
Traefik backends creation needs a port to be set, however Kubernetes ExternalName Service could be defined without any port. Accordingly, Traefik supports defining a port in two ways:
- only on
IngressRouteservice - on both sides, you’ll be warned if the ports don’t match, and the
IngressRouteservice port is used
Thus, in case of two sides port definition, Traefik expects a match between ports.
Examples
IngressRoute
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- match: Host(`example.net`)
kind: Rule
services:
- name: external-svc
port: 80
---
apiVersion: v1
kind: Service
metadata:
name: external-svc
namespace: default
spec:
externalName: external.domain
type: ExternalName
ExternalName Service
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- match: Host(`example.net`)
kind: Rule
services:
- name: external-svc
---
apiVersion: v1
kind: Service
metadata:
name: external-svc
namespace: default
spec:
externalName: external.domain
type: ExternalName
ports:
- port: 80
Both sides
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- match: Host(`example.net`)
kind: Rule
services:
- name: external-svc
port: 80
---
apiVersion: v1
kind: Service
metadata:
name: external-svc
namespace: default
spec:
externalName: external.domain
type: ExternalName
ports:
- port: 80
Load Balancing
More information in the dedicated server load balancing section.
Declaring and using Kubernetes Service Load Balancing
IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`example.com`) && PathPrefix(`/foo`)
kind: Rule
services:
- name: svc1
namespace: default
- name: svc2
namespace: default
K8s Service
apiVersion: v1
kind: Service
metadata:
name: svc1
namespace: default
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: app1
---
apiVersion: v1
kind: Service
metadata:
name: svc2
namespace: default
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: app2
Kubernetes Service Native Load-Balancing
To avoid creating the server load-balancer with the pods IPs and use Kubernetes Service clusterIP directly, one should set the service NativeLB option to true. Please note that, by default, Traefik reuses the established connections to the backends for performance purposes. This can prevent the requests load balancing between the replicas from behaving as one would expect when the option is set. By default, NativeLB is false.
Example
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- match: Host(`example.net`)
kind: Rule
services:
- name: svc
port: 80
# Here, nativeLB instructs to build the servers load balancer with the Kubernetes Service clusterIP only.
nativeLB: true
---
apiVersion: v1
kind: Service
metadata:
name: svc
namespace: default
spec:
type: ClusterIP
...
Kind: Middleware
Middleware is the CRD implementation of a Traefik middleware.
Register the Middleware kind in the Kubernetes cluster before creating Middleware objects or referencing middlewares in the IngressRoute objects.
Declaring and Referencing a Middleware
Middleware
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: stripprefix
namespace: foo
spec:
stripPrefix:
prefixes:
- /stripit
IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
spec:
entryPoints:
- web
routes:
- match: Host(`example.com`) && PathPrefix(`/stripit`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: stripprefix
namespace: foo
Cross-provider namespace
As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource (in the reference to the middleware) with the provider namespace, when the definition of the middleware comes from another provider. In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored. Additionally, when you want to reference a Middleware from the CRD Provider, you have to append the namespace of the resource in the resource-name as Traefik appends the namespace internally automatically.
More information about available middlewares in the dedicated middlewares section.
Kind: TraefikService
TraefikService is the CRD implementation of a “Traefik Service”.
Register the TraefikService kind in the Kubernetes cluster before creating TraefikService objects, referencing services in the IngressRoute objects, or recursively in others TraefikService objects.
Disambiguate Traefik and Kubernetes Services
As the field name can reference different types of objects, use the field kind to avoid any ambiguity.
The field kind allows the following values:
Service(default value): to reference a Kubernetes ServiceTraefikService: to reference another Traefik Service
TraefikService object allows to use any (valid) combinations of:
- Weighted Round Robin load balancing.
- Mirroring.
Weighted Round Robin
More information in the dedicated Weighted Round Robin service load balancing section.
Declaring and Using Weighted Round Robin
IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`example.com`) && PathPrefix(`/foo`)
kind: Rule
services:
- name: wrr1
namespace: default
kind: TraefikService
Weighted Round Robin
apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
name: wrr1
namespace: default
spec:
weighted:
services:
- name: svc1
port: 80
weight: 1
- name: wrr2
kind: TraefikService
weight: 1
- name: mirror1
kind: TraefikService
weight: 1
---
apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
name: wrr2
namespace: default
spec:
weighted:
services:
- name: svc2
port: 80
weight: 1
- name: svc3
port: 80
weight: 1
K8s Service
apiVersion: v1
kind: Service
metadata:
name: svc1
namespace: default
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: app1
---
apiVersion: v1
kind: Service
metadata:
name: svc2
namespace: default
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: app2
---
apiVersion: v1
kind: Service
metadata:
name: svc3
namespace: default
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: app3
Mirroring
More information in the dedicated mirroring service section.
Declaring and Using Mirroring
IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`example.com`) && PathPrefix(`/foo`)
kind: Rule
services:
- name: mirror1
namespace: default
kind: TraefikService
Mirroring k8s Service
# Mirroring from a k8s Service
apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
name: mirror1
namespace: default
spec:
mirroring:
name: svc1 # svc1 receives 100% of the traffic
port: 80
mirrors:
- name: svc2 # svc2 receives a copy of 20% of this traffic
port: 80
percent: 20
- name: svc3 # svc3 receives a copy of 15% of this traffic
kind: TraefikService
percent: 15
Mirroring Traefik Service
# Mirroring from a Traefik Service
apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
name: mirror1
namespace: default
spec:
mirroring:
name: wrr1 # wrr1 receives 100% of the traffic
kind: TraefikService
mirrors:
- name: svc2 # svc2 receives a copy of 20% of this traffic
port: 80
percent: 20
- name: svc3 # svc3 receives a copy of 10% of this traffic
kind: TraefikService
percent: 10
K8s Service
apiVersion: v1
kind: Service
metadata:
name: svc1
namespace: default
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: app1
---
apiVersion: v1
kind: Service
metadata:
name: svc2
namespace: default
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: app2
References and namespaces
If the optional namespace attribute is not set, the configuration will be applied with the namespace of the current resource.
Additionally, when the definition of the TraefikService is from another provider, the cross-provider syntax (service@provider) should be used to refer to the TraefikService, just as in the middleware case.
Specifying a namespace attribute in this case would not make any sense, and will be ignored (except if the provider is kubernetescrd).
Stickiness and load-balancing
As explained in the section about Sticky sessions, for stickiness to work all the way, it must be specified at each load-balancing level.
For instance, in the example below, there is a first level of load-balancing because there is a (Weighted Round Robin) load-balancing of the two whoami services, and there is a second level because each whoami service is a replicaset and is thus handled as a load-balancer of servers.
Stickiness on two load-balancing levels
IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`example.com`) && PathPrefix(`/foo`)
kind: Rule
services:
- name: wrr1
namespace: default
kind: TraefikService
Weighted Round Robin
apiVersion: traefik.io/v1alpha1
kind: TraefikService
metadata:
name: wrr1
namespace: default
spec:
weighted:
services:
- name: whoami1
kind: Service
port: 80
weight: 1
sticky:
cookie:
name: lvl2
- name: whoami2
kind: Service
weight: 1
port: 80
sticky:
cookie:
name: lvl2
sticky:
cookie:
name: lvl1
K8s Service
apiVersion: v1
kind: Service
metadata:
name: whoami1
spec:
ports:
- protocol: TCP
name: web
port: 80
selector:
app: whoami1
---
apiVersion: v1
kind: Service
metadata:
name: whoami2
spec:
ports:
- protocol: TCP
name: web
port: 80
selector:
app: whoami2
Deployment (to illustrate replicas)
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: default
name: whoami1
labels:
app: whoami1
spec:
replicas: 2
selector:
matchLabels:
app: whoami1
template:
metadata:
labels:
app: whoami1
spec:
containers:
- name: whoami1
image: traefik/whoami
ports:
- name: web
containerPort: 80
---
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: default
name: whoami2
labels:
app: whoami2
spec:
replicas: 2
selector:
matchLabels:
app: whoami2
template:
metadata:
labels:
app: whoami2
spec:
containers:
- name: whoami2
image: traefik/whoami
ports:
- name: web
containerPort: 80
To keep a session open with the same server, the client would then need to specify the two levels within the cookie for each request, e.g. with curl:
curl -H Host:example.com -b "lvl1=default-whoami1-80; lvl2=http://10.42.0.6:80" http://localhost:8000/foo
assuming 10.42.0.6 is the IP address of one of the replicas (a pod then) of the whoami1 service.
Kind: IngressRouteTCP
IngressRouteTCP is the CRD implementation of a Traefik TCP router.
Register the IngressRouteTCP kind in the Kubernetes cluster before creating IngressRouteTCP objects.
IngressRouteTCP Attributes
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: ingressroutetcpfoo
spec:
entryPoints: # [1]
- footcp
routes: # [2]
- match: HostSNI(`*`) # [3]
priority: 10 # [4]
middlewares:
- name: middleware1 # [5]
namespace: default # [6]
services: # [7]
- name: foo # [8]
port: 8080 # [9]
weight: 10 # [10]
proxyProtocol: # [11]
version: 1 # [12]
serversTransport: transport # [13]
nativeLB: true # [14]
nodePortLB: true # [15]
tls: # [16]
secretName: supersecret # [17]
options: # [18]
name: opt # [19]
namespace: default # [20]
certResolver: foo # [21]
domains: # [22]
- main: example.net # [23]
sans: # [24]
- a.example.net
- b.example.net
passthrough: false # [25]
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | entryPoints | List of entrypoints names |
| [2] | routes | List of routes |
| [3] | routes[n].match | Defines the rule of the underlying router |
| [4] | routes[n].priority | Defines the priority to disambiguate rules of the same length, for route matching |
| [5] | middlewares[n].name | Defines the MiddlewareTCP name |
| [6] | middlewares[n].namespace | Defines the MiddlewareTCP namespace |
| [7] | routes[n].services | List of Kubernetes service definitions (See below for ExternalName Service setup) |
| [8] | services[n].name | Defines the name of a Kubernetes service |
| [9] | services[n].port | Defines the port of a Kubernetes service. This can be a reference to a named port. |
| [10] | services[n].weight | Defines the weight to apply to the server load balancing |
| [11] | services[n].proxyProtocol | Defines the PROXY protocol configuration |
| [12] | services[n].proxyProtocol.version | Defines the PROXY protocol version |
| [13] | services[n].serversTransport | Defines the reference to a ServersTransportTCP. The ServersTransport namespace is assumed to be the Kubernetes service namespace (see ServersTransport reference). |
| [14] | services[n].nativeLB | Controls, when creating the load-balancer, whether the LB’s children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. |
| [15] | services[n].nodePortLB | Controls, when creating the load-balancer, whether the LB’s children are directly the nodes internal IPs using the nodePort when the service type is |
| [16] | tls | Defines TLS certificate configuration |
| [17] | tls.secretName | Defines the secret name used to store the certificate (in the IngressRoute namespace) |
| [18] | tls.options | Defines the reference to a TLSOption |
| [19] | tls.options.name | Defines the TLSOption name |
| [20] | tls.options.namespace | Defines the TLSOption namespace |
| [21] | tls.certResolver | Defines the reference to a CertResolver |
| [22] | tls.domains | List of domains |
| [23] | tls.domains[n].main | Defines the main domain name |
| [24] | tls.domains[n].sans | List of SANs (alternative domains) |
| [25] | tls.passthrough | If true, delegates the TLS termination to the backend |
Declaring an IngressRouteTCP
IngressRouteTCP
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: ingressroutetcpfoo
spec:
entryPoints:
- footcp
routes:
# Match is the rule corresponding to an underlying router.
- match: HostSNI(`*`)
priority: 10
services:
- name: foo
port: 8080
weight: 10
- name: bar
port: 8081
weight: 10
tls:
certResolver: foo
domains:
- main: example.net
sans:
- a.example.net
- b.example.net
options:
name: opt
namespace: default
secretName: supersecret
passthrough: false
TLSOption
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: opt
namespace: default
spec:
minVersion: VersionTLS12
Secret
apiVersion: v1
kind: Secret
metadata:
name: supersecret
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
Using Kubernetes ExternalName Service
Traefik backends creation needs a port to be set, however Kubernetes ExternalName Service could be defined without any port. Accordingly, Traefik supports defining a port in two ways:
- only on
IngressRouteTCPservice - on both sides, you’ll be warned if the ports don’t match, and the
IngressRouteTCPservice port is used
Thus, in case of two sides port definition, Traefik expects a match between ports.
Examples
Only on IngressRouteTCP
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- match: HostSNI(`*`)
services:
- name: external-svc
port: 80
---
apiVersion: v1
kind: Service
metadata:
name: external-svc
namespace: default
spec:
externalName: external.domain
type: ExternalName
On both sides
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- match: HostSNI(`*`)
services:
- name: external-svc
port: 80
---
apiVersion: v1
kind: Service
metadata:
name: external-svc
namespace: default
spec:
externalName: external.domain
type: ExternalName
ports:
- port: 80
Kubernetes Service Native Load-Balancing
To avoid creating the server load-balancer with the pods IPs and use Kubernetes Service clusterIP directly, one should set the TCP service NativeLB option to true. By default, NativeLB is false.
Examples
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- match: HostSNI(`*`)
services:
- name: svc
port: 80
# Here, nativeLB instructs to build the servers load balancer with the Kubernetes Service clusterIP only.
nativeLB: true
---
apiVersion: v1
kind: Service
metadata:
name: svc
namespace: default
spec:
type: ClusterIP
...
Kind: MiddlewareTCP
MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
Register the MiddlewareTCP kind in the Kubernetes cluster before creating MiddlewareTCP objects or referencing TCP middlewares in the IngressRouteTCP objects.
Declaring and Referencing a MiddlewareTCP
Middleware
apiVersion: traefik.io/v1alpha1
kind: MiddlewareTCP
metadata:
name: ipallowlist
spec:
ipAllowList:
sourceRange:
- 127.0.0.1/32
- 192.168.1.7
IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
spec:
entryPoints:
- web
routes:
- match: Host(`example.com`) && PathPrefix(`/allowlist`)
kind: Rule
services:
- name: whoami
port: 80
middlewares:
- name: ipallowlist
namespace: foo
Cross-provider namespace
As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource (in the reference to the middleware) with the provider namespace, when the definition of the TCP middleware comes from another provider. In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored. Additionally, when you want to reference a MiddlewareTCP from the CRD Provider, you have to append the namespace of the resource in the resource-name as Traefik appends the namespace internally automatically.
More information about available TCP middlewares in the dedicated middlewares section.
Kind: IngressRouteUDP
IngressRouteUDP is the CRD implementation of a Traefik UDP router.
Register the IngressRouteUDP kind in the Kubernetes cluster before creating IngressRouteUDP objects.
IngressRouteUDP Attributes
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
name: ingressrouteudpfoo
spec:
entryPoints: # [1]
- fooudp
routes: # [2]
- services: # [3]
- name: foo # [4]
port: 8080 # [5]
weight: 10 # [6]
nativeLB: true # [7]
nodePortLB: true # [8]
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | entryPoints | List of entrypoints names |
| [2] | routes | List of routes |
| [3] | routes[n].services | List of Kubernetes service definitions (See below for ExternalName Service setup) |
| [4] | services[n].name | Defines the name of a Kubernetes service |
| [5] | services[n].port | Defines the port of a Kubernetes service. This can be a reference to a named port. |
| [6] | services[n].weight | Defines the weight to apply to the server load balancing |
| [7] | services[n].nativeLB | Controls, when creating the load-balancer, whether the LB’s children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. |
| [8] | services[n].nodePortLB | Controls, when creating the load-balancer, whether the LB’s children are directly the nodes internal IPs using the nodePort when the service type is NodePort. |
Declaring an IngressRouteUDP
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
name: ingressrouteudpfoo
spec:
entryPoints:
- fooudp
routes:
- services:
- name: foo
port: 8080
weight: 10
- name: bar
port: 8081
weight: 10
Using Kubernetes ExternalName Service
Traefik backends creation needs a port to be set, however Kubernetes ExternalName Service could be defined without any port. Accordingly, Traefik supports defining a port in two ways:
- only on
IngressRouteUDPservice - on both sides, you’ll be warned if the ports don’t match, and the
IngressRouteUDPservice port is used
Thus, in case of two sides port definition, Traefik expects a match between ports.
Examples
IngressRouteUDP
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- services:
- name: external-svc
port: 80
---
apiVersion: v1
kind: Service
metadata:
name: external-svc
namespace: default
spec:
externalName: external.domain
type: ExternalName
ExternalName Service
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- services:
- name: external-svc
---
apiVersion: v1
kind: Service
metadata:
name: external-svc
namespace: default
spec:
externalName: external.domain
type: ExternalName
ports:
- port: 80
Both sides
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- services:
- name: external-svc
port: 80
---
apiVersion: v1
kind: Service
metadata:
name: external-svc
namespace: default
spec:
externalName: external.domain
type: ExternalName
ports:
- port: 80
Kubernetes Service Native Load-Balancing
To avoid creating the server load-balancer with the pods IPs and use Kubernetes Service clusterIP directly, one should set the UDP service NativeLB option to true. By default, NativeLB is false.
Example
---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteUDP
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- services:
- name: svc
port: 80
# Here, nativeLB instructs to build the servers load balancer with the Kubernetes Service clusterIP only.
nativeLB: true
---
apiVersion: v1
kind: Service
metadata:
name: svc
namespace: default
spec:
type: ClusterIP
...
Kind: TLSOption
TLSOption is the CRD implementation of a Traefik “TLS Option”.
Register the TLSOption kind in the Kubernetes cluster before creating TLSOption objects or referencing TLS options in the IngressRoute / IngressRouteTCP objects.
TLSOption Attributes
TLSOption
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: mytlsoption # [1]
namespace: default
spec:
minVersion: VersionTLS12 # [2]
maxVersion: VersionTLS13 # [3]
curvePreferences: # [4]
- CurveP521
- CurveP384
cipherSuites: # [5]
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
clientAuth: # [6]
secretNames: # [7]
- secret-ca1
- secret-ca2
clientAuthType: VerifyClientCertIfGiven # [8]
sniStrict: true # [9]
alpnProtocols: # [10]
- foobar
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | name | Defines the name of the TLSOption resource. One can use default as name to redefine the default TLSOption. |
| [2] | minVersion | Defines the minimum TLS version that is acceptable. |
| [3] | maxVersion | Defines the maximum TLS version that is acceptable. |
| [4] | cipherSuites | list of supported cipher suites for TLS versions up to TLS 1.2. |
| [5] | curvePreferences | List of the elliptic curves references that will be used in an ECDHE handshake, in preference order. |
| [6] | clientAuth | determines the server’s policy for TLS Client Authentication. |
| [7] | clientAuth.secretNames | list of names of the referenced Kubernetes Secrets (in TLSOption namespace). The secret must contain a certificate under either a tls.ca or a ca.crt key. |
| [8] | clientAuth.clientAuthType | defines the client authentication type to apply. The available values are: NoClientCert, RequestClientCert, VerifyClientCertIfGiven and RequireAndVerifyClientCert. |
| [9] | sniStrict | if true, Traefik won’t allow connections from clients connections that do not specify a server_name extension. |
| [10] | alpnProtocols | List of supported application level protocols for the TLS handshake, in order of preference. |
CA Secret
The CA secret must contain a base64 encoded certificate under either a tls.ca or a ca.crt key.
Declaring and referencing a TLSOption
TLSOption
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: mytlsoption
namespace: default
spec:
minVersion: VersionTLS12
sniStrict: true
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_RSA_WITH_AES_256_GCM_SHA384
clientAuth:
secretNames:
- secret-ca1
- secret-ca2
clientAuthType: VerifyClientCertIfGiven
IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
spec:
entryPoints:
- web
routes:
- match: Host(`example.com`) && PathPrefix(`/stripit`)
kind: Rule
services:
- name: whoami
port: 80
tls:
options:
name: mytlsoption
namespace: default
Secrets
apiVersion: v1
kind: Secret
metadata:
name: secret-ca1
namespace: default
data:
# Must contain a certificate under either a `tls.ca` or a `ca.crt` key.
tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
---
apiVersion: v1
kind: Secret
metadata:
name: secret-ca2
namespace: default
data:
# Must contain a certificate under either a `tls.ca` or a `ca.crt` key.
tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
References and namespaces
If the optional namespace attribute is not set, the configuration will be applied with the namespace of the IngressRoute.
Additionally, when the definition of the TLS option is from another provider, the cross-provider syntax (middlewarename@provider) should be used to refer to the TLS option. Specifying a namespace attribute in this case would not make any sense, and will be ignored.
Kind: TLSStore
TLSStore is the CRD implementation of a Traefik “TLS Store”.
Register the TLSStore kind in the Kubernetes cluster before creating TLSStore objects.
Default TLS Store
Traefik currently only uses the TLS Store named “default”. This default TLSStore should be in a namespace discoverable by Traefik. Since it is used by default on IngressRoute and IngressRouteTCP objects, there never is a need to actually reference it. This means that you cannot have two stores that are named default in different Kubernetes namespaces. As a consequence, with respect to TLS stores, the only change that makes sense (and only if needed) is to configure the default TLSStore.
TLSStore Attributes
TLSStore
apiVersion: traefik.io/v1alpha1
kind: TLSStore
metadata:
name: default
spec:
certificates: # [1]
- secretName: foo
- secretName: bar
defaultCertificate: # [2]
secretName: secret
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | certificates | List of Kubernetes Secrets, each of them holding a key/certificate pair to add to the store. |
| [2] | defaultCertificate | Name of a Kubernetes Secret that holds the default key/certificate pair for the store. |
Declaring and referencing a TLSStore
TLSStore
apiVersion: traefik.io/v1alpha1
kind: TLSStore
metadata:
name: default
spec:
defaultCertificate:
secretName: supersecret
IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutebar
spec:
entryPoints:
- websecure
routes:
- match: Host(`example.com`) && PathPrefix(`/stripit`)
kind: Rule
services:
- name: whoami
port: 80
tls: {}
Secret
apiVersion: v1
kind: Secret
metadata:
name: supersecret
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
Kind: ServersTransport
ServersTransport is the CRD implementation of a ServersTransport.
Default serversTransport
If no serversTransport is specified, the default@internal will be used. The default@internal serversTransport is created from the static configuration.
ServersTransport Attributes
ServersTransport
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
name: mytransport
namespace: default
spec:
serverName: foobar # [1]
insecureSkipVerify: true # [2]
rootCAsSecrets: # [3]
- foobar
- foobar
certificatesSecrets: # [4]
- foobar
- foobar
maxIdleConnsPerHost: 1 # [5]
forwardingTimeouts: # [6]
dialTimeout: 42s # [7]
responseHeaderTimeout: 42s # [8]
idleConnTimeout: 42s # [9]
peerCertURI: foobar # [10]
disableHTTP2: true # [11]
spiffe: # [12]
ids: # [13]
- spiffe://trust-domain/id1
- spiffe://trust-domain/id2
trustDomain: "spiffe://trust-domain" # [14]
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | serverName | ServerName used to contact the server. |
| [2] | insecureSkipVerify | Controls whether the server’s certificate chain and host name is verified. |
| [3] | rootCAsSecrets | Defines the set of root certificate authorities to use when verifying server certificates. The secret must contain a certificate under either a tls.ca or a ca.crt key. |
| [4] | certificatesSecrets | Certificates to present to the server for mTLS. |
| [5] | maxIdleConnsPerHost | Controls the maximum idle (keep-alive) connections to keep per-host. If zero, defaultMaxIdleConnsPerHost is used. |
| [6] | forwardingTimeouts | Timeouts for requests forwarded to the servers. |
| [7] | dialTimeout | The amount of time to wait until a connection to a server can be established. If zero, no timeout exists. |
| [8] | responseHeaderTimeout | The amount of time to wait for a server’s response headers after fully writing the request (including its body, if any). If zero, no timeout exists. |
| [9] | idleConnTimeout | The maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout exists. |
| [10] | peerCertURI | URI used to match against SAN URIs during the server’s certificate verification. |
| [11] | disableHTTP2 | Disables HTTP/2 for connections with servers. |
| [12] | spiffe | The spiffe configuration. |
| [13] | ids | Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain). |
| [14] | trustDomain | Defines the allowed SPIFFE trust domain. |
CA Secret
The CA secret must contain a base64 encoded certificate under either a tls.ca or a ca.crt key.
Declaring and referencing a ServersTransport
ServersTransport
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
name: mytransport
namespace: default
spec:
serverName: example.org
insecureSkipVerify: true
IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: testroute
namespace: default
spec:
entryPoints:
- web
routes:
- match: Host(`example.com`)
kind: Rule
services:
- name: whoami
port: 80
serversTransport: mytransport
ServersTransport reference
By default, the referenced ServersTransport CRD must be defined in the same Kubernetes service namespace.
To reference a ServersTransport CRD from another namespace, the value must be of form namespace-name@kubernetescrd, and the allowCrossNamespace option must be enabled.
If the ServersTransport CRD is defined in another provider the cross-provider format name@provider should be used.
Kind: ServersTransportTCP
ServersTransportTCP is the CRD implementation of a ServersTransportTCP.
Default serversTransportTCP
If no serversTransportTCP is specified, the default@internal will be used. The default@internal serversTransportTCP is created from the static configuration.
ServersTransportTCP Attributes
ServersTransportTCP
apiVersion: traefik.io/v1alpha1
kind: ServersTransportTCP
metadata:
name: mytransport
namespace: default
spec:
dialTimeout: 42s # [1]
dialKeepAlive: 42s # [2]
terminationDelay: 42s # [3]
tls: # [4]
serverName: foobar # [5]
insecureSkipVerify: true # [6]
peerCertURI: foobar # [7]
rootCAsSecrets: # [8]
- foobar
- foobar
certificatesSecrets: # [9]
- foobar
- foobar
spiffe: # [10]
ids: # [11]
- spiffe://trust-domain/id1
- spiffe://trust-domain/id2
trustDomain: "spiffe://trust-domain" # [12]
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | dialTimeout | The amount of time to wait until a connection to a server can be established. If zero, no timeout exists. |
| [2] | dialKeepAlive | The interval between keep-alive probes for an active network connection. If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative, keep-alive probes are disabled. |
| [3] | terminationDelay | Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability. |
| [4] | tls | The TLS configuration. |
| [5] | serverName | ServerName used to contact the server. |
| [6] | insecureSkipVerify | Controls whether the server’s certificate chain and host name is verified. |
| [7] | peerCertURI | URI used to match against SAN URIs during the server’s certificate verification. |
| [8] | rootCAsSecrets | Defines the set of root certificate authorities to use when verifying server certificates. The secret must contain a certificate under either a tls.ca or a ca.crt key. |
| [9] | certificatesSecrets | Certificates to present to the server for mTLS. |
| [10] | spiffe | The SPIFFE configuration. |
| [11] | ids | Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain). |
| [12] | trustDomain | Defines the allowed SPIFFE trust domain. |
CA Secret
The CA secret must contain a base64 encoded certificate under either a tls.ca or a ca.crt key.
Declaring and referencing a ServersTransportTCP
ServersTransportTCP
apiVersion: traefik.io/v1alpha1
kind: ServersTransportTCP
metadata:
name: mytransport
namespace: default
spec:
tls:
serverName: example.org
insecureSkipVerify: true
IngressRouteTCP
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: testroute
namespace: default
spec:
entryPoints:
- tcpep
routes:
- match: HostSNI(`bar`)
services:
- name: whoamitcp
port: 8080
serversTransport: mytransport
ServersTransportTCP reference
By default, the referenced ServersTransportTCP CRD must be defined in the same Kubernetes service namespace.
To reference a ServersTransportTCP CRD from another namespace, the value must be of form namespace-name@kubernetescrd, and the allowCrossNamespace option must be enabled.
If the ServersTransportTCP CRD is defined in another provider the cross-provider format name@provider should be used.
Further
Also see the full example with Let’s Encrypt.
Using Traefik OSS in Production?
If you are using Traefik at work, consider adding enterprise-grade API gateway capabilities or commercial support for Traefik OSS.
Adding API Gateway capabilities to Traefik OSS is fast and seamless. There’s no rip and replace and all configurations remain intact. See it in action via this short video.
