mirror of
https://github.com/containous/traefik.git
synced 2024-12-22 13:34:03 +03:00
Add documentation to Traefik CRD properties
Co-authored-by: Romain <rtribotte@users.noreply.github.com> Co-authored-by: Kevin Pollet <pollet.kevin@gmail.com>
This commit is contained in:
parent
ff17ac53df
commit
94141233f0
@ -31,15 +31,14 @@ the Traefik engineering team developed a [Custom Resource Definition](https://ku
|
||||
|
||||
For Kubernetes `v1.16+`, please use the Traefik `apiextensions.k8s.io/v1` CRDs instead.
|
||||
|
||||
??? example "Initializing Resource Definition and RBAC"
|
||||
!!! example "Installing Resource Definition and RBAC"
|
||||
|
||||
```yaml tab="Traefik Resource Definition"
|
||||
# All resources definition must be declared
|
||||
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml"
|
||||
```
|
||||
|
||||
```yaml tab="RBAC for Traefik CRD"
|
||||
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
|
||||
```bash
|
||||
# Install Traefik Resource Definitions:
|
||||
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
|
||||
|
||||
# Install RBAC for Traefik:
|
||||
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
|
||||
```
|
||||
|
||||
## Resource Configuration
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -8,13 +8,19 @@ description: "Learn about the definitions, resources, and RBAC of dynamic config
|
||||
Dynamic configuration with Kubernetes Custom Resource
|
||||
{: .subtitle }
|
||||
|
||||
!!! warning "Deprecated apiextensions.k8s.io/v1beta1 CRD"
|
||||
|
||||
The `apiextensions.k8s.io/v1beta1` CustomResourceDefinition is deprecated in Kubernetes `v1.16+` and will be removed in `v1.22+`.
|
||||
|
||||
For Kubernetes `v1.16+`, please use the Traefik `apiextensions.k8s.io/v1` CRDs instead.
|
||||
|
||||
## Definitions
|
||||
|
||||
```yaml tab="apiextensions.k8s.io/v1"
|
||||
```yaml tab="apiextensions.k8s.io/v1 (Kubernetes v1.16+)"
|
||||
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml"
|
||||
```
|
||||
|
||||
```yaml tab="apiextensions.k8s.io/v1beta1"
|
||||
```yaml tab="apiextensions.k8s.io/v1beta1 (Deprecated)"
|
||||
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition-v1beta1.yml"
|
||||
```
|
||||
|
||||
|
@ -19,7 +19,7 @@ spec:
|
||||
- name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: IngressRoute is an Ingress CRD specification.
|
||||
description: IngressRoute is the CRD implementation of a Traefik HTTP Router.
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
@ -34,96 +34,151 @@ spec:
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: IngressRouteSpec is a specification for a IngressRouteSpec
|
||||
resource.
|
||||
description: IngressRouteSpec defines the desired state of IngressRoute.
|
||||
properties:
|
||||
entryPoints:
|
||||
description: 'EntryPoints defines the list of entry point names to
|
||||
bind to. Entry points have to be configured in the static configuration.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/
|
||||
Default: all.'
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
routes:
|
||||
description: Routes defines the list of routes.
|
||||
items:
|
||||
description: Route contains the set of routes.
|
||||
description: Route holds the HTTP route configuration.
|
||||
properties:
|
||||
kind:
|
||||
description: Kind defines the kind of the route. Rule is the
|
||||
only supported kind.
|
||||
enum:
|
||||
- Rule
|
||||
type: string
|
||||
match:
|
||||
description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#rule'
|
||||
type: string
|
||||
middlewares:
|
||||
description: 'Middlewares defines the list of references to
|
||||
Middleware resources. More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-middleware'
|
||||
items:
|
||||
description: MiddlewareRef is a ref to the Middleware resources.
|
||||
description: MiddlewareRef is a reference to a Middleware
|
||||
resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name defines the name of the referenced Middleware
|
||||
resource.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace defines the namespace of the referenced
|
||||
Middleware resource.
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
priority:
|
||||
description: 'Priority defines the router''s priority. More
|
||||
info: https://doc.traefik.io/traefik/v2.7/routing/routers/#priority'
|
||||
type: integer
|
||||
services:
|
||||
description: Services defines the list of Service. It can contain
|
||||
any combination of TraefikService and/or reference to a Kubernetes
|
||||
Service.
|
||||
items:
|
||||
description: Service defines an upstream to proxy traffic.
|
||||
description: Service defines an upstream HTTP service to proxy
|
||||
traffic to.
|
||||
properties:
|
||||
kind:
|
||||
description: Kind defines the kind of the Service.
|
||||
enum:
|
||||
- Service
|
||||
- TraefikService
|
||||
type: string
|
||||
name:
|
||||
description: Name is a reference to a Kubernetes Service
|
||||
object (for a load-balancer of servers), or to a TraefikService
|
||||
object (service load-balancer, mirroring, etc). The
|
||||
differentiation between the two is specified in the
|
||||
Kind field.
|
||||
description: Name defines the name of the referenced Kubernetes
|
||||
Service or TraefikService. The differentiation between
|
||||
the two is specified in the Kind field.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace defines the namespace of the referenced
|
||||
Kubernetes Service or TraefikService.
|
||||
type: string
|
||||
passHostHeader:
|
||||
description: PassHostHeader defines whether the client
|
||||
Host header is forwarded to the upstream Kubernetes
|
||||
Service. By default, passHostHeader is true.
|
||||
type: boolean
|
||||
port:
|
||||
anyOf:
|
||||
- type: integer
|
||||
- type: string
|
||||
description: Port defines the port of a Kubernetes Service.
|
||||
This can be a reference to a named port.
|
||||
x-kubernetes-int-or-string: true
|
||||
responseForwarding:
|
||||
description: ResponseForwarding holds configuration for
|
||||
the forward of the response.
|
||||
description: ResponseForwarding defines how Traefik forwards
|
||||
the response from the upstream Kubernetes Service to
|
||||
the client.
|
||||
properties:
|
||||
flushInterval:
|
||||
description: 'FlushInterval defines the interval,
|
||||
in milliseconds, in between flushes to the client
|
||||
while copying the response body. A negative value
|
||||
means to flush immediately after each write to the
|
||||
client. This configuration is ignored when ReverseProxy
|
||||
recognizes a response as a streaming response; for
|
||||
such responses, writes are flushed to the client
|
||||
immediately. Default: 100ms'
|
||||
type: string
|
||||
type: object
|
||||
scheme:
|
||||
description: Scheme defines the scheme to use for the
|
||||
request to the upstream Kubernetes Service. It defaults
|
||||
to https when Kubernetes Service port is 443, http otherwise.
|
||||
type: string
|
||||
serversTransport:
|
||||
description: ServersTransport defines the name of ServersTransport
|
||||
resource to use. It allows to configure the transport
|
||||
between Traefik and your servers. Can only be used on
|
||||
a Kubernetes Service.
|
||||
type: string
|
||||
sticky:
|
||||
description: Sticky holds the sticky configuration.
|
||||
description: 'Sticky defines the sticky sessions configuration.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions'
|
||||
properties:
|
||||
cookie:
|
||||
description: Cookie holds the sticky configuration
|
||||
based on cookie.
|
||||
description: Cookie defines the sticky cookie configuration.
|
||||
properties:
|
||||
httpOnly:
|
||||
description: HTTPOnly defines whether the cookie
|
||||
can be accessed by client-side APIs, such as
|
||||
JavaScript.
|
||||
type: boolean
|
||||
name:
|
||||
description: Name defines the Cookie name.
|
||||
type: string
|
||||
sameSite:
|
||||
description: 'SameSite defines the same site policy.
|
||||
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
|
||||
type: string
|
||||
secure:
|
||||
description: Secure defines whether the cookie
|
||||
can only be transmitted over an encrypted connection
|
||||
(i.e. HTTPS).
|
||||
type: boolean
|
||||
type: object
|
||||
type: object
|
||||
strategy:
|
||||
description: Strategy defines the load balancing strategy
|
||||
between the servers. RoundRobin is the only supported
|
||||
value at the moment.
|
||||
type: string
|
||||
weight:
|
||||
description: Weight should only be specified when Name
|
||||
references a TraefikService object (and to be precise,
|
||||
one that embeds a Weighted Round Robin).
|
||||
description: Weight defines the weight and should only
|
||||
be specified when Name references a TraefikService object
|
||||
(and to be precise, one that embeds a Weighted Round
|
||||
Robin).
|
||||
type: integer
|
||||
required:
|
||||
- name
|
||||
@ -135,14 +190,16 @@ spec:
|
||||
type: object
|
||||
type: array
|
||||
tls:
|
||||
description: "TLS contains the TLS certificates configuration of the
|
||||
routes. To enable Let's Encrypt, use an empty TLS struct, e.g. in
|
||||
YAML: \n \t tls: {} # inline format \n \t tls: \t secretName:
|
||||
# block format"
|
||||
description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls'
|
||||
properties:
|
||||
certResolver:
|
||||
description: 'CertResolver defines the name of the certificate
|
||||
resolver to use. Cert resolvers have to be configured in the
|
||||
static configuration. More info: https://doc.traefik.io/traefik/v2.7/https/acme/#certificate-resolvers'
|
||||
type: string
|
||||
domains:
|
||||
description: 'Domains defines the list of domains that will be
|
||||
used to issue certificates. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#domains'
|
||||
items:
|
||||
description: Domain holds a domain name with SANs.
|
||||
properties:
|
||||
@ -155,12 +212,17 @@ spec:
|
||||
type: object
|
||||
type: array
|
||||
options:
|
||||
description: Options is a reference to a TLSOption, that specifies
|
||||
the parameters of the TLS connection.
|
||||
description: 'Options defines the reference to a TLSOption, that
|
||||
specifies the parameters of the TLS connection. If not defined,
|
||||
the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options'
|
||||
properties:
|
||||
name:
|
||||
description: 'Name defines the name of the referenced TLSOption.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsoption'
|
||||
type: string
|
||||
namespace:
|
||||
description: 'Namespace defines the namespace of the referenced
|
||||
TLSOption. More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsoption'
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
@ -170,12 +232,17 @@ spec:
|
||||
Secret to specify the certificate details.
|
||||
type: string
|
||||
store:
|
||||
description: Store is a reference to a TLSStore, that specifies
|
||||
the parameters of the TLS store.
|
||||
description: Store defines the reference to the TLSStore, that
|
||||
will be used to store certificates. Please note that only `default`
|
||||
TLSStore can be used.
|
||||
properties:
|
||||
name:
|
||||
description: 'Name defines the name of the referenced TLSStore.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsstore'
|
||||
type: string
|
||||
namespace:
|
||||
description: 'Namespace defines the namespace of the referenced
|
||||
TLSStore. More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsstore'
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
|
@ -19,7 +19,7 @@ spec:
|
||||
- name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: IngressRouteTCP is an Ingress CRD specification.
|
||||
description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router.
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
@ -34,58 +34,89 @@ spec:
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: IngressRouteTCPSpec is a specification for a IngressRouteTCPSpec
|
||||
resource.
|
||||
description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP.
|
||||
properties:
|
||||
entryPoints:
|
||||
description: 'EntryPoints defines the list of entry point names to
|
||||
bind to. Entry points have to be configured in the static configuration.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/
|
||||
Default: all.'
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
routes:
|
||||
description: Routes defines the list of routes.
|
||||
items:
|
||||
description: RouteTCP contains the set of routes.
|
||||
description: RouteTCP holds the TCP route configuration.
|
||||
properties:
|
||||
match:
|
||||
description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#rule_1'
|
||||
type: string
|
||||
middlewares:
|
||||
description: Middlewares contains references to MiddlewareTCP
|
||||
description: Middlewares defines the list of references to MiddlewareTCP
|
||||
resources.
|
||||
items:
|
||||
description: ObjectReference is a generic reference to a Traefik
|
||||
resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name defines the name of the referenced Traefik
|
||||
resource.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace defines the namespace of the referenced
|
||||
Traefik resource.
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
priority:
|
||||
description: 'Priority defines the router''s priority. More
|
||||
info: https://doc.traefik.io/traefik/v2.7/routing/routers/#priority_1'
|
||||
type: integer
|
||||
services:
|
||||
description: Services defines the list of TCP services.
|
||||
items:
|
||||
description: ServiceTCP defines an upstream to proxy traffic.
|
||||
description: ServiceTCP defines an upstream TCP service to
|
||||
proxy traffic to.
|
||||
properties:
|
||||
name:
|
||||
description: Name defines the name of the referenced Kubernetes
|
||||
Service.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace defines the namespace of the referenced
|
||||
Kubernetes Service.
|
||||
type: string
|
||||
port:
|
||||
anyOf:
|
||||
- type: integer
|
||||
- type: string
|
||||
description: Port defines the port of a Kubernetes Service.
|
||||
This can be a reference to a named port.
|
||||
x-kubernetes-int-or-string: true
|
||||
proxyProtocol:
|
||||
description: ProxyProtocol holds the ProxyProtocol configuration.
|
||||
description: 'ProxyProtocol defines the PROXY protocol
|
||||
configuration. More info: https://doc.traefik.io/traefik/v2.7/routing/services/#proxy-protocol'
|
||||
properties:
|
||||
version:
|
||||
description: Version defines the PROXY Protocol version
|
||||
to use.
|
||||
type: integer
|
||||
type: object
|
||||
terminationDelay:
|
||||
description: TerminationDelay defines the deadline that
|
||||
the proxy sets, after one of its connected peers indicates
|
||||
it has closed the writing capability of its connection,
|
||||
to close the reading capability as well, hence fully
|
||||
terminating the connection. It is a duration in milliseconds,
|
||||
defaulting to 100. A negative value means an infinite
|
||||
deadline (i.e. the reading capability is never closed).
|
||||
type: integer
|
||||
weight:
|
||||
description: Weight defines the weight used when balancing
|
||||
requests between multiple Kubernetes Service.
|
||||
type: integer
|
||||
required:
|
||||
- name
|
||||
@ -97,14 +128,17 @@ spec:
|
||||
type: object
|
||||
type: array
|
||||
tls:
|
||||
description: "TLSTCP contains the TLS certificates configuration of
|
||||
the routes. To enable Let's Encrypt, use an empty TLS struct, e.g.
|
||||
in YAML: \n \t tls: {} # inline format \n \t tls: \t secretName:
|
||||
# block format"
|
||||
description: 'TLS defines the TLS configuration on a layer 4 / TCP
|
||||
Route. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls_1'
|
||||
properties:
|
||||
certResolver:
|
||||
description: 'CertResolver defines the name of the certificate
|
||||
resolver to use. Cert resolvers have to be configured in the
|
||||
static configuration. More info: https://doc.traefik.io/traefik/v2.7/https/acme/#certificate-resolvers'
|
||||
type: string
|
||||
domains:
|
||||
description: 'Domains defines the list of domains that will be
|
||||
used to issue certificates. More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#domains'
|
||||
items:
|
||||
description: Domain holds a domain name with SANs.
|
||||
properties:
|
||||
@ -117,29 +151,41 @@ spec:
|
||||
type: object
|
||||
type: array
|
||||
options:
|
||||
description: Options is a reference to a TLSOption, that specifies
|
||||
the parameters of the TLS connection.
|
||||
description: 'Options defines the reference to a TLSOption, that
|
||||
specifies the parameters of the TLS connection. If not defined,
|
||||
the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options'
|
||||
properties:
|
||||
name:
|
||||
description: Name defines the name of the referenced Traefik
|
||||
resource.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace defines the namespace of the referenced
|
||||
Traefik resource.
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
passthrough:
|
||||
description: Passthrough defines whether a TLS router will terminate
|
||||
the TLS connection.
|
||||
type: boolean
|
||||
secretName:
|
||||
description: SecretName is the name of the referenced Kubernetes
|
||||
Secret to specify the certificate details.
|
||||
type: string
|
||||
store:
|
||||
description: Store is a reference to a TLSStore, that specifies
|
||||
the parameters of the TLS store.
|
||||
description: Store defines the reference to the TLSStore, that
|
||||
will be used to store certificates. Please note that only `default`
|
||||
TLSStore can be used.
|
||||
properties:
|
||||
name:
|
||||
description: Name defines the name of the referenced Traefik
|
||||
resource.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace defines the namespace of the referenced
|
||||
Traefik resource.
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
|
@ -19,7 +19,7 @@ spec:
|
||||
- name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: IngressRouteUDP is an Ingress CRD specification.
|
||||
description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router.
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
@ -34,31 +34,45 @@ spec:
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: IngressRouteUDPSpec is a specification for a IngressRouteUDPSpec
|
||||
resource.
|
||||
description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.
|
||||
properties:
|
||||
entryPoints:
|
||||
description: 'EntryPoints defines the list of entry point names to
|
||||
bind to. Entry points have to be configured in the static configuration.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/
|
||||
Default: all.'
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
routes:
|
||||
description: Routes defines the list of routes.
|
||||
items:
|
||||
description: RouteUDP contains the set of routes.
|
||||
description: RouteUDP holds the UDP route configuration.
|
||||
properties:
|
||||
services:
|
||||
description: Services defines the list of UDP services.
|
||||
items:
|
||||
description: ServiceUDP defines an upstream to proxy traffic.
|
||||
description: ServiceUDP defines an upstream UDP service to
|
||||
proxy traffic to.
|
||||
properties:
|
||||
name:
|
||||
description: Name defines the name of the referenced Kubernetes
|
||||
Service.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace defines the namespace of the referenced
|
||||
Kubernetes Service.
|
||||
type: string
|
||||
port:
|
||||
anyOf:
|
||||
- type: integer
|
||||
- type: string
|
||||
description: Port defines the port of a Kubernetes Service.
|
||||
This can be a reference to a named port.
|
||||
x-kubernetes-int-or-string: true
|
||||
weight:
|
||||
description: Weight defines the weight used when balancing
|
||||
requests between multiple Kubernetes Service.
|
||||
type: integer
|
||||
required:
|
||||
- name
|
||||
|
@ -19,7 +19,8 @@ spec:
|
||||
- name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: Middleware is a specification for a Middleware resource.
|
||||
description: 'Middleware is the CRD implementation of a Traefik Middleware.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/overview/'
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
@ -34,54 +35,99 @@ spec:
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: MiddlewareSpec holds the Middleware configuration.
|
||||
description: MiddlewareSpec defines the desired state of a Middleware.
|
||||
properties:
|
||||
addPrefix:
|
||||
description: AddPrefix holds the AddPrefix configuration.
|
||||
description: 'AddPrefix holds the add prefix middleware configuration.
|
||||
This middleware updates the path of a request before forwarding
|
||||
it. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/addprefix/'
|
||||
properties:
|
||||
prefix:
|
||||
description: Prefix is the string to add before the current path
|
||||
in the requested URL. It should include a leading slash (/).
|
||||
type: string
|
||||
type: object
|
||||
basicAuth:
|
||||
description: BasicAuth holds the HTTP basic authentication configuration.
|
||||
description: 'BasicAuth holds the basic auth middleware configuration.
|
||||
This middleware restricts access to your services to known users.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/'
|
||||
properties:
|
||||
headerField:
|
||||
description: 'HeaderField defines a header field to store the
|
||||
authenticated user. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield'
|
||||
type: string
|
||||
realm:
|
||||
description: 'Realm allows the protected resources on a server
|
||||
to be partitioned into a set of protection spaces, each with
|
||||
its own authentication scheme. Default: traefik.'
|
||||
type: string
|
||||
removeHeader:
|
||||
description: 'RemoveHeader sets the removeHeader option to true
|
||||
to remove the authorization header before forwarding the request
|
||||
to your service. Default: false.'
|
||||
type: boolean
|
||||
secret:
|
||||
description: Secret is the name of the referenced Kubernetes Secret
|
||||
containing user credentials.
|
||||
type: string
|
||||
type: object
|
||||
buffering:
|
||||
description: Buffering holds the request/response buffering configuration.
|
||||
description: 'Buffering holds the buffering middleware configuration.
|
||||
This middleware retries or limits the size of requests that can
|
||||
be forwarded to backends. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/buffering/#maxrequestbodybytes'
|
||||
properties:
|
||||
maxRequestBodyBytes:
|
||||
description: 'MaxRequestBodyBytes defines the maximum allowed
|
||||
body size for the request (in bytes). If the request exceeds
|
||||
the allowed size, it is not forwarded to the service, and the
|
||||
client gets a 413 (Request Entity Too Large) response. Default:
|
||||
0 (no maximum).'
|
||||
format: int64
|
||||
type: integer
|
||||
maxResponseBodyBytes:
|
||||
description: 'MaxResponseBodyBytes defines the maximum allowed
|
||||
response size from the service (in bytes). If the response exceeds
|
||||
the allowed size, it is not forwarded to the client. The client
|
||||
gets a 500 (Internal Server Error) response instead. Default:
|
||||
0 (no maximum).'
|
||||
format: int64
|
||||
type: integer
|
||||
memRequestBodyBytes:
|
||||
description: 'MemRequestBodyBytes defines the threshold (in bytes)
|
||||
from which the request will be buffered on disk instead of in
|
||||
memory. Default: 1048576 (1Mi).'
|
||||
format: int64
|
||||
type: integer
|
||||
memResponseBodyBytes:
|
||||
description: 'MemResponseBodyBytes defines the threshold (in bytes)
|
||||
from which the response will be buffered on disk instead of
|
||||
in memory. Default: 1048576 (1Mi).'
|
||||
format: int64
|
||||
type: integer
|
||||
retryExpression:
|
||||
description: 'RetryExpression defines the retry conditions. It
|
||||
is a logical combination of functions with operators AND (&&)
|
||||
and OR (||). More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/buffering/#retryexpression'
|
||||
type: string
|
||||
type: object
|
||||
chain:
|
||||
description: Chain holds a chain of middlewares.
|
||||
description: 'Chain holds the configuration of the chain middleware.
|
||||
This middleware enables to define reusable combinations of other
|
||||
pieces of middleware. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/chain/'
|
||||
properties:
|
||||
middlewares:
|
||||
description: Middlewares is the list of MiddlewareRef which composes
|
||||
the chain.
|
||||
items:
|
||||
description: MiddlewareRef is a ref to the Middleware resources.
|
||||
description: MiddlewareRef is a reference to a Middleware resource.
|
||||
properties:
|
||||
name:
|
||||
description: Name defines the name of the referenced Middleware
|
||||
resource.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace defines the namespace of the referenced
|
||||
Middleware resource.
|
||||
type: string
|
||||
required:
|
||||
- name
|
||||
@ -89,165 +135,261 @@ spec:
|
||||
type: array
|
||||
type: object
|
||||
circuitBreaker:
|
||||
description: CircuitBreaker holds the circuit breaker configuration.
|
||||
description: 'CircuitBreaker holds the circuit breaker middleware
|
||||
configuration. This middleware protects the system from stacking
|
||||
requests to unhealthy services, resulting in cascading failures.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/circuitbreaker/'
|
||||
properties:
|
||||
expression:
|
||||
description: Expression defines the expression that, once matched,
|
||||
opens the circuit breaker and applies the fallback mechanism
|
||||
instead of calling the services.
|
||||
type: string
|
||||
type: object
|
||||
compress:
|
||||
description: Compress holds the compress configuration.
|
||||
description: 'Compress holds the compress middleware configuration.
|
||||
This middleware compresses responses before sending them to the
|
||||
client, using gzip compression. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/compress/'
|
||||
properties:
|
||||
excludedContentTypes:
|
||||
description: ExcludedContentTypes defines the list of content
|
||||
types to compare the Content-Type header of the incoming requests
|
||||
and responses before compressing.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
minResponseBodyBytes:
|
||||
description: 'MinResponseBodyBytes defines the minimum amount
|
||||
of bytes a response body must have to be compressed. Default:
|
||||
1024.'
|
||||
type: integer
|
||||
type: object
|
||||
contentType:
|
||||
description: ContentType middleware - or rather its unique `autoDetect`
|
||||
option - specifies whether to let the `Content-Type` header, if
|
||||
it has not been set by the backend, be automatically set to a value
|
||||
derived from the contents of the response. As a proxy, the default
|
||||
behavior should be to leave the header alone, regardless of what
|
||||
the backend did with it. However, the historic default was to always
|
||||
auto-detect and set the header if it was nil, and it is going to
|
||||
be kept that way in order to support users currently relying on
|
||||
it. This middleware exists to enable the correct behavior until
|
||||
at least the default one can be changed in a future version.
|
||||
description: ContentType holds the content-type middleware configuration.
|
||||
This middleware exists to enable the correct behavior until at least
|
||||
the default one can be changed in a future version.
|
||||
properties:
|
||||
autoDetect:
|
||||
description: AutoDetect specifies whether to let the `Content-Type`
|
||||
header, if it has not been set by the backend, be automatically
|
||||
set to a value derived from the contents of the response. As
|
||||
a proxy, the default behavior should be to leave the header
|
||||
alone, regardless of what the backend did with it. However,
|
||||
the historic default was to always auto-detect and set the header
|
||||
if it was nil, and it is going to be kept that way in order
|
||||
to support users currently relying on it.
|
||||
type: boolean
|
||||
type: object
|
||||
digestAuth:
|
||||
description: DigestAuth holds the Digest HTTP authentication configuration.
|
||||
description: 'DigestAuth holds the digest auth middleware configuration.
|
||||
This middleware restricts access to your services to known users.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/digestauth/'
|
||||
properties:
|
||||
headerField:
|
||||
description: 'HeaderField defines a header field to store the
|
||||
authenticated user. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield'
|
||||
type: string
|
||||
realm:
|
||||
description: 'Realm allows the protected resources on a server
|
||||
to be partitioned into a set of protection spaces, each with
|
||||
its own authentication scheme. Default: traefik.'
|
||||
type: string
|
||||
removeHeader:
|
||||
description: RemoveHeader defines whether to remove the authorization
|
||||
header before forwarding the request to the backend.
|
||||
type: boolean
|
||||
secret:
|
||||
description: Secret is the name of the referenced Kubernetes Secret
|
||||
containing user credentials.
|
||||
type: string
|
||||
type: object
|
||||
errors:
|
||||
description: ErrorPage holds the custom error page configuration.
|
||||
description: 'ErrorPage holds the custom error middleware configuration.
|
||||
This middleware returns a custom page in lieu of the default, according
|
||||
to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/errorpages/'
|
||||
properties:
|
||||
query:
|
||||
description: Query defines the URL for the error page (hosted
|
||||
by service). The {status} variable can be used in order to insert
|
||||
the status code in the URL.
|
||||
type: string
|
||||
service:
|
||||
description: Service defines an upstream to proxy traffic.
|
||||
description: 'Service defines the reference to a Kubernetes Service
|
||||
that will serve the error page. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/errorpages/#service'
|
||||
properties:
|
||||
kind:
|
||||
description: Kind defines the kind of the Service.
|
||||
enum:
|
||||
- Service
|
||||
- TraefikService
|
||||
type: string
|
||||
name:
|
||||
description: Name is a reference to a Kubernetes Service object
|
||||
(for a load-balancer of servers), or to a TraefikService
|
||||
object (service load-balancer, mirroring, etc). The differentiation
|
||||
between the two is specified in the Kind field.
|
||||
description: Name defines the name of the referenced Kubernetes
|
||||
Service or TraefikService. The differentiation between the
|
||||
two is specified in the Kind field.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace defines the namespace of the referenced
|
||||
Kubernetes Service or TraefikService.
|
||||
type: string
|
||||
passHostHeader:
|
||||
description: PassHostHeader defines whether the client Host
|
||||
header is forwarded to the upstream Kubernetes Service.
|
||||
By default, passHostHeader is true.
|
||||
type: boolean
|
||||
port:
|
||||
anyOf:
|
||||
- type: integer
|
||||
- type: string
|
||||
description: Port defines the port of a Kubernetes Service.
|
||||
This can be a reference to a named port.
|
||||
x-kubernetes-int-or-string: true
|
||||
responseForwarding:
|
||||
description: ResponseForwarding holds configuration for the
|
||||
forward of the response.
|
||||
description: ResponseForwarding defines how Traefik forwards
|
||||
the response from the upstream Kubernetes Service to the
|
||||
client.
|
||||
properties:
|
||||
flushInterval:
|
||||
description: 'FlushInterval defines the interval, in milliseconds,
|
||||
in between flushes to the client while copying the response
|
||||
body. A negative value means to flush immediately after
|
||||
each write to the client. This configuration is ignored
|
||||
when ReverseProxy recognizes a response as a streaming
|
||||
response; for such responses, writes are flushed to
|
||||
the client immediately. Default: 100ms'
|
||||
type: string
|
||||
type: object
|
||||
scheme:
|
||||
description: Scheme defines the scheme to use for the request
|
||||
to the upstream Kubernetes Service. It defaults to https
|
||||
when Kubernetes Service port is 443, http otherwise.
|
||||
type: string
|
||||
serversTransport:
|
||||
description: ServersTransport defines the name of ServersTransport
|
||||
resource to use. It allows to configure the transport between
|
||||
Traefik and your servers. Can only be used on a Kubernetes
|
||||
Service.
|
||||
type: string
|
||||
sticky:
|
||||
description: Sticky holds the sticky configuration.
|
||||
description: 'Sticky defines the sticky sessions configuration.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions'
|
||||
properties:
|
||||
cookie:
|
||||
description: Cookie holds the sticky configuration based
|
||||
on cookie.
|
||||
description: Cookie defines the sticky cookie configuration.
|
||||
properties:
|
||||
httpOnly:
|
||||
description: HTTPOnly defines whether the cookie can
|
||||
be accessed by client-side APIs, such as JavaScript.
|
||||
type: boolean
|
||||
name:
|
||||
description: Name defines the Cookie name.
|
||||
type: string
|
||||
sameSite:
|
||||
description: 'SameSite defines the same site policy.
|
||||
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
|
||||
type: string
|
||||
secure:
|
||||
description: Secure defines whether the cookie can
|
||||
only be transmitted over an encrypted connection
|
||||
(i.e. HTTPS).
|
||||
type: boolean
|
||||
type: object
|
||||
type: object
|
||||
strategy:
|
||||
description: Strategy defines the load balancing strategy
|
||||
between the servers. RoundRobin is the only supported value
|
||||
at the moment.
|
||||
type: string
|
||||
weight:
|
||||
description: Weight should only be specified when Name references
|
||||
a TraefikService object (and to be precise, one that embeds
|
||||
a Weighted Round Robin).
|
||||
description: Weight defines the weight and should only be
|
||||
specified when Name references a TraefikService object (and
|
||||
to be precise, one that embeds a Weighted Round Robin).
|
||||
type: integer
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
status:
|
||||
description: Status defines which status or range of statuses
|
||||
should result in an error page. It can be either a status code
|
||||
as a number (500), as multiple comma-separated numbers (500,502),
|
||||
as ranges by separating two codes with a dash (500-599), or
|
||||
a combination of the two (404,418,500-599).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
forwardAuth:
|
||||
description: ForwardAuth holds the http forward authentication configuration.
|
||||
description: 'ForwardAuth holds the forward auth middleware configuration.
|
||||
This middleware delegates the request authentication to a Service.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/'
|
||||
properties:
|
||||
address:
|
||||
description: Address defines the authentication server address.
|
||||
type: string
|
||||
authRequestHeaders:
|
||||
description: AuthRequestHeaders defines the list of the headers
|
||||
to copy from the request to the authentication server. If not
|
||||
set or empty then all request headers are passed.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
authResponseHeaders:
|
||||
description: AuthResponseHeaders defines the list of headers to
|
||||
copy from the authentication server response and set on forwarded
|
||||
request, replacing any existing conflicting headers.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
authResponseHeadersRegex:
|
||||
description: 'AuthResponseHeadersRegex defines the regex to match
|
||||
headers to copy from the authentication server response and
|
||||
set on forwarded request, after stripping all headers that match
|
||||
the regex. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/#authresponseheadersregex'
|
||||
type: string
|
||||
tls:
|
||||
description: ClientTLS holds TLS specific configurations as client.
|
||||
description: TLS defines the configuration used to secure the
|
||||
connection to the authentication server.
|
||||
properties:
|
||||
caOptional:
|
||||
type: boolean
|
||||
caSecret:
|
||||
description: CASecret is the name of the referenced Kubernetes
|
||||
Secret containing the CA to validate the server certificate.
|
||||
The CA certificate is extracted from key `tls.ca` or `ca.crt`.
|
||||
type: string
|
||||
certSecret:
|
||||
description: CertSecret is the name of the referenced Kubernetes
|
||||
Secret containing the client certificate. The client certificate
|
||||
is extracted from the keys `tls.crt` and `tls.key`.
|
||||
type: string
|
||||
insecureSkipVerify:
|
||||
description: InsecureSkipVerify defines whether the server
|
||||
certificates should be validated.
|
||||
type: boolean
|
||||
type: object
|
||||
trustForwardHeader:
|
||||
description: 'TrustForwardHeader defines whether to trust (ie:
|
||||
forward) all X-Forwarded-* headers.'
|
||||
type: boolean
|
||||
type: object
|
||||
headers:
|
||||
description: Headers holds the custom header configuration.
|
||||
description: 'Headers holds the headers middleware configuration.
|
||||
This middleware manages the requests and responses headers. More
|
||||
info: https://doc.traefik.io/traefik/v2.7/middlewares/http/headers/#customrequestheaders'
|
||||
properties:
|
||||
accessControlAllowCredentials:
|
||||
description: AccessControlAllowCredentials is only valid if true.
|
||||
false is ignored.
|
||||
description: AccessControlAllowCredentials defines whether the
|
||||
request can include user credentials.
|
||||
type: boolean
|
||||
accessControlAllowHeaders:
|
||||
description: AccessControlAllowHeaders must be used in response
|
||||
to a preflight request with Access-Control-Request-Headers set.
|
||||
description: AccessControlAllowHeaders defines the Access-Control-Request-Headers
|
||||
values sent in preflight response.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
accessControlAllowMethods:
|
||||
description: AccessControlAllowMethods must be used in response
|
||||
to a preflight request with Access-Control-Request-Method set.
|
||||
description: AccessControlAllowMethods defines the Access-Control-Request-Method
|
||||
values sent in preflight response.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
@ -264,60 +406,96 @@ spec:
|
||||
type: string
|
||||
type: array
|
||||
accessControlExposeHeaders:
|
||||
description: AccessControlExposeHeaders sets valid headers for
|
||||
the response.
|
||||
description: AccessControlExposeHeaders defines the Access-Control-Expose-Headers
|
||||
values sent in preflight response.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
accessControlMaxAge:
|
||||
description: AccessControlMaxAge sets the time that a preflight
|
||||
description: AccessControlMaxAge defines the time that a preflight
|
||||
request may be cached.
|
||||
format: int64
|
||||
type: integer
|
||||
addVaryHeader:
|
||||
description: AddVaryHeader controls if the Vary header is automatically
|
||||
added/updated when the AccessControlAllowOriginList is set.
|
||||
description: AddVaryHeader defines whether the Vary header is
|
||||
automatically added/updated when the AccessControlAllowOriginList
|
||||
is set.
|
||||
type: boolean
|
||||
allowedHosts:
|
||||
description: AllowedHosts defines the fully qualified list of
|
||||
allowed domain names.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
browserXssFilter:
|
||||
description: BrowserXSSFilter defines whether to add the X-XSS-Protection
|
||||
header with the value 1; mode=block.
|
||||
type: boolean
|
||||
contentSecurityPolicy:
|
||||
description: ContentSecurityPolicy defines the Content-Security-Policy
|
||||
header value.
|
||||
type: string
|
||||
contentTypeNosniff:
|
||||
description: ContentTypeNosniff defines whether to add the X-Content-Type-Options
|
||||
header with the nosniff value.
|
||||
type: boolean
|
||||
customBrowserXSSValue:
|
||||
description: CustomBrowserXSSValue defines the X-XSS-Protection
|
||||
header value. This overrides the BrowserXssFilter option.
|
||||
type: string
|
||||
customFrameOptionsValue:
|
||||
description: CustomFrameOptionsValue defines the X-Frame-Options
|
||||
header value. This overrides the FrameDeny option.
|
||||
type: string
|
||||
customRequestHeaders:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: CustomRequestHeaders defines the header names and
|
||||
values to apply to the request.
|
||||
type: object
|
||||
customResponseHeaders:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: CustomResponseHeaders defines the header names and
|
||||
values to apply to the response.
|
||||
type: object
|
||||
featurePolicy:
|
||||
description: 'Deprecated: use PermissionsPolicy instead.'
|
||||
type: string
|
||||
forceSTSHeader:
|
||||
description: ForceSTSHeader defines whether to add the STS header
|
||||
even when the connection is HTTP.
|
||||
type: boolean
|
||||
frameDeny:
|
||||
description: FrameDeny defines whether to add the X-Frame-Options
|
||||
header with the DENY value.
|
||||
type: boolean
|
||||
hostsProxyHeaders:
|
||||
description: HostsProxyHeaders defines the header keys that may
|
||||
hold a proxied hostname value for the request.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
isDevelopment:
|
||||
description: IsDevelopment defines whether to mitigate the unwanted
|
||||
effects of the AllowedHosts, SSL, and STS options when developing.
|
||||
Usually testing takes place using HTTP, not HTTPS, and on localhost,
|
||||
not your production domain. If you would like your development
|
||||
environment to mimic production with complete Host blocking,
|
||||
SSL redirects, and STS headers, leave this as false.
|
||||
type: boolean
|
||||
permissionsPolicy:
|
||||
description: PermissionsPolicy defines the Permissions-Policy
|
||||
header value. This allows sites to control browser features.
|
||||
type: string
|
||||
publicKey:
|
||||
description: PublicKey is the public key that implements HPKP
|
||||
to prevent MITM attacks with forged certificates.
|
||||
type: string
|
||||
referrerPolicy:
|
||||
description: ReferrerPolicy defines the Referrer-Policy header
|
||||
value. This allows sites to control whether browsers forward
|
||||
the Referer header to other sites.
|
||||
type: string
|
||||
sslForceHost:
|
||||
description: 'Deprecated: use RedirectRegex instead.'
|
||||
@ -328,6 +506,10 @@ spec:
|
||||
sslProxyHeaders:
|
||||
additionalProperties:
|
||||
type: string
|
||||
description: 'SSLProxyHeaders defines the header keys with associated
|
||||
values that would indicate a valid HTTPS request. It can be
|
||||
useful when using other proxies (example: "X-Forwarded-Proto":
|
||||
"https").'
|
||||
type: object
|
||||
sslRedirect:
|
||||
description: 'Deprecated: use EntryPoint redirection or RedirectScheme
|
||||
@ -338,119 +520,192 @@ spec:
|
||||
instead.'
|
||||
type: boolean
|
||||
stsIncludeSubdomains:
|
||||
description: STSIncludeSubdomains defines whether the includeSubDomains
|
||||
directive is appended to the Strict-Transport-Security header.
|
||||
type: boolean
|
||||
stsPreload:
|
||||
description: STSPreload defines whether the preload flag is appended
|
||||
to the Strict-Transport-Security header.
|
||||
type: boolean
|
||||
stsSeconds:
|
||||
description: STSSeconds defines the max-age of the Strict-Transport-Security
|
||||
header. If set to 0, the header is not set.
|
||||
format: int64
|
||||
type: integer
|
||||
type: object
|
||||
inFlightReq:
|
||||
description: InFlightReq limits the number of requests being processed
|
||||
and served concurrently.
|
||||
description: 'InFlightReq holds the in-flight request middleware configuration.
|
||||
This middleware limits the number of requests being processed and
|
||||
served concurrently. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/inflightreq/'
|
||||
properties:
|
||||
amount:
|
||||
description: Amount defines the maximum amount of allowed simultaneous
|
||||
in-flight request. The middleware responds with HTTP 429 Too
|
||||
Many Requests if there are already amount requests in progress
|
||||
(based on the same sourceCriterion strategy).
|
||||
format: int64
|
||||
type: integer
|
||||
sourceCriterion:
|
||||
description: SourceCriterion defines what criterion is used to
|
||||
group requests as originating from a common source. If none
|
||||
are set, the default is to use the request's remote address
|
||||
field. All fields are mutually exclusive.
|
||||
description: 'SourceCriterion defines what criterion is used to
|
||||
group requests as originating from a common source. If several
|
||||
strategies are defined at the same time, an error will be raised.
|
||||
If none are set, the default is to use the requestHost. More
|
||||
info: https://doc.traefik.io/traefik/v2.7/middlewares/http/inflightreq/#sourcecriterion'
|
||||
properties:
|
||||
ipStrategy:
|
||||
description: IPStrategy holds the ip strategy configuration.
|
||||
description: 'IPStrategy holds the IP strategy configuration
|
||||
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy'
|
||||
properties:
|
||||
depth:
|
||||
description: Depth tells Traefik to use the X-Forwarded-For
|
||||
header and take the IP located at the depth position
|
||||
(starting from the right).
|
||||
type: integer
|
||||
excludedIPs:
|
||||
description: ExcludedIPs configures Traefik to scan the
|
||||
X-Forwarded-For header and select the first IP not in
|
||||
the list.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
requestHeaderName:
|
||||
description: RequestHeaderName defines the name of the header
|
||||
used to group incoming requests.
|
||||
type: string
|
||||
requestHost:
|
||||
description: RequestHost defines whether to consider the request
|
||||
Host as the source.
|
||||
type: boolean
|
||||
type: object
|
||||
type: object
|
||||
ipWhiteList:
|
||||
description: IPWhiteList holds the ip white list configuration.
|
||||
description: 'IPWhiteList holds the IP whitelist middleware configuration.
|
||||
This middleware accepts / refuses requests based on the client IP.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/'
|
||||
properties:
|
||||
ipStrategy:
|
||||
description: IPStrategy holds the ip strategy configuration.
|
||||
description: 'IPStrategy holds the IP strategy configuration used
|
||||
by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy'
|
||||
properties:
|
||||
depth:
|
||||
description: Depth tells Traefik to use the X-Forwarded-For
|
||||
header and take the IP located at the depth position (starting
|
||||
from the right).
|
||||
type: integer
|
||||
excludedIPs:
|
||||
description: ExcludedIPs configures Traefik to scan the X-Forwarded-For
|
||||
header and select the first IP not in the list.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
sourceRange:
|
||||
description: SourceRange defines the set of allowed IPs (or ranges
|
||||
of allowed IPs by using CIDR notation).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
passTLSClientCert:
|
||||
description: PassTLSClientCert holds the TLS client cert headers configuration.
|
||||
description: 'PassTLSClientCert holds the pass TLS client cert middleware
|
||||
configuration. This middleware adds the selected data from the passed
|
||||
client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/passtlsclientcert/'
|
||||
properties:
|
||||
info:
|
||||
description: TLSClientCertificateInfo holds the client TLS certificate
|
||||
info configuration.
|
||||
description: Info selects the specific client certificate details
|
||||
you want to add to the X-Forwarded-Tls-Client-Cert-Info header.
|
||||
properties:
|
||||
issuer:
|
||||
description: TLSClientCertificateIssuerDNInfo holds the client
|
||||
TLS certificate distinguished name info configuration. cf
|
||||
https://tools.ietf.org/html/rfc3739
|
||||
description: Issuer defines the client certificate issuer
|
||||
details to add to the X-Forwarded-Tls-Client-Cert-Info header.
|
||||
properties:
|
||||
commonName:
|
||||
description: CommonName defines whether to add the organizationalUnit
|
||||
information into the issuer.
|
||||
type: boolean
|
||||
country:
|
||||
description: Country defines whether to add the country
|
||||
information into the issuer.
|
||||
type: boolean
|
||||
domainComponent:
|
||||
description: DomainComponent defines whether to add the
|
||||
domainComponent information into the issuer.
|
||||
type: boolean
|
||||
locality:
|
||||
description: Locality defines whether to add the locality
|
||||
information into the issuer.
|
||||
type: boolean
|
||||
organization:
|
||||
description: Organization defines whether to add the organization
|
||||
information into the issuer.
|
||||
type: boolean
|
||||
province:
|
||||
description: Province defines whether to add the province
|
||||
information into the issuer.
|
||||
type: boolean
|
||||
serialNumber:
|
||||
description: SerialNumber defines whether to add the serialNumber
|
||||
information into the issuer.
|
||||
type: boolean
|
||||
type: object
|
||||
notAfter:
|
||||
description: NotAfter defines whether to add the Not After
|
||||
information from the Validity part.
|
||||
type: boolean
|
||||
notBefore:
|
||||
description: NotBefore defines whether to add the Not Before
|
||||
information from the Validity part.
|
||||
type: boolean
|
||||
sans:
|
||||
description: Sans defines whether to add the Subject Alternative
|
||||
Name information from the Subject Alternative Name part.
|
||||
type: boolean
|
||||
serialNumber:
|
||||
description: SerialNumber defines whether to add the client
|
||||
serialNumber information.
|
||||
type: boolean
|
||||
subject:
|
||||
description: TLSClientCertificateSubjectDNInfo holds the client
|
||||
TLS certificate distinguished name info configuration. cf
|
||||
https://tools.ietf.org/html/rfc3739
|
||||
description: Subject defines the client certificate subject
|
||||
details to add to the X-Forwarded-Tls-Client-Cert-Info header.
|
||||
properties:
|
||||
commonName:
|
||||
description: CommonName defines whether to add the organizationalUnit
|
||||
information into the subject.
|
||||
type: boolean
|
||||
country:
|
||||
description: Country defines whether to add the country
|
||||
information into the subject.
|
||||
type: boolean
|
||||
domainComponent:
|
||||
description: DomainComponent defines whether to add the
|
||||
domainComponent information into the subject.
|
||||
type: boolean
|
||||
locality:
|
||||
description: Locality defines whether to add the locality
|
||||
information into the subject.
|
||||
type: boolean
|
||||
organization:
|
||||
description: Organization defines whether to add the organization
|
||||
information into the subject.
|
||||
type: boolean
|
||||
organizationalUnit:
|
||||
description: OrganizationalUnit defines whether to add
|
||||
the organizationalUnit information into the subject.
|
||||
type: boolean
|
||||
province:
|
||||
description: Province defines whether to add the province
|
||||
information into the subject.
|
||||
type: boolean
|
||||
serialNumber:
|
||||
description: SerialNumber defines whether to add the serialNumber
|
||||
information into the subject.
|
||||
type: boolean
|
||||
type: object
|
||||
type: object
|
||||
pem:
|
||||
description: PEM sets the X-Forwarded-Tls-Client-Cert header with
|
||||
the escaped certificate.
|
||||
type: boolean
|
||||
type: object
|
||||
plugin:
|
||||
@ -458,101 +713,171 @@ spec:
|
||||
x-kubernetes-preserve-unknown-fields: true
|
||||
type: object
|
||||
rateLimit:
|
||||
description: RateLimit holds the rate limiting configuration for a
|
||||
given router.
|
||||
description: 'RateLimit holds the rate limit configuration. This middleware
|
||||
ensures that services will receive a fair amount of requests, and
|
||||
allows one to define what fair is. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ratelimit/'
|
||||
properties:
|
||||
average:
|
||||
description: Average is the maximum rate, by default in requests/s,
|
||||
allowed for the given source. It defaults to 0, which means
|
||||
no rate limiting. The rate is actually defined by dividing Average
|
||||
by Period. So for a rate below 1req/s, one needs to define a
|
||||
Period larger than a second.
|
||||
format: int64
|
||||
type: integer
|
||||
burst:
|
||||
description: Burst is the maximum number of requests allowed to
|
||||
arrive in the same arbitrarily small period of time. It defaults
|
||||
to 1.
|
||||
format: int64
|
||||
type: integer
|
||||
period:
|
||||
anyOf:
|
||||
- type: integer
|
||||
- type: string
|
||||
description: 'Period, in combination with Average, defines the
|
||||
actual maximum rate, such as: r = Average / Period. It defaults
|
||||
to a second.'
|
||||
x-kubernetes-int-or-string: true
|
||||
sourceCriterion:
|
||||
description: SourceCriterion defines what criterion is used to
|
||||
group requests as originating from a common source. If none
|
||||
are set, the default is to use the request's remote address
|
||||
field. All fields are mutually exclusive.
|
||||
group requests as originating from a common source. If several
|
||||
strategies are defined at the same time, an error will be raised.
|
||||
If none are set, the default is to use the request's remote
|
||||
address field (as an ipStrategy).
|
||||
properties:
|
||||
ipStrategy:
|
||||
description: IPStrategy holds the ip strategy configuration.
|
||||
description: 'IPStrategy holds the IP strategy configuration
|
||||
used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy'
|
||||
properties:
|
||||
depth:
|
||||
description: Depth tells Traefik to use the X-Forwarded-For
|
||||
header and take the IP located at the depth position
|
||||
(starting from the right).
|
||||
type: integer
|
||||
excludedIPs:
|
||||
description: ExcludedIPs configures Traefik to scan the
|
||||
X-Forwarded-For header and select the first IP not in
|
||||
the list.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
requestHeaderName:
|
||||
description: RequestHeaderName defines the name of the header
|
||||
used to group incoming requests.
|
||||
type: string
|
||||
requestHost:
|
||||
description: RequestHost defines whether to consider the request
|
||||
Host as the source.
|
||||
type: boolean
|
||||
type: object
|
||||
type: object
|
||||
redirectRegex:
|
||||
description: RedirectRegex holds the redirection configuration.
|
||||
description: 'RedirectRegex holds the redirect regex middleware configuration.
|
||||
This middleware redirects a request using regex matching and replacement.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/redirectregex/#regex'
|
||||
properties:
|
||||
permanent:
|
||||
description: Permanent defines whether the redirection is permanent
|
||||
(301).
|
||||
type: boolean
|
||||
regex:
|
||||
description: Regex defines the regex used to match and capture
|
||||
elements from the request URL.
|
||||
type: string
|
||||
replacement:
|
||||
description: Replacement defines how to modify the URL to have
|
||||
the new target URL.
|
||||
type: string
|
||||
type: object
|
||||
redirectScheme:
|
||||
description: RedirectScheme holds the scheme redirection configuration.
|
||||
description: 'RedirectScheme holds the redirect scheme middleware
|
||||
configuration. This middleware redirects requests from a scheme/port
|
||||
to another. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/redirectscheme/'
|
||||
properties:
|
||||
permanent:
|
||||
description: Permanent defines whether the redirection is permanent
|
||||
(301).
|
||||
type: boolean
|
||||
port:
|
||||
description: Port defines the port of the new URL.
|
||||
type: string
|
||||
scheme:
|
||||
description: Scheme defines the scheme of the new URL.
|
||||
type: string
|
||||
type: object
|
||||
replacePath:
|
||||
description: ReplacePath holds the ReplacePath configuration.
|
||||
description: 'ReplacePath holds the replace path middleware configuration.
|
||||
This middleware replaces the path of the request URL and store the
|
||||
original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/replacepath/'
|
||||
properties:
|
||||
path:
|
||||
description: Path defines the path to use as replacement in the
|
||||
request URL.
|
||||
type: string
|
||||
type: object
|
||||
replacePathRegex:
|
||||
description: ReplacePathRegex holds the ReplacePathRegex configuration.
|
||||
description: 'ReplacePathRegex holds the replace path regex middleware
|
||||
configuration. This middleware replaces the path of a URL using
|
||||
regex matching and replacement. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/replacepathregex/'
|
||||
properties:
|
||||
regex:
|
||||
description: Regex defines the regular expression used to match
|
||||
and capture the path from the request URL.
|
||||
type: string
|
||||
replacement:
|
||||
description: Replacement defines the replacement path format,
|
||||
which can include captured variables.
|
||||
type: string
|
||||
type: object
|
||||
retry:
|
||||
description: Retry holds the retry configuration.
|
||||
description: 'Retry holds the retry middleware configuration. This
|
||||
middleware reissues requests a given number of times to a backend
|
||||
server if that server does not reply. As soon as the server answers,
|
||||
the middleware stops retrying, regardless of the response status.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/retry/'
|
||||
properties:
|
||||
attempts:
|
||||
description: Attempts defines how many times the request should
|
||||
be retried.
|
||||
type: integer
|
||||
initialInterval:
|
||||
anyOf:
|
||||
- type: integer
|
||||
- type: string
|
||||
description: InitialInterval defines the first wait time in the
|
||||
exponential backoff series. The maximum interval is calculated
|
||||
as twice the initialInterval. If unspecified, requests will
|
||||
be retried immediately. The value of initialInterval should
|
||||
be provided in seconds or as a valid duration format, see https://pkg.go.dev/time#ParseDuration.
|
||||
x-kubernetes-int-or-string: true
|
||||
type: object
|
||||
stripPrefix:
|
||||
description: StripPrefix holds the StripPrefix configuration.
|
||||
description: 'StripPrefix holds the strip prefix middleware configuration.
|
||||
This middleware removes the specified prefixes from the URL path.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/stripprefix/'
|
||||
properties:
|
||||
forceSlash:
|
||||
description: 'ForceSlash ensures that the resulting stripped path
|
||||
is not the empty string, by replacing it with / when necessary.
|
||||
Default: true.'
|
||||
type: boolean
|
||||
prefixes:
|
||||
description: Prefixes defines the prefixes to strip from the request
|
||||
URL.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
stripPrefixRegex:
|
||||
description: StripPrefixRegex holds the StripPrefixRegex configuration.
|
||||
description: 'StripPrefixRegex holds the strip prefix regex middleware
|
||||
configuration. This middleware removes the matching prefixes from
|
||||
the URL path. More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/stripprefixregex/'
|
||||
properties:
|
||||
regex:
|
||||
description: Regex defines the regular expression to match the
|
||||
path prefix from the request URL.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
|
@ -19,7 +19,8 @@ spec:
|
||||
- name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: MiddlewareTCP is a specification for a MiddlewareTCP resource.
|
||||
description: 'MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/middlewares/overview/'
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
@ -34,19 +35,24 @@ spec:
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: MiddlewareTCPSpec holds the MiddlewareTCP configuration.
|
||||
description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP.
|
||||
properties:
|
||||
inFlightConn:
|
||||
description: TCPInFlightConn holds the TCP in flight connection configuration.
|
||||
description: InFlightConn defines the InFlightConn middleware configuration.
|
||||
properties:
|
||||
amount:
|
||||
description: Amount defines the maximum amount of allowed simultaneous
|
||||
connections. The middleware closes the connection if there are
|
||||
already amount connections opened.
|
||||
format: int64
|
||||
type: integer
|
||||
type: object
|
||||
ipWhiteList:
|
||||
description: TCPIPWhiteList holds the TCP ip white list configuration.
|
||||
description: IPWhiteList defines the IPWhiteList middleware configuration.
|
||||
properties:
|
||||
sourceRange:
|
||||
description: SourceRange defines the allowed IPs (or ranges of
|
||||
allowed IPs by using CIDR notation).
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
|
@ -19,7 +19,10 @@ spec:
|
||||
- name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: ServersTransport is a specification for a ServersTransport resource.
|
||||
description: 'ServersTransport is the CRD implementation of a ServersTransport.
|
||||
If no serversTransport is specified, the default@internal will be used.
|
||||
The default@internal serversTransport is created from the static configuration.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/routing/services/#serverstransport_1'
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
@ -34,27 +37,28 @@ spec:
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: ServersTransportSpec options to configure communication between
|
||||
Traefik and the servers.
|
||||
description: ServersTransportSpec defines the desired state of a ServersTransport.
|
||||
properties:
|
||||
certificatesSecrets:
|
||||
description: Certificates for mTLS.
|
||||
description: CertificatesSecrets defines a list of secret storing
|
||||
client certificates for mTLS.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
disableHTTP2:
|
||||
description: Disable HTTP/2 for connections with backend servers.
|
||||
description: DisableHTTP2 disables HTTP/2 for connections with backend
|
||||
servers.
|
||||
type: boolean
|
||||
forwardingTimeouts:
|
||||
description: Timeouts for requests forwarded to the backend servers.
|
||||
description: ForwardingTimeouts defines the timeouts for requests
|
||||
forwarded to the backend servers.
|
||||
properties:
|
||||
dialTimeout:
|
||||
anyOf:
|
||||
- type: integer
|
||||
- type: string
|
||||
description: DialTimeout is the amount of time to wait until a
|
||||
connection to a backend server can be established. If zero,
|
||||
no timeout exists.
|
||||
connection to a backend server can be established.
|
||||
x-kubernetes-int-or-string: true
|
||||
idleConnTimeout:
|
||||
anyOf:
|
||||
@ -77,7 +81,7 @@ spec:
|
||||
- type: string
|
||||
description: ReadIdleTimeout is the timeout after which a health
|
||||
check using ping frame will be carried out if no frame is received
|
||||
on the HTTP/2 connection. If zero, no health check is performed.
|
||||
on the HTTP/2 connection.
|
||||
x-kubernetes-int-or-string: true
|
||||
responseHeaderTimeout:
|
||||
anyOf:
|
||||
@ -85,27 +89,29 @@ spec:
|
||||
- type: string
|
||||
description: ResponseHeaderTimeout is the amount of time to wait
|
||||
for a server's response headers after fully writing the request
|
||||
(including its body, if any). If zero, no timeout exists.
|
||||
(including its body, if any).
|
||||
x-kubernetes-int-or-string: true
|
||||
type: object
|
||||
insecureSkipVerify:
|
||||
description: Disable SSL certificate verification.
|
||||
description: InsecureSkipVerify disables SSL certificate verification.
|
||||
type: boolean
|
||||
maxIdleConnsPerHost:
|
||||
description: If non-zero, controls the maximum idle (keep-alive) to
|
||||
keep per-host. If zero, DefaultMaxIdleConnsPerHost is used.
|
||||
description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)
|
||||
to keep per-host.
|
||||
type: integer
|
||||
peerCertURI:
|
||||
description: URI used to match against SAN URI during the peer certificate
|
||||
verification.
|
||||
description: PeerCertURI defines the peer cert URI used to match against
|
||||
SAN URI during the peer certificate verification.
|
||||
type: string
|
||||
rootCAsSecrets:
|
||||
description: Add cert file for self-signed certificate.
|
||||
description: RootCAsSecrets defines a list of CA secret used to validate
|
||||
self-signed certificate.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
serverName:
|
||||
description: ServerName used to contact the server.
|
||||
description: ServerName defines the server name used to contact the
|
||||
server.
|
||||
type: string
|
||||
type: object
|
||||
required:
|
||||
|
@ -19,7 +19,9 @@ spec:
|
||||
- name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: TLSOption is a specification for a TLSOption resource.
|
||||
description: 'TLSOption is the CRD implementation of a Traefik TLS Option,
|
||||
allowing to configure some parameters of the TLS connection. More info:
|
||||
https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options'
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
@ -34,19 +36,24 @@ spec:
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: TLSOptionSpec configures TLS for an entry point.
|
||||
description: TLSOptionSpec defines the desired state of a TLSOption.
|
||||
properties:
|
||||
alpnProtocols:
|
||||
description: 'ALPNProtocols defines the list of supported application
|
||||
level protocols for the TLS handshake, in order of preference. More
|
||||
info: https://doc.traefik.io/traefik/v2.7/https/tls/#alpn-protocols'
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
cipherSuites:
|
||||
description: 'CipherSuites defines the list of supported cipher suites
|
||||
for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#cipher-suites'
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
clientAuth:
|
||||
description: ClientAuth defines the parameters of the client authentication
|
||||
part of the TLS connection, if any.
|
||||
description: ClientAuth defines the server's policy for TLS Client
|
||||
Authentication.
|
||||
properties:
|
||||
clientAuthType:
|
||||
description: ClientAuthType defines the client authentication
|
||||
@ -59,23 +66,36 @@ spec:
|
||||
- RequireAndVerifyClientCert
|
||||
type: string
|
||||
secretNames:
|
||||
description: SecretName is the name of the referenced Kubernetes
|
||||
Secret to specify the certificate details.
|
||||
description: SecretNames defines the names of the referenced Kubernetes
|
||||
Secret storing certificate details.
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
type: object
|
||||
curvePreferences:
|
||||
description: 'CurvePreferences defines the preferred elliptic curves
|
||||
in a specific order. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#curve-preferences'
|
||||
items:
|
||||
type: string
|
||||
type: array
|
||||
maxVersion:
|
||||
description: 'MaxVersion defines the maximum TLS version that Traefik
|
||||
will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
|
||||
VersionTLS13. Default: None.'
|
||||
type: string
|
||||
minVersion:
|
||||
description: 'MinVersion defines the minimum TLS version that Traefik
|
||||
will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
|
||||
VersionTLS13. Default: VersionTLS10.'
|
||||
type: string
|
||||
preferServerCipherSuites:
|
||||
description: PreferServerCipherSuites defines whether the server chooses
|
||||
a cipher suite among his own instead of among the client's. It is
|
||||
enabled automatically when minVersion or maxVersion are set.
|
||||
type: boolean
|
||||
sniStrict:
|
||||
description: SniStrict defines whether Traefik allows connections
|
||||
from clients connections that do not specify a server_name extension.
|
||||
type: boolean
|
||||
type: object
|
||||
required:
|
||||
|
@ -19,7 +19,10 @@ spec:
|
||||
- name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: TLSStore is a specification for a TLSStore resource.
|
||||
description: 'TLSStore is the CRD implementation of a Traefik TLS Store. For
|
||||
the time being, only the TLSStore named default is supported. This means
|
||||
that you cannot have two stores that are named default in different Kubernetes
|
||||
namespaces. More info: https://doc.traefik.io/traefik/v2.7/https/tls/#certificates-stores'
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
@ -34,11 +37,10 @@ spec:
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: TLSStoreSpec configures a TLSStore resource.
|
||||
description: TLSStoreSpec defines the desired state of a TLSStore.
|
||||
properties:
|
||||
defaultCertificate:
|
||||
description: DefaultCertificate holds a secret name for the TLSOption
|
||||
resource.
|
||||
description: DefaultCertificate defines the default certificate configuration.
|
||||
properties:
|
||||
secretName:
|
||||
description: SecretName is the name of the referenced Kubernetes
|
||||
|
@ -19,10 +19,9 @@ spec:
|
||||
- name: v1alpha1
|
||||
schema:
|
||||
openAPIV3Schema:
|
||||
description: TraefikService is the specification for a service (that an IngressRoute
|
||||
refers to) that is usually not a terminal service (i.e. not a pod of servers),
|
||||
as opposed to a Kubernetes Service. That is to say, it usually refers to
|
||||
other (children) services, which themselves can be TraefikServices or Services.
|
||||
description: 'TraefikService is the CRD implementation of a Traefik Service.
|
||||
TraefikService object allows to: - Apply weight to Services on load-balancing -
|
||||
Mirror traffic on services More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-traefikservice'
|
||||
properties:
|
||||
apiVersion:
|
||||
description: 'APIVersion defines the versioned schema of this representation
|
||||
@ -37,220 +36,332 @@ spec:
|
||||
metadata:
|
||||
type: object
|
||||
spec:
|
||||
description: ServiceSpec defines whether a TraefikService is a load-balancer
|
||||
of services or a mirroring service.
|
||||
description: TraefikServiceSpec defines the desired state of a TraefikService.
|
||||
properties:
|
||||
mirroring:
|
||||
description: Mirroring defines a mirroring service, which is composed
|
||||
of a main load-balancer, and a list of mirrors.
|
||||
description: Mirroring defines the Mirroring service configuration.
|
||||
properties:
|
||||
kind:
|
||||
description: Kind defines the kind of the Service.
|
||||
enum:
|
||||
- Service
|
||||
- TraefikService
|
||||
type: string
|
||||
maxBodySize:
|
||||
description: MaxBodySize defines the maximum size allowed for
|
||||
the body of the request. If the body is larger, the request
|
||||
is not mirrored. Default value is -1, which means unlimited
|
||||
size.
|
||||
format: int64
|
||||
type: integer
|
||||
mirrors:
|
||||
description: Mirrors defines the list of mirrors where Traefik
|
||||
will duplicate the traffic.
|
||||
items:
|
||||
description: MirrorService defines one of the mirrors of a Mirroring
|
||||
service.
|
||||
description: MirrorService holds the mirror configuration.
|
||||
properties:
|
||||
kind:
|
||||
description: Kind defines the kind of the Service.
|
||||
enum:
|
||||
- Service
|
||||
- TraefikService
|
||||
type: string
|
||||
name:
|
||||
description: Name is a reference to a Kubernetes Service
|
||||
object (for a load-balancer of servers), or to a TraefikService
|
||||
object (service load-balancer, mirroring, etc). The differentiation
|
||||
between the two is specified in the Kind field.
|
||||
description: Name defines the name of the referenced Kubernetes
|
||||
Service or TraefikService. The differentiation between
|
||||
the two is specified in the Kind field.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace defines the namespace of the referenced
|
||||
Kubernetes Service or TraefikService.
|
||||
type: string
|
||||
passHostHeader:
|
||||
description: PassHostHeader defines whether the client Host
|
||||
header is forwarded to the upstream Kubernetes Service.
|
||||
By default, passHostHeader is true.
|
||||
type: boolean
|
||||
percent:
|
||||
description: 'Percent defines the part of the traffic to
|
||||
mirror. Supported values: 0 to 100.'
|
||||
type: integer
|
||||
port:
|
||||
anyOf:
|
||||
- type: integer
|
||||
- type: string
|
||||
description: Port defines the port of a Kubernetes Service.
|
||||
This can be a reference to a named port.
|
||||
x-kubernetes-int-or-string: true
|
||||
responseForwarding:
|
||||
description: ResponseForwarding holds configuration for
|
||||
the forward of the response.
|
||||
description: ResponseForwarding defines how Traefik forwards
|
||||
the response from the upstream Kubernetes Service to the
|
||||
client.
|
||||
properties:
|
||||
flushInterval:
|
||||
description: 'FlushInterval defines the interval, in
|
||||
milliseconds, in between flushes to the client while
|
||||
copying the response body. A negative value means
|
||||
to flush immediately after each write to the client.
|
||||
This configuration is ignored when ReverseProxy recognizes
|
||||
a response as a streaming response; for such responses,
|
||||
writes are flushed to the client immediately. Default:
|
||||
100ms'
|
||||
type: string
|
||||
type: object
|
||||
scheme:
|
||||
description: Scheme defines the scheme to use for the request
|
||||
to the upstream Kubernetes Service. It defaults to https
|
||||
when Kubernetes Service port is 443, http otherwise.
|
||||
type: string
|
||||
serversTransport:
|
||||
description: ServersTransport defines the name of ServersTransport
|
||||
resource to use. It allows to configure the transport
|
||||
between Traefik and your servers. Can only be used on
|
||||
a Kubernetes Service.
|
||||
type: string
|
||||
sticky:
|
||||
description: Sticky holds the sticky configuration.
|
||||
description: 'Sticky defines the sticky sessions configuration.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions'
|
||||
properties:
|
||||
cookie:
|
||||
description: Cookie holds the sticky configuration based
|
||||
on cookie.
|
||||
description: Cookie defines the sticky cookie configuration.
|
||||
properties:
|
||||
httpOnly:
|
||||
description: HTTPOnly defines whether the cookie
|
||||
can be accessed by client-side APIs, such as JavaScript.
|
||||
type: boolean
|
||||
name:
|
||||
description: Name defines the Cookie name.
|
||||
type: string
|
||||
sameSite:
|
||||
description: 'SameSite defines the same site policy.
|
||||
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
|
||||
type: string
|
||||
secure:
|
||||
description: Secure defines whether the cookie can
|
||||
only be transmitted over an encrypted connection
|
||||
(i.e. HTTPS).
|
||||
type: boolean
|
||||
type: object
|
||||
type: object
|
||||
strategy:
|
||||
description: Strategy defines the load balancing strategy
|
||||
between the servers. RoundRobin is the only supported
|
||||
value at the moment.
|
||||
type: string
|
||||
weight:
|
||||
description: Weight should only be specified when Name references
|
||||
a TraefikService object (and to be precise, one that embeds
|
||||
a Weighted Round Robin).
|
||||
description: Weight defines the weight and should only be
|
||||
specified when Name references a TraefikService object
|
||||
(and to be precise, one that embeds a Weighted Round Robin).
|
||||
type: integer
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
name:
|
||||
description: Name is a reference to a Kubernetes Service object
|
||||
(for a load-balancer of servers), or to a TraefikService object
|
||||
(service load-balancer, mirroring, etc). The differentiation
|
||||
between the two is specified in the Kind field.
|
||||
description: Name defines the name of the referenced Kubernetes
|
||||
Service or TraefikService. The differentiation between the two
|
||||
is specified in the Kind field.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace defines the namespace of the referenced
|
||||
Kubernetes Service or TraefikService.
|
||||
type: string
|
||||
passHostHeader:
|
||||
description: PassHostHeader defines whether the client Host header
|
||||
is forwarded to the upstream Kubernetes Service. By default,
|
||||
passHostHeader is true.
|
||||
type: boolean
|
||||
port:
|
||||
anyOf:
|
||||
- type: integer
|
||||
- type: string
|
||||
description: Port defines the port of a Kubernetes Service. This
|
||||
can be a reference to a named port.
|
||||
x-kubernetes-int-or-string: true
|
||||
responseForwarding:
|
||||
description: ResponseForwarding holds configuration for the forward
|
||||
of the response.
|
||||
description: ResponseForwarding defines how Traefik forwards the
|
||||
response from the upstream Kubernetes Service to the client.
|
||||
properties:
|
||||
flushInterval:
|
||||
description: 'FlushInterval defines the interval, in milliseconds,
|
||||
in between flushes to the client while copying the response
|
||||
body. A negative value means to flush immediately after
|
||||
each write to the client. This configuration is ignored
|
||||
when ReverseProxy recognizes a response as a streaming response;
|
||||
for such responses, writes are flushed to the client immediately.
|
||||
Default: 100ms'
|
||||
type: string
|
||||
type: object
|
||||
scheme:
|
||||
description: Scheme defines the scheme to use for the request
|
||||
to the upstream Kubernetes Service. It defaults to https when
|
||||
Kubernetes Service port is 443, http otherwise.
|
||||
type: string
|
||||
serversTransport:
|
||||
description: ServersTransport defines the name of ServersTransport
|
||||
resource to use. It allows to configure the transport between
|
||||
Traefik and your servers. Can only be used on a Kubernetes Service.
|
||||
type: string
|
||||
sticky:
|
||||
description: Sticky holds the sticky configuration.
|
||||
description: 'Sticky defines the sticky sessions configuration.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions'
|
||||
properties:
|
||||
cookie:
|
||||
description: Cookie holds the sticky configuration based on
|
||||
cookie.
|
||||
description: Cookie defines the sticky cookie configuration.
|
||||
properties:
|
||||
httpOnly:
|
||||
description: HTTPOnly defines whether the cookie can be
|
||||
accessed by client-side APIs, such as JavaScript.
|
||||
type: boolean
|
||||
name:
|
||||
description: Name defines the Cookie name.
|
||||
type: string
|
||||
sameSite:
|
||||
description: 'SameSite defines the same site policy. More
|
||||
info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
|
||||
type: string
|
||||
secure:
|
||||
description: Secure defines whether the cookie can only
|
||||
be transmitted over an encrypted connection (i.e. HTTPS).
|
||||
type: boolean
|
||||
type: object
|
||||
type: object
|
||||
strategy:
|
||||
description: Strategy defines the load balancing strategy between
|
||||
the servers. RoundRobin is the only supported value at the moment.
|
||||
type: string
|
||||
weight:
|
||||
description: Weight should only be specified when Name references
|
||||
a TraefikService object (and to be precise, one that embeds
|
||||
a Weighted Round Robin).
|
||||
description: Weight defines the weight and should only be specified
|
||||
when Name references a TraefikService object (and to be precise,
|
||||
one that embeds a Weighted Round Robin).
|
||||
type: integer
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
weighted:
|
||||
description: WeightedRoundRobin defines a load-balancer of services.
|
||||
description: Weighted defines the Weighted Round Robin configuration.
|
||||
properties:
|
||||
services:
|
||||
description: Services defines the list of Kubernetes Service and/or
|
||||
TraefikService to load-balance, with weight.
|
||||
items:
|
||||
description: Service defines an upstream to proxy traffic.
|
||||
description: Service defines an upstream HTTP service to proxy
|
||||
traffic to.
|
||||
properties:
|
||||
kind:
|
||||
description: Kind defines the kind of the Service.
|
||||
enum:
|
||||
- Service
|
||||
- TraefikService
|
||||
type: string
|
||||
name:
|
||||
description: Name is a reference to a Kubernetes Service
|
||||
object (for a load-balancer of servers), or to a TraefikService
|
||||
object (service load-balancer, mirroring, etc). The differentiation
|
||||
between the two is specified in the Kind field.
|
||||
description: Name defines the name of the referenced Kubernetes
|
||||
Service or TraefikService. The differentiation between
|
||||
the two is specified in the Kind field.
|
||||
type: string
|
||||
namespace:
|
||||
description: Namespace defines the namespace of the referenced
|
||||
Kubernetes Service or TraefikService.
|
||||
type: string
|
||||
passHostHeader:
|
||||
description: PassHostHeader defines whether the client Host
|
||||
header is forwarded to the upstream Kubernetes Service.
|
||||
By default, passHostHeader is true.
|
||||
type: boolean
|
||||
port:
|
||||
anyOf:
|
||||
- type: integer
|
||||
- type: string
|
||||
description: Port defines the port of a Kubernetes Service.
|
||||
This can be a reference to a named port.
|
||||
x-kubernetes-int-or-string: true
|
||||
responseForwarding:
|
||||
description: ResponseForwarding holds configuration for
|
||||
the forward of the response.
|
||||
description: ResponseForwarding defines how Traefik forwards
|
||||
the response from the upstream Kubernetes Service to the
|
||||
client.
|
||||
properties:
|
||||
flushInterval:
|
||||
description: 'FlushInterval defines the interval, in
|
||||
milliseconds, in between flushes to the client while
|
||||
copying the response body. A negative value means
|
||||
to flush immediately after each write to the client.
|
||||
This configuration is ignored when ReverseProxy recognizes
|
||||
a response as a streaming response; for such responses,
|
||||
writes are flushed to the client immediately. Default:
|
||||
100ms'
|
||||
type: string
|
||||
type: object
|
||||
scheme:
|
||||
description: Scheme defines the scheme to use for the request
|
||||
to the upstream Kubernetes Service. It defaults to https
|
||||
when Kubernetes Service port is 443, http otherwise.
|
||||
type: string
|
||||
serversTransport:
|
||||
description: ServersTransport defines the name of ServersTransport
|
||||
resource to use. It allows to configure the transport
|
||||
between Traefik and your servers. Can only be used on
|
||||
a Kubernetes Service.
|
||||
type: string
|
||||
sticky:
|
||||
description: Sticky holds the sticky configuration.
|
||||
description: 'Sticky defines the sticky sessions configuration.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions'
|
||||
properties:
|
||||
cookie:
|
||||
description: Cookie holds the sticky configuration based
|
||||
on cookie.
|
||||
description: Cookie defines the sticky cookie configuration.
|
||||
properties:
|
||||
httpOnly:
|
||||
description: HTTPOnly defines whether the cookie
|
||||
can be accessed by client-side APIs, such as JavaScript.
|
||||
type: boolean
|
||||
name:
|
||||
description: Name defines the Cookie name.
|
||||
type: string
|
||||
sameSite:
|
||||
description: 'SameSite defines the same site policy.
|
||||
More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
|
||||
type: string
|
||||
secure:
|
||||
description: Secure defines whether the cookie can
|
||||
only be transmitted over an encrypted connection
|
||||
(i.e. HTTPS).
|
||||
type: boolean
|
||||
type: object
|
||||
type: object
|
||||
strategy:
|
||||
description: Strategy defines the load balancing strategy
|
||||
between the servers. RoundRobin is the only supported
|
||||
value at the moment.
|
||||
type: string
|
||||
weight:
|
||||
description: Weight should only be specified when Name references
|
||||
a TraefikService object (and to be precise, one that embeds
|
||||
a Weighted Round Robin).
|
||||
description: Weight defines the weight and should only be
|
||||
specified when Name references a TraefikService object
|
||||
(and to be precise, one that embeds a Weighted Round Robin).
|
||||
type: integer
|
||||
required:
|
||||
- name
|
||||
type: object
|
||||
type: array
|
||||
sticky:
|
||||
description: Sticky holds the sticky configuration.
|
||||
description: 'Sticky defines whether sticky sessions are enabled.
|
||||
More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#stickiness-and-load-balancing'
|
||||
properties:
|
||||
cookie:
|
||||
description: Cookie holds the sticky configuration based on
|
||||
cookie.
|
||||
description: Cookie defines the sticky cookie configuration.
|
||||
properties:
|
||||
httpOnly:
|
||||
description: HTTPOnly defines whether the cookie can be
|
||||
accessed by client-side APIs, such as JavaScript.
|
||||
type: boolean
|
||||
name:
|
||||
description: Name defines the Cookie name.
|
||||
type: string
|
||||
sameSite:
|
||||
description: 'SameSite defines the same site policy. More
|
||||
info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
|
||||
type: string
|
||||
secure:
|
||||
description: Secure defines whether the cookie can only
|
||||
be transmitted over an encrypted connection (i.e. HTTPS).
|
||||
type: boolean
|
||||
type: object
|
||||
type: object
|
||||
|
@ -298,10 +298,10 @@ You can find an excerpt of the available custom resources in the table below:
|
||||
| Kind | Purpose | Concept Behind |
|
||||
|--------------------------------------------|--------------------------------------------------------------------|----------------------------------------------------------------|
|
||||
| [IngressRoute](#kind-ingressroute) | HTTP Routing | [HTTP router](../routers/index.md#configuring-http-routers) |
|
||||
| [Middleware](#kind-middleware) | Tweaks the HTTP requests before they are sent to your service | [HTTP Middlewares](../../middlewares/http/overview.md) |
|
||||
| [Middleware](#kind-middleware) | Tweaks the HTTP requests before they are sent to your service | [HTTP Middlewares](../../middlewares/http/overview.md) |
|
||||
| [TraefikService](#kind-traefikservice) | Abstraction for HTTP loadbalancing/mirroring | [HTTP service](../services/index.md#configuring-http-services) |
|
||||
| [IngressRouteTCP](#kind-ingressroutetcp) | TCP Routing | [TCP router](../routers/index.md#configuring-tcp-routers) |
|
||||
| [MiddlewareTCP](#kind-middlewaretcp) | Tweaks the TCP requests before they are sent to your service | [TCP Middlewares](../../middlewares/tcp/overview.md) |
|
||||
| [MiddlewareTCP](#kind-middlewaretcp) | Tweaks the TCP requests before they are sent to your service | [TCP Middlewares](../../middlewares/tcp/overview.md) |
|
||||
| [IngressRouteUDP](#kind-ingressrouteudp) | UDP Routing | [UDP router](../routers/index.md#configuring-udp-routers) |
|
||||
| [TLSOptions](#kind-tlsoption) | Allows to configure some parameters of the TLS connection | [TLSOptions](../../https/tls.md#tls-options) |
|
||||
| [TLSStores](#kind-tlsstore) | Allows to configure the default TLS store | [TLSStores](../../https/tls.md#certificates-stores) |
|
||||
@ -583,6 +583,62 @@ Register the `IngressRoute` [kind](../../reference/dynamic-configuration/kuberne
|
||||
- port: 80
|
||||
```
|
||||
|
||||
#### Load Balancing
|
||||
|
||||
More information in the dedicated server [load balancing](../services/index.md#load-balancing) section.
|
||||
|
||||
!!! info "Declaring and using Kubernetes Service Load Balancing"
|
||||
|
||||
```yaml tab="IngressRoute"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: ingressroutebar
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
entryPoints:
|
||||
- web
|
||||
routes:
|
||||
- match: Host(`example.com`) && PathPrefix(`/foo`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: svc1
|
||||
namespace: default
|
||||
- name: svc2
|
||||
namespace: default
|
||||
```
|
||||
|
||||
```yaml tab="K8s Service"
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc1
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
selector:
|
||||
app: traefiklabs
|
||||
task: app1
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc2
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
selector:
|
||||
app: traefiklabs
|
||||
task: app2
|
||||
```
|
||||
|
||||
### Kind: `Middleware`
|
||||
|
||||
`Middleware` is the CRD implementation of a [Traefik middleware](../../middlewares/http/overview.md).
|
||||
@ -642,7 +698,7 @@ More information about available middlewares in the dedicated [middlewares secti
|
||||
Register the `TraefikService` [kind](../../reference/dynamic-configuration/kubernetes-crd.md#definitions) in the Kubernetes cluster before creating `TraefikService` objects,
|
||||
referencing services in the [`IngressRoute`](#kind-ingressroute) objects, or recursively in others `TraefikService` objects.
|
||||
|
||||
!!! info "Disambiguate Traefik and Kubernetes Services "
|
||||
!!! info "Disambiguate Traefik and Kubernetes Services"
|
||||
|
||||
As the field `name` can reference different types of objects, use the field `kind` to avoid any ambiguity.
|
||||
|
||||
@ -653,65 +709,8 @@ referencing services in the [`IngressRoute`](#kind-ingressroute) objects, or rec
|
||||
|
||||
`TraefikService` object allows to use any (valid) combinations of:
|
||||
|
||||
* servers [load balancing](#server-load-balancing).
|
||||
* services [Weighted Round Robin](#weighted-round-robin) load balancing.
|
||||
* services [mirroring](#mirroring).
|
||||
|
||||
#### Server Load Balancing
|
||||
|
||||
More information in the dedicated server [load balancing](../services/index.md#load-balancing) section.
|
||||
|
||||
??? "Declaring and Using Server Load Balancing"
|
||||
|
||||
```yaml tab="IngressRoute"
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: ingressroutebar
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
entryPoints:
|
||||
- web
|
||||
routes:
|
||||
- match: Host(`example.com`) && PathPrefix(`/foo`)
|
||||
kind: Rule
|
||||
services:
|
||||
- name: svc1
|
||||
namespace: default
|
||||
- name: svc2
|
||||
namespace: default
|
||||
```
|
||||
|
||||
```yaml tab="K8s Service"
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc1
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
selector:
|
||||
app: traefiklabs
|
||||
task: app1
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: svc2
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
ports:
|
||||
- name: http
|
||||
port: 80
|
||||
selector:
|
||||
app: traefiklabs
|
||||
task: app2
|
||||
```
|
||||
* [Weighted Round Robin](#weighted-round-robin) load balancing.
|
||||
* [Mirroring](#mirroring).
|
||||
|
||||
#### Weighted Round Robin
|
||||
|
||||
@ -1074,7 +1073,7 @@ and there is a second level because each whoami service is a `replicaset` and is
|
||||
|
||||
assuming `10.42.0.6` is the IP address of one of the replicas (a pod then) of the `whoami1` service.
|
||||
|
||||
### Kind `IngressRouteTCP`
|
||||
### Kind: `IngressRouteTCP`
|
||||
|
||||
`IngressRouteTCP` is the CRD implementation of a [Traefik TCP router](../routers/index.md#configuring-tcp-routers).
|
||||
|
||||
@ -1327,7 +1326,7 @@ Register the `MiddlewareTCP` [kind](../../reference/dynamic-configuration/kubern
|
||||
|
||||
More information about available TCP middlewares in the dedicated [middlewares section](../../middlewares/tcp/overview.md).
|
||||
|
||||
### Kind `IngressRouteUDP`
|
||||
### Kind: `IngressRouteUDP`
|
||||
|
||||
`IngressRouteUDP` is the CRD implementation of a [Traefik UDP router](../routers/index.md#configuring-udp-routers).
|
||||
|
||||
@ -1616,9 +1615,8 @@ or referencing TLS stores in the [`IngressRoute`](#kind-ingressroute) / [`Ingres
|
||||
!!! important "Default TLS Store"
|
||||
|
||||
Traefik currently only uses the [TLS Store named "default"](../../https/tls.md#certificates-stores).
|
||||
This means that if you have two stores that are named default in different kubernetes namespaces,
|
||||
they may be randomly chosen.
|
||||
For the time being, please only configure one TLSSTore named default.
|
||||
This means that you cannot have two stores that are named default in different Kubernetes namespaces.
|
||||
For the time being, please only configure one TLSStore named default.
|
||||
|
||||
!!! info "TLSStore Attributes"
|
||||
|
||||
|
17
docs/content/user-guides/crd-acme/05-tlsoption.yml
Normal file
17
docs/content/user-guides/crd-acme/05-tlsoption.yml
Normal file
@ -0,0 +1,17 @@
|
||||
---
|
||||
apiVersion: traefik.containo.us/v1alpha1
|
||||
kind: TLSOption
|
||||
metadata:
|
||||
name: default
|
||||
namespace: default
|
||||
spec:
|
||||
minVersion: VersionTLS12
|
||||
cipherSuites:
|
||||
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 # TLS 1.2
|
||||
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 # TLS 1.2
|
||||
- TLS_AES_256_GCM_SHA384 # TLS 1.3
|
||||
- TLS_CHACHA20_POLY1305_SHA256 # TLS 1.3
|
||||
curvePreferences:
|
||||
- CurveP521
|
||||
- CurveP384
|
||||
sniStrict: true
|
@ -44,20 +44,25 @@ Let's now have a look (in the order they should be applied, if using `kubectl ap
|
||||
|
||||
### IngressRoute Definition
|
||||
|
||||
First, the definition of the `IngressRoute` and the `Middleware` kinds.
|
||||
Also note the RBAC authorization resources; they'll be referenced through the `serviceAccountName` of the deployment, later on.
|
||||
First, you will need to install Traefik CRDs containing the definition of the `IngressRoute` and the `Middleware` kinds,
|
||||
and the RBAC authorization resources which will be referenced through the `serviceAccountName` of the deployment.
|
||||
|
||||
```yaml
|
||||
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml"
|
||||
```bash
|
||||
# Install Traefik Resource Definitions:
|
||||
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
|
||||
|
||||
---
|
||||
--8<-- "content/reference/dynamic-configuration/kubernetes-crd-rbac.yml"
|
||||
# Install RBAC for Traefik:
|
||||
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
|
||||
```
|
||||
|
||||
### Services
|
||||
|
||||
Then, the services. One for Traefik itself, and one for the app it routes for, i.e. in this case our demo HTTP server: [whoami](https://github.com/traefik/whoami).
|
||||
|
||||
```bash
|
||||
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/user-guides/crd-acme/02-services.yml
|
||||
```
|
||||
|
||||
```yaml
|
||||
--8<-- "content/user-guides/crd-acme/02-services.yml"
|
||||
```
|
||||
@ -67,6 +72,10 @@ Then, the services. One for Traefik itself, and one for the app it routes for, i
|
||||
Next, the deployments, i.e. the actual pods behind the services.
|
||||
Again, one pod for Traefik, and one for the whoami app.
|
||||
|
||||
```bash
|
||||
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/user-guides/crd-acme/03-deployments.yml
|
||||
```
|
||||
|
||||
```yaml
|
||||
--8<-- "content/user-guides/crd-acme/03-deployments.yml"
|
||||
```
|
||||
@ -91,7 +100,7 @@ Look it up.
|
||||
We can now finally apply the actual ingressRoutes, with:
|
||||
|
||||
```bash
|
||||
kubectl apply -f 04-ingressroutes.yml
|
||||
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/user-guides/crd-acme/04-ingressroutes.yml
|
||||
```
|
||||
|
||||
```yaml
|
||||
@ -110,3 +119,16 @@ curl http://your.example.com:8000/notls
|
||||
```
|
||||
|
||||
Note that you'll have to use `-k` as long as you're using the staging server of Let's Encrypt, since it is not an authorized certificate authority on systems where it hasn't been manually added.
|
||||
|
||||
### Force TLS v1.2+
|
||||
|
||||
Nowadays, TLS v1.0 and v1.1 are deprecated.
|
||||
In order to force TLS v1.2 or later on all your IngressRoute, you can define the `default` TLSOption:
|
||||
|
||||
```bash
|
||||
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.7/docs/content/user-guides/crd-acme/05-tlsoption.yml
|
||||
```
|
||||
|
||||
```yaml
|
||||
--8<-- "content/user-guides/crd-acme/05-tlsoption.yml"
|
||||
```
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -124,6 +124,7 @@ func (w *WRRService) SetDefaults() {
|
||||
|
||||
// Sticky holds the sticky configuration.
|
||||
type Sticky struct {
|
||||
// Cookie defines the sticky cookie configuration.
|
||||
Cookie *Cookie `json:"cookie,omitempty" toml:"cookie,omitempty" yaml:"cookie,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
|
||||
}
|
||||
|
||||
@ -131,9 +132,14 @@ type Sticky struct {
|
||||
|
||||
// Cookie holds the sticky configuration based on cookie.
|
||||
type Cookie struct {
|
||||
Name string `json:"name,omitempty" toml:"name,omitempty" yaml:"name,omitempty" export:"true"`
|
||||
Secure bool `json:"secure,omitempty" toml:"secure,omitempty" yaml:"secure,omitempty" export:"true"`
|
||||
HTTPOnly bool `json:"httpOnly,omitempty" toml:"httpOnly,omitempty" yaml:"httpOnly,omitempty" export:"true"`
|
||||
// Name defines the Cookie name.
|
||||
Name string `json:"name,omitempty" toml:"name,omitempty" yaml:"name,omitempty" export:"true"`
|
||||
// Secure defines whether the cookie can only be transmitted over an encrypted connection (i.e. HTTPS).
|
||||
Secure bool `json:"secure,omitempty" toml:"secure,omitempty" yaml:"secure,omitempty" export:"true"`
|
||||
// HTTPOnly defines whether the cookie can be accessed by client-side APIs, such as JavaScript.
|
||||
HTTPOnly bool `json:"httpOnly,omitempty" toml:"httpOnly,omitempty" yaml:"httpOnly,omitempty" export:"true"`
|
||||
// SameSite defines the same site policy.
|
||||
// More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite
|
||||
SameSite string `json:"sameSite,omitempty" toml:"sameSite,omitempty" yaml:"sameSite,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
@ -178,8 +184,13 @@ func (l *ServersLoadBalancer) SetDefaults() {
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// ResponseForwarding holds configuration for the forward of the response.
|
||||
// ResponseForwarding holds the response forwarding configuration.
|
||||
type ResponseForwarding struct {
|
||||
// FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
|
||||
// A negative value means to flush immediately after each write to the client.
|
||||
// This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
|
||||
// for such responses, writes are flushed to the client immediately.
|
||||
// Default: 100ms
|
||||
FlushInterval string `json:"flushInterval,omitempty" toml:"flushInterval,omitempty" yaml:"flushInterval,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
|
@ -40,153 +40,250 @@ type Middleware struct {
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// ContentType middleware - or rather its unique `autoDetect` option -
|
||||
// specifies whether to let the `Content-Type` header,
|
||||
// if it has not been set by the backend,
|
||||
// be automatically set to a value derived from the contents of the response.
|
||||
// As a proxy, the default behavior should be to leave the header alone,
|
||||
// regardless of what the backend did with it.
|
||||
// However, the historic default was to always auto-detect and set the header if it was nil,
|
||||
// and it is going to be kept that way in order to support users currently relying on it.
|
||||
// ContentType holds the content-type middleware configuration.
|
||||
// This middleware exists to enable the correct behavior until at least the default one can be changed in a future version.
|
||||
type ContentType struct {
|
||||
// AutoDetect specifies whether to let the `Content-Type` header, if it has not been set by the backend,
|
||||
// be automatically set to a value derived from the contents of the response.
|
||||
// As a proxy, the default behavior should be to leave the header alone, regardless of what the backend did with it.
|
||||
// However, the historic default was to always auto-detect and set the header if it was nil,
|
||||
// and it is going to be kept that way in order to support users currently relying on it.
|
||||
AutoDetect bool `json:"autoDetect,omitempty" toml:"autoDetect,omitempty" yaml:"autoDetect,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// AddPrefix holds the AddPrefix configuration.
|
||||
// AddPrefix holds the add prefix middleware configuration.
|
||||
// This middleware updates the path of a request before forwarding it.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/addprefix/
|
||||
type AddPrefix struct {
|
||||
// Prefix is the string to add before the current path in the requested URL.
|
||||
// It should include a leading slash (/).
|
||||
Prefix string `json:"prefix,omitempty" toml:"prefix,omitempty" yaml:"prefix,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// BasicAuth holds the HTTP basic authentication configuration.
|
||||
// BasicAuth holds the basic auth middleware configuration.
|
||||
// This middleware restricts access to your services to known users.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/
|
||||
type BasicAuth struct {
|
||||
Users Users `json:"users,omitempty" toml:"users,omitempty" yaml:"users,omitempty" loggable:"false"`
|
||||
UsersFile string `json:"usersFile,omitempty" toml:"usersFile,omitempty" yaml:"usersFile,omitempty"`
|
||||
Realm string `json:"realm,omitempty" toml:"realm,omitempty" yaml:"realm,omitempty"`
|
||||
RemoveHeader bool `json:"removeHeader,omitempty" toml:"removeHeader,omitempty" yaml:"removeHeader,omitempty" export:"true"`
|
||||
HeaderField string `json:"headerField,omitempty" toml:"headerField,omitempty" yaml:"headerField,omitempty" export:"true"`
|
||||
// Users is an array of authorized users.
|
||||
// Each user must be declared using the name:hashed-password format.
|
||||
// Tip: Use htpasswd to generate the passwords.
|
||||
Users Users `json:"users,omitempty" toml:"users,omitempty" yaml:"users,omitempty" loggable:"false"`
|
||||
// UsersFile is the path to an external file that contains the authorized users.
|
||||
UsersFile string `json:"usersFile,omitempty" toml:"usersFile,omitempty" yaml:"usersFile,omitempty"`
|
||||
// Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
|
||||
// Default: traefik.
|
||||
Realm string `json:"realm,omitempty" toml:"realm,omitempty" yaml:"realm,omitempty"`
|
||||
// RemoveHeader sets the removeHeader option to true to remove the authorization header before forwarding the request to your service.
|
||||
// Default: false.
|
||||
RemoveHeader bool `json:"removeHeader,omitempty" toml:"removeHeader,omitempty" yaml:"removeHeader,omitempty" export:"true"`
|
||||
// HeaderField defines a header field to store the authenticated user.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield
|
||||
HeaderField string `json:"headerField,omitempty" toml:"headerField,omitempty" yaml:"headerField,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// Buffering holds the request/response buffering configuration.
|
||||
// Buffering holds the buffering middleware configuration.
|
||||
// This middleware retries or limits the size of requests that can be forwarded to backends.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/buffering/#maxrequestbodybytes
|
||||
type Buffering struct {
|
||||
MaxRequestBodyBytes int64 `json:"maxRequestBodyBytes,omitempty" toml:"maxRequestBodyBytes,omitempty" yaml:"maxRequestBodyBytes,omitempty" export:"true"`
|
||||
MemRequestBodyBytes int64 `json:"memRequestBodyBytes,omitempty" toml:"memRequestBodyBytes,omitempty" yaml:"memRequestBodyBytes,omitempty" export:"true"`
|
||||
MaxResponseBodyBytes int64 `json:"maxResponseBodyBytes,omitempty" toml:"maxResponseBodyBytes,omitempty" yaml:"maxResponseBodyBytes,omitempty" export:"true"`
|
||||
MemResponseBodyBytes int64 `json:"memResponseBodyBytes,omitempty" toml:"memResponseBodyBytes,omitempty" yaml:"memResponseBodyBytes,omitempty" export:"true"`
|
||||
RetryExpression string `json:"retryExpression,omitempty" toml:"retryExpression,omitempty" yaml:"retryExpression,omitempty" export:"true"`
|
||||
// MaxRequestBodyBytes defines the maximum allowed body size for the request (in bytes).
|
||||
// If the request exceeds the allowed size, it is not forwarded to the service, and the client gets a 413 (Request Entity Too Large) response.
|
||||
// Default: 0 (no maximum).
|
||||
MaxRequestBodyBytes int64 `json:"maxRequestBodyBytes,omitempty" toml:"maxRequestBodyBytes,omitempty" yaml:"maxRequestBodyBytes,omitempty" export:"true"`
|
||||
// MemRequestBodyBytes defines the threshold (in bytes) from which the request will be buffered on disk instead of in memory.
|
||||
// Default: 1048576 (1Mi).
|
||||
MemRequestBodyBytes int64 `json:"memRequestBodyBytes,omitempty" toml:"memRequestBodyBytes,omitempty" yaml:"memRequestBodyBytes,omitempty" export:"true"`
|
||||
// MaxResponseBodyBytes defines the maximum allowed response size from the service (in bytes).
|
||||
// If the response exceeds the allowed size, it is not forwarded to the client. The client gets a 500 (Internal Server Error) response instead.
|
||||
// Default: 0 (no maximum).
|
||||
MaxResponseBodyBytes int64 `json:"maxResponseBodyBytes,omitempty" toml:"maxResponseBodyBytes,omitempty" yaml:"maxResponseBodyBytes,omitempty" export:"true"`
|
||||
// MemResponseBodyBytes defines the threshold (in bytes) from which the response will be buffered on disk instead of in memory.
|
||||
// Default: 1048576 (1Mi).
|
||||
MemResponseBodyBytes int64 `json:"memResponseBodyBytes,omitempty" toml:"memResponseBodyBytes,omitempty" yaml:"memResponseBodyBytes,omitempty" export:"true"`
|
||||
// RetryExpression defines the retry conditions.
|
||||
// It is a logical combination of functions with operators AND (&&) and OR (||).
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/buffering/#retryexpression
|
||||
RetryExpression string `json:"retryExpression,omitempty" toml:"retryExpression,omitempty" yaml:"retryExpression,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// Chain holds a chain of middlewares.
|
||||
// Chain holds the chain middleware configuration.
|
||||
// This middleware enables to define reusable combinations of other pieces of middleware.
|
||||
type Chain struct {
|
||||
// Middlewares is the list of middleware names which composes the chain.
|
||||
Middlewares []string `json:"middlewares,omitempty" toml:"middlewares,omitempty" yaml:"middlewares,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// CircuitBreaker holds the circuit breaker configuration.
|
||||
// CircuitBreaker holds the circuit breaker middleware configuration.
|
||||
// This middleware protects the system from stacking requests to unhealthy services, resulting in cascading failures.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/circuitbreaker/
|
||||
type CircuitBreaker struct {
|
||||
// Expression defines the expression that, once matched, opens the circuit breaker and applies the fallback mechanism instead of calling the services.
|
||||
Expression string `json:"expression,omitempty" toml:"expression,omitempty" yaml:"expression,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// Compress holds the compress configuration.
|
||||
// Compress holds the compress middleware configuration.
|
||||
// This middleware compresses responses before sending them to the client, using gzip compression.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/compress/
|
||||
type Compress struct {
|
||||
// ExcludedContentTypes defines the list of content types to compare the Content-Type header of the incoming requests and responses before compressing.
|
||||
ExcludedContentTypes []string `json:"excludedContentTypes,omitempty" toml:"excludedContentTypes,omitempty" yaml:"excludedContentTypes,omitempty" export:"true"`
|
||||
MinResponseBodyBytes int `json:"minResponseBodyBytes,omitempty" toml:"minResponseBodyBytes,omitempty" yaml:"minResponseBodyBytes,omitempty" export:"true"`
|
||||
// MinResponseBodyBytes defines the minimum amount of bytes a response body must have to be compressed.
|
||||
// Default: 1024.
|
||||
MinResponseBodyBytes int `json:"minResponseBodyBytes,omitempty" toml:"minResponseBodyBytes,omitempty" yaml:"minResponseBodyBytes,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// DigestAuth holds the Digest HTTP authentication configuration.
|
||||
// DigestAuth holds the digest auth middleware configuration.
|
||||
// This middleware restricts access to your services to known users.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/digestauth/
|
||||
type DigestAuth struct {
|
||||
Users Users `json:"users,omitempty" toml:"users,omitempty" yaml:"users,omitempty" loggable:"false"`
|
||||
UsersFile string `json:"usersFile,omitempty" toml:"usersFile,omitempty" yaml:"usersFile,omitempty"`
|
||||
RemoveHeader bool `json:"removeHeader,omitempty" toml:"removeHeader,omitempty" yaml:"removeHeader,omitempty" export:"true"`
|
||||
Realm string `json:"realm,omitempty" toml:"realm,omitempty" yaml:"realm,omitempty"`
|
||||
HeaderField string `json:"headerField,omitempty" toml:"headerField,omitempty" yaml:"headerField,omitempty" export:"true"`
|
||||
// Users defines the authorized users.
|
||||
// Each user should be declared using the name:realm:encoded-password format.
|
||||
Users Users `json:"users,omitempty" toml:"users,omitempty" yaml:"users,omitempty" loggable:"false"`
|
||||
// UsersFile is the path to an external file that contains the authorized users for the middleware.
|
||||
UsersFile string `json:"usersFile,omitempty" toml:"usersFile,omitempty" yaml:"usersFile,omitempty"`
|
||||
// RemoveHeader defines whether to remove the authorization header before forwarding the request to the backend.
|
||||
RemoveHeader bool `json:"removeHeader,omitempty" toml:"removeHeader,omitempty" yaml:"removeHeader,omitempty" export:"true"`
|
||||
// Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
|
||||
// Default: traefik.
|
||||
Realm string `json:"realm,omitempty" toml:"realm,omitempty" yaml:"realm,omitempty"`
|
||||
// HeaderField defines a header field to store the authenticated user.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield
|
||||
HeaderField string `json:"headerField,omitempty" toml:"headerField,omitempty" yaml:"headerField,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// ErrorPage holds the custom error page configuration.
|
||||
// ErrorPage holds the custom error middleware configuration.
|
||||
// This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
|
||||
type ErrorPage struct {
|
||||
Status []string `json:"status,omitempty" toml:"status,omitempty" yaml:"status,omitempty" export:"true"`
|
||||
Service string `json:"service,omitempty" toml:"service,omitempty" yaml:"service,omitempty" export:"true"`
|
||||
Query string `json:"query,omitempty" toml:"query,omitempty" yaml:"query,omitempty" export:"true"`
|
||||
// Status defines which status or range of statuses should result in an error page.
|
||||
// It can be either a status code as a number (500),
|
||||
// as multiple comma-separated numbers (500,502),
|
||||
// as ranges by separating two codes with a dash (500-599),
|
||||
// or a combination of the two (404,418,500-599).
|
||||
Status []string `json:"status,omitempty" toml:"status,omitempty" yaml:"status,omitempty" export:"true"`
|
||||
// Service defines the name of the service that will serve the error page.
|
||||
Service string `json:"service,omitempty" toml:"service,omitempty" yaml:"service,omitempty" export:"true"`
|
||||
// Query defines the URL for the error page (hosted by service).
|
||||
// The {status} variable can be used in order to insert the status code in the URL.
|
||||
Query string `json:"query,omitempty" toml:"query,omitempty" yaml:"query,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// ForwardAuth holds the http forward authentication configuration.
|
||||
// ForwardAuth holds the forward auth middleware configuration.
|
||||
// This middleware delegates the request authentication to a Service.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/
|
||||
type ForwardAuth struct {
|
||||
Address string `json:"address,omitempty" toml:"address,omitempty" yaml:"address,omitempty"`
|
||||
TLS *types.ClientTLS `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" export:"true"`
|
||||
TrustForwardHeader bool `json:"trustForwardHeader,omitempty" toml:"trustForwardHeader,omitempty" yaml:"trustForwardHeader,omitempty" export:"true"`
|
||||
AuthResponseHeaders []string `json:"authResponseHeaders,omitempty" toml:"authResponseHeaders,omitempty" yaml:"authResponseHeaders,omitempty" export:"true"`
|
||||
AuthResponseHeadersRegex string `json:"authResponseHeadersRegex,omitempty" toml:"authResponseHeadersRegex,omitempty" yaml:"authResponseHeadersRegex,omitempty" export:"true"`
|
||||
AuthRequestHeaders []string `json:"authRequestHeaders,omitempty" toml:"authRequestHeaders,omitempty" yaml:"authRequestHeaders,omitempty" export:"true"`
|
||||
// Address defines the authentication server address.
|
||||
Address string `json:"address,omitempty" toml:"address,omitempty" yaml:"address,omitempty"`
|
||||
// TLS defines the configuration used to secure the connection to the authentication server.
|
||||
TLS *types.ClientTLS `json:"tls,omitempty" toml:"tls,omitempty" yaml:"tls,omitempty" export:"true"`
|
||||
// TrustForwardHeader defines whether to trust (ie: forward) all X-Forwarded-* headers.
|
||||
TrustForwardHeader bool `json:"trustForwardHeader,omitempty" toml:"trustForwardHeader,omitempty" yaml:"trustForwardHeader,omitempty" export:"true"`
|
||||
// AuthResponseHeaders defines the list of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.
|
||||
AuthResponseHeaders []string `json:"authResponseHeaders,omitempty" toml:"authResponseHeaders,omitempty" yaml:"authResponseHeaders,omitempty" export:"true"`
|
||||
// AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/#authresponseheadersregex
|
||||
AuthResponseHeadersRegex string `json:"authResponseHeadersRegex,omitempty" toml:"authResponseHeadersRegex,omitempty" yaml:"authResponseHeadersRegex,omitempty" export:"true"`
|
||||
// AuthRequestHeaders defines the list of the headers to copy from the request to the authentication server.
|
||||
// If not set or empty then all request headers are passed.
|
||||
AuthRequestHeaders []string `json:"authRequestHeaders,omitempty" toml:"authRequestHeaders,omitempty" yaml:"authRequestHeaders,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// Headers holds the custom header configuration.
|
||||
// Headers holds the headers middleware configuration.
|
||||
// This middleware manages the requests and responses headers.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/headers/#customrequestheaders
|
||||
type Headers struct {
|
||||
CustomRequestHeaders map[string]string `json:"customRequestHeaders,omitempty" toml:"customRequestHeaders,omitempty" yaml:"customRequestHeaders,omitempty" export:"true"`
|
||||
// CustomRequestHeaders defines the header names and values to apply to the request.
|
||||
CustomRequestHeaders map[string]string `json:"customRequestHeaders,omitempty" toml:"customRequestHeaders,omitempty" yaml:"customRequestHeaders,omitempty" export:"true"`
|
||||
// CustomResponseHeaders defines the header names and values to apply to the response.
|
||||
CustomResponseHeaders map[string]string `json:"customResponseHeaders,omitempty" toml:"customResponseHeaders,omitempty" yaml:"customResponseHeaders,omitempty" export:"true"`
|
||||
|
||||
// AccessControlAllowCredentials is only valid if true. false is ignored.
|
||||
// AccessControlAllowCredentials defines whether the request can include user credentials.
|
||||
AccessControlAllowCredentials bool `json:"accessControlAllowCredentials,omitempty" toml:"accessControlAllowCredentials,omitempty" yaml:"accessControlAllowCredentials,omitempty" export:"true"`
|
||||
// AccessControlAllowHeaders must be used in response to a preflight request with Access-Control-Request-Headers set.
|
||||
// AccessControlAllowHeaders defines the Access-Control-Request-Headers values sent in preflight response.
|
||||
AccessControlAllowHeaders []string `json:"accessControlAllowHeaders,omitempty" toml:"accessControlAllowHeaders,omitempty" yaml:"accessControlAllowHeaders,omitempty" export:"true"`
|
||||
// AccessControlAllowMethods must be used in response to a preflight request with Access-Control-Request-Method set.
|
||||
// AccessControlAllowMethods defines the Access-Control-Request-Method values sent in preflight response.
|
||||
AccessControlAllowMethods []string `json:"accessControlAllowMethods,omitempty" toml:"accessControlAllowMethods,omitempty" yaml:"accessControlAllowMethods,omitempty" export:"true"`
|
||||
// AccessControlAllowOriginList is a list of allowable origins. Can also be a wildcard origin "*".
|
||||
AccessControlAllowOriginList []string `json:"accessControlAllowOriginList,omitempty" toml:"accessControlAllowOriginList,omitempty" yaml:"accessControlAllowOriginList,omitempty"`
|
||||
// AccessControlAllowOriginListRegex is a list of allowable origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/).
|
||||
AccessControlAllowOriginListRegex []string `json:"accessControlAllowOriginListRegex,omitempty" toml:"accessControlAllowOriginListRegex,omitempty" yaml:"accessControlAllowOriginListRegex,omitempty"`
|
||||
// AccessControlExposeHeaders sets valid headers for the response.
|
||||
// AccessControlExposeHeaders defines the Access-Control-Expose-Headers values sent in preflight response.
|
||||
AccessControlExposeHeaders []string `json:"accessControlExposeHeaders,omitempty" toml:"accessControlExposeHeaders,omitempty" yaml:"accessControlExposeHeaders,omitempty" export:"true"`
|
||||
// AccessControlMaxAge sets the time that a preflight request may be cached.
|
||||
// AccessControlMaxAge defines the time that a preflight request may be cached.
|
||||
AccessControlMaxAge int64 `json:"accessControlMaxAge,omitempty" toml:"accessControlMaxAge,omitempty" yaml:"accessControlMaxAge,omitempty" export:"true"`
|
||||
// AddVaryHeader controls if the Vary header is automatically added/updated when the AccessControlAllowOriginList is set.
|
||||
// AddVaryHeader defines whether the Vary header is automatically added/updated when the AccessControlAllowOriginList is set.
|
||||
AddVaryHeader bool `json:"addVaryHeader,omitempty" toml:"addVaryHeader,omitempty" yaml:"addVaryHeader,omitempty" export:"true"`
|
||||
|
||||
AllowedHosts []string `json:"allowedHosts,omitempty" toml:"allowedHosts,omitempty" yaml:"allowedHosts,omitempty"`
|
||||
// AllowedHosts defines the fully qualified list of allowed domain names.
|
||||
AllowedHosts []string `json:"allowedHosts,omitempty" toml:"allowedHosts,omitempty" yaml:"allowedHosts,omitempty"`
|
||||
// HostsProxyHeaders defines the header keys that may hold a proxied hostname value for the request.
|
||||
HostsProxyHeaders []string `json:"hostsProxyHeaders,omitempty" toml:"hostsProxyHeaders,omitempty" yaml:"hostsProxyHeaders,omitempty" export:"true"`
|
||||
// Deprecated: use EntryPoint redirection or RedirectScheme instead.
|
||||
SSLRedirect bool `json:"sslRedirect,omitempty" toml:"sslRedirect,omitempty" yaml:"sslRedirect,omitempty" export:"true"`
|
||||
// Deprecated: use EntryPoint redirection or RedirectScheme instead.
|
||||
SSLTemporaryRedirect bool `json:"sslTemporaryRedirect,omitempty" toml:"sslTemporaryRedirect,omitempty" yaml:"sslTemporaryRedirect,omitempty" export:"true"`
|
||||
// Deprecated: use RedirectRegex instead.
|
||||
SSLHost string `json:"sslHost,omitempty" toml:"sslHost,omitempty" yaml:"sslHost,omitempty"`
|
||||
SSLHost string `json:"sslHost,omitempty" toml:"sslHost,omitempty" yaml:"sslHost,omitempty"`
|
||||
// SSLProxyHeaders defines the header keys with associated values that would indicate a valid HTTPS request.
|
||||
// It can be useful when using other proxies (example: "X-Forwarded-Proto": "https").
|
||||
SSLProxyHeaders map[string]string `json:"sslProxyHeaders,omitempty" toml:"sslProxyHeaders,omitempty" yaml:"sslProxyHeaders,omitempty"`
|
||||
// Deprecated: use RedirectRegex instead.
|
||||
SSLForceHost bool `json:"sslForceHost,omitempty" toml:"sslForceHost,omitempty" yaml:"sslForceHost,omitempty" export:"true"`
|
||||
STSSeconds int64 `json:"stsSeconds,omitempty" toml:"stsSeconds,omitempty" yaml:"stsSeconds,omitempty" export:"true"`
|
||||
STSIncludeSubdomains bool `json:"stsIncludeSubdomains,omitempty" toml:"stsIncludeSubdomains,omitempty" yaml:"stsIncludeSubdomains,omitempty" export:"true"`
|
||||
STSPreload bool `json:"stsPreload,omitempty" toml:"stsPreload,omitempty" yaml:"stsPreload,omitempty" export:"true"`
|
||||
ForceSTSHeader bool `json:"forceSTSHeader,omitempty" toml:"forceSTSHeader,omitempty" yaml:"forceSTSHeader,omitempty" export:"true"`
|
||||
FrameDeny bool `json:"frameDeny,omitempty" toml:"frameDeny,omitempty" yaml:"frameDeny,omitempty" export:"true"`
|
||||
SSLForceHost bool `json:"sslForceHost,omitempty" toml:"sslForceHost,omitempty" yaml:"sslForceHost,omitempty" export:"true"`
|
||||
// STSSeconds defines the max-age of the Strict-Transport-Security header.
|
||||
// If set to 0, the header is not set.
|
||||
STSSeconds int64 `json:"stsSeconds,omitempty" toml:"stsSeconds,omitempty" yaml:"stsSeconds,omitempty" export:"true"`
|
||||
// STSIncludeSubdomains defines whether the includeSubDomains directive is appended to the Strict-Transport-Security header.
|
||||
STSIncludeSubdomains bool `json:"stsIncludeSubdomains,omitempty" toml:"stsIncludeSubdomains,omitempty" yaml:"stsIncludeSubdomains,omitempty" export:"true"`
|
||||
// STSPreload defines whether the preload flag is appended to the Strict-Transport-Security header.
|
||||
STSPreload bool `json:"stsPreload,omitempty" toml:"stsPreload,omitempty" yaml:"stsPreload,omitempty" export:"true"`
|
||||
// ForceSTSHeader defines whether to add the STS header even when the connection is HTTP.
|
||||
ForceSTSHeader bool `json:"forceSTSHeader,omitempty" toml:"forceSTSHeader,omitempty" yaml:"forceSTSHeader,omitempty" export:"true"`
|
||||
// FrameDeny defines whether to add the X-Frame-Options header with the DENY value.
|
||||
FrameDeny bool `json:"frameDeny,omitempty" toml:"frameDeny,omitempty" yaml:"frameDeny,omitempty" export:"true"`
|
||||
// CustomFrameOptionsValue defines the X-Frame-Options header value.
|
||||
// This overrides the FrameDeny option.
|
||||
CustomFrameOptionsValue string `json:"customFrameOptionsValue,omitempty" toml:"customFrameOptionsValue,omitempty" yaml:"customFrameOptionsValue,omitempty"`
|
||||
ContentTypeNosniff bool `json:"contentTypeNosniff,omitempty" toml:"contentTypeNosniff,omitempty" yaml:"contentTypeNosniff,omitempty" export:"true"`
|
||||
BrowserXSSFilter bool `json:"browserXssFilter,omitempty" toml:"browserXssFilter,omitempty" yaml:"browserXssFilter,omitempty" export:"true"`
|
||||
CustomBrowserXSSValue string `json:"customBrowserXSSValue,omitempty" toml:"customBrowserXSSValue,omitempty" yaml:"customBrowserXSSValue,omitempty"`
|
||||
ContentSecurityPolicy string `json:"contentSecurityPolicy,omitempty" toml:"contentSecurityPolicy,omitempty" yaml:"contentSecurityPolicy,omitempty"`
|
||||
PublicKey string `json:"publicKey,omitempty" toml:"publicKey,omitempty" yaml:"publicKey,omitempty"`
|
||||
ReferrerPolicy string `json:"referrerPolicy,omitempty" toml:"referrerPolicy,omitempty" yaml:"referrerPolicy,omitempty" export:"true"`
|
||||
// ContentTypeNosniff defines whether to add the X-Content-Type-Options header with the nosniff value.
|
||||
ContentTypeNosniff bool `json:"contentTypeNosniff,omitempty" toml:"contentTypeNosniff,omitempty" yaml:"contentTypeNosniff,omitempty" export:"true"`
|
||||
// BrowserXSSFilter defines whether to add the X-XSS-Protection header with the value 1; mode=block.
|
||||
BrowserXSSFilter bool `json:"browserXssFilter,omitempty" toml:"browserXssFilter,omitempty" yaml:"browserXssFilter,omitempty" export:"true"`
|
||||
// CustomBrowserXSSValue defines the X-XSS-Protection header value.
|
||||
// This overrides the BrowserXssFilter option.
|
||||
CustomBrowserXSSValue string `json:"customBrowserXSSValue,omitempty" toml:"customBrowserXSSValue,omitempty" yaml:"customBrowserXSSValue,omitempty"`
|
||||
// ContentSecurityPolicy defines the Content-Security-Policy header value.
|
||||
ContentSecurityPolicy string `json:"contentSecurityPolicy,omitempty" toml:"contentSecurityPolicy,omitempty" yaml:"contentSecurityPolicy,omitempty"`
|
||||
// PublicKey is the public key that implements HPKP to prevent MITM attacks with forged certificates.
|
||||
PublicKey string `json:"publicKey,omitempty" toml:"publicKey,omitempty" yaml:"publicKey,omitempty"`
|
||||
// ReferrerPolicy defines the Referrer-Policy header value.
|
||||
// This allows sites to control whether browsers forward the Referer header to other sites.
|
||||
ReferrerPolicy string `json:"referrerPolicy,omitempty" toml:"referrerPolicy,omitempty" yaml:"referrerPolicy,omitempty" export:"true"`
|
||||
// Deprecated: use PermissionsPolicy instead.
|
||||
FeaturePolicy string `json:"featurePolicy,omitempty" toml:"featurePolicy,omitempty" yaml:"featurePolicy,omitempty" export:"true"`
|
||||
FeaturePolicy string `json:"featurePolicy,omitempty" toml:"featurePolicy,omitempty" yaml:"featurePolicy,omitempty" export:"true"`
|
||||
// PermissionsPolicy defines the Permissions-Policy header value.
|
||||
// This allows sites to control browser features.
|
||||
PermissionsPolicy string `json:"permissionsPolicy,omitempty" toml:"permissionsPolicy,omitempty" yaml:"permissionsPolicy,omitempty" export:"true"`
|
||||
IsDevelopment bool `json:"isDevelopment,omitempty" toml:"isDevelopment,omitempty" yaml:"isDevelopment,omitempty" export:"true"`
|
||||
// IsDevelopment defines whether to mitigate the unwanted effects of the AllowedHosts, SSL, and STS options when developing.
|
||||
// Usually testing takes place using HTTP, not HTTPS, and on localhost, not your production domain.
|
||||
// If you would like your development environment to mimic production with complete Host blocking, SSL redirects,
|
||||
// and STS headers, leave this as false.
|
||||
IsDevelopment bool `json:"isDevelopment,omitempty" toml:"isDevelopment,omitempty" yaml:"isDevelopment,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// HasCustomHeadersDefined checks to see if any of the custom header elements have been set.
|
||||
@ -235,9 +332,12 @@ func (h *Headers) HasSecureHeadersDefined() bool {
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// IPStrategy holds the ip strategy configuration.
|
||||
// IPStrategy holds the IP strategy configuration used by Traefik to determine the client IP.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/#ipstrategy
|
||||
type IPStrategy struct {
|
||||
Depth int `json:"depth,omitempty" toml:"depth,omitempty" yaml:"depth,omitempty" export:"true"`
|
||||
// Depth tells Traefik to use the X-Forwarded-For header and take the IP located at the depth position (starting from the right).
|
||||
Depth int `json:"depth,omitempty" toml:"depth,omitempty" yaml:"depth,omitempty" export:"true"`
|
||||
// ExcludedIPs configures Traefik to scan the X-Forwarded-For header and select the first IP not in the list.
|
||||
ExcludedIPs []string `json:"excludedIPs,omitempty" toml:"excludedIPs,omitempty" yaml:"excludedIPs,omitempty"`
|
||||
// TODO(mpl): I think we should make RemoteAddr an explicit field. For one thing, it would yield better documentation.
|
||||
}
|
||||
@ -272,25 +372,40 @@ func (s *IPStrategy) Get() (ip.Strategy, error) {
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// IPWhiteList holds the ip white list configuration.
|
||||
// IPWhiteList holds the IP whitelist middleware configuration.
|
||||
// This middleware accepts / refuses requests based on the client IP.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ipwhitelist/
|
||||
type IPWhiteList struct {
|
||||
// SourceRange defines the set of allowed IPs (or ranges of allowed IPs by using CIDR notation).
|
||||
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
|
||||
IPStrategy *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty" label:"allowEmpty" file:"allowEmpty" kv:"allowEmpty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// InFlightReq limits the number of requests being processed and served concurrently.
|
||||
// InFlightReq holds the in-flight request middleware configuration.
|
||||
// This middleware limits the number of requests being processed and served concurrently.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/inflightreq/
|
||||
type InFlightReq struct {
|
||||
Amount int64 `json:"amount,omitempty" toml:"amount,omitempty" yaml:"amount,omitempty" export:"true"`
|
||||
// Amount defines the maximum amount of allowed simultaneous in-flight request.
|
||||
// The middleware responds with HTTP 429 Too Many Requests if there are already amount requests in progress (based on the same sourceCriterion strategy).
|
||||
Amount int64 `json:"amount,omitempty" toml:"amount,omitempty" yaml:"amount,omitempty" export:"true"`
|
||||
// SourceCriterion defines what criterion is used to group requests as originating from a common source.
|
||||
// If several strategies are defined at the same time, an error will be raised.
|
||||
// If none are set, the default is to use the requestHost.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/inflightreq/#sourcecriterion
|
||||
SourceCriterion *SourceCriterion `json:"sourceCriterion,omitempty" toml:"sourceCriterion,omitempty" yaml:"sourceCriterion,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// PassTLSClientCert holds the TLS client cert headers configuration.
|
||||
// PassTLSClientCert holds the pass TLS client cert middleware configuration.
|
||||
// This middleware adds the selected data from the passed client TLS certificate to a header.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/passtlsclientcert/
|
||||
type PassTLSClientCert struct {
|
||||
PEM bool `json:"pem,omitempty" toml:"pem,omitempty" yaml:"pem,omitempty" export:"true"`
|
||||
// PEM sets the X-Forwarded-Tls-Client-Cert header with the escaped certificate.
|
||||
PEM bool `json:"pem,omitempty" toml:"pem,omitempty" yaml:"pem,omitempty" export:"true"`
|
||||
// Info selects the specific client certificate details you want to add to the X-Forwarded-Tls-Client-Cert-Info header.
|
||||
Info *TLSClientCertificateInfo `json:"info,omitempty" toml:"info,omitempty" yaml:"info,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
@ -300,14 +415,17 @@ type PassTLSClientCert struct {
|
||||
// If none are set, the default is to use the request's remote address field.
|
||||
// All fields are mutually exclusive.
|
||||
type SourceCriterion struct {
|
||||
IPStrategy *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty" export:"true"`
|
||||
RequestHeaderName string `json:"requestHeaderName,omitempty" toml:"requestHeaderName,omitempty" yaml:"requestHeaderName,omitempty" export:"true"`
|
||||
RequestHost bool `json:"requestHost,omitempty" toml:"requestHost,omitempty" yaml:"requestHost,omitempty" export:"true"`
|
||||
IPStrategy *IPStrategy `json:"ipStrategy,omitempty" toml:"ipStrategy,omitempty" yaml:"ipStrategy,omitempty" export:"true"`
|
||||
// RequestHeaderName defines the name of the header used to group incoming requests.
|
||||
RequestHeaderName string `json:"requestHeaderName,omitempty" toml:"requestHeaderName,omitempty" yaml:"requestHeaderName,omitempty" export:"true"`
|
||||
// RequestHost defines whether to consider the request Host as the source.
|
||||
RequestHost bool `json:"requestHost,omitempty" toml:"requestHost,omitempty" yaml:"requestHost,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// RateLimit holds the rate limiting configuration for a given router.
|
||||
// RateLimit holds the rate limit configuration.
|
||||
// This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
|
||||
type RateLimit struct {
|
||||
// Average is the maximum rate, by default in requests/s, allowed for the given source.
|
||||
// It defaults to 0, which means no rate limiting.
|
||||
@ -323,6 +441,9 @@ type RateLimit struct {
|
||||
// It defaults to 1.
|
||||
Burst int64 `json:"burst,omitempty" toml:"burst,omitempty" yaml:"burst,omitempty" export:"true"`
|
||||
|
||||
// SourceCriterion defines what criterion is used to group requests as originating from a common source.
|
||||
// If several strategies are defined at the same time, an error will be raised.
|
||||
// If none are set, the default is to use the request's remote address field (as an ipStrategy).
|
||||
SourceCriterion *SourceCriterion `json:"sourceCriterion,omitempty" toml:"sourceCriterion,omitempty" yaml:"sourceCriterion,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
@ -334,51 +455,82 @@ func (r *RateLimit) SetDefaults() {
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// RedirectRegex holds the redirection configuration.
|
||||
// RedirectRegex holds the redirect regex middleware configuration.
|
||||
// This middleware redirects a request using regex matching and replacement.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/redirectregex/#regex
|
||||
type RedirectRegex struct {
|
||||
Regex string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty"`
|
||||
// Regex defines the regex used to match and capture elements from the request URL.
|
||||
Regex string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty"`
|
||||
// Replacement defines how to modify the URL to have the new target URL.
|
||||
Replacement string `json:"replacement,omitempty" toml:"replacement,omitempty" yaml:"replacement,omitempty"`
|
||||
Permanent bool `json:"permanent,omitempty" toml:"permanent,omitempty" yaml:"permanent,omitempty" export:"true"`
|
||||
// Permanent defines whether the redirection is permanent (301).
|
||||
Permanent bool `json:"permanent,omitempty" toml:"permanent,omitempty" yaml:"permanent,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// RedirectScheme holds the scheme redirection configuration.
|
||||
// RedirectScheme holds the redirect scheme middleware configuration.
|
||||
// This middleware redirects requests from a scheme/port to another.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/redirectscheme/
|
||||
type RedirectScheme struct {
|
||||
Scheme string `json:"scheme,omitempty" toml:"scheme,omitempty" yaml:"scheme,omitempty" export:"true"`
|
||||
Port string `json:"port,omitempty" toml:"port,omitempty" yaml:"port,omitempty" export:"true"`
|
||||
Permanent bool `json:"permanent,omitempty" toml:"permanent,omitempty" yaml:"permanent,omitempty" export:"true"`
|
||||
// Scheme defines the scheme of the new URL.
|
||||
Scheme string `json:"scheme,omitempty" toml:"scheme,omitempty" yaml:"scheme,omitempty" export:"true"`
|
||||
// Port defines the port of the new URL.
|
||||
Port string `json:"port,omitempty" toml:"port,omitempty" yaml:"port,omitempty" export:"true"`
|
||||
// Permanent defines whether the redirection is permanent (301).
|
||||
Permanent bool `json:"permanent,omitempty" toml:"permanent,omitempty" yaml:"permanent,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// ReplacePath holds the ReplacePath configuration.
|
||||
// ReplacePath holds the replace path middleware configuration.
|
||||
// This middleware replaces the path of the request URL and store the original path in an X-Replaced-Path header.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/replacepath/
|
||||
type ReplacePath struct {
|
||||
// Path defines the path to use as replacement in the request URL.
|
||||
Path string `json:"path,omitempty" toml:"path,omitempty" yaml:"path,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// ReplacePathRegex holds the ReplacePathRegex configuration.
|
||||
// ReplacePathRegex holds the replace path regex middleware configuration.
|
||||
// This middleware replaces the path of a URL using regex matching and replacement.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/replacepathregex/
|
||||
type ReplacePathRegex struct {
|
||||
Regex string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty" export:"true"`
|
||||
// Regex defines the regular expression used to match and capture the path from the request URL.
|
||||
Regex string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty" export:"true"`
|
||||
// Replacement defines the replacement path format, which can include captured variables.
|
||||
Replacement string `json:"replacement,omitempty" toml:"replacement,omitempty" yaml:"replacement,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// Retry holds the retry configuration.
|
||||
// Retry holds the retry middleware configuration.
|
||||
// This middleware reissues requests a given number of times to a backend server if that server does not reply.
|
||||
// As soon as the server answers, the middleware stops retrying, regardless of the response status.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/retry/
|
||||
type Retry struct {
|
||||
Attempts int `json:"attempts,omitempty" toml:"attempts,omitempty" yaml:"attempts,omitempty" export:"true"`
|
||||
// Attempts defines how many times the request should be retried.
|
||||
Attempts int `json:"attempts,omitempty" toml:"attempts,omitempty" yaml:"attempts,omitempty" export:"true"`
|
||||
// InitialInterval defines the first wait time in the exponential backoff series.
|
||||
// The maximum interval is calculated as twice the initialInterval.
|
||||
// If unspecified, requests will be retried immediately.
|
||||
// The value of initialInterval should be provided in seconds or as a valid duration format,
|
||||
// see https://pkg.go.dev/time#ParseDuration.
|
||||
InitialInterval ptypes.Duration `json:"initialInterval,omitempty" toml:"initialInterval,omitempty" yaml:"initialInterval,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// StripPrefix holds the StripPrefix configuration.
|
||||
// StripPrefix holds the strip prefix middleware configuration.
|
||||
// This middleware removes the specified prefixes from the URL path.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/stripprefix/
|
||||
type StripPrefix struct {
|
||||
Prefixes []string `json:"prefixes,omitempty" toml:"prefixes,omitempty" yaml:"prefixes,omitempty" export:"true"`
|
||||
ForceSlash bool `json:"forceSlash,omitempty" toml:"forceSlash,omitempty" yaml:"forceSlash,omitempty" export:"true"` // Deprecated
|
||||
// Prefixes defines the prefixes to strip from the request URL.
|
||||
Prefixes []string `json:"prefixes,omitempty" toml:"prefixes,omitempty" yaml:"prefixes,omitempty" export:"true"`
|
||||
// ForceSlash ensures that the resulting stripped path is not the empty string, by replacing it with / when necessary.
|
||||
// Default: true.
|
||||
ForceSlash bool `json:"forceSlash,omitempty" toml:"forceSlash,omitempty" yaml:"forceSlash,omitempty" export:"true"` // Deprecated
|
||||
}
|
||||
|
||||
// SetDefaults Default values for a StripPrefix.
|
||||
@ -388,8 +540,11 @@ func (s *StripPrefix) SetDefaults() {
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// StripPrefixRegex holds the StripPrefixRegex configuration.
|
||||
// StripPrefixRegex holds the strip prefix regex middleware configuration.
|
||||
// This middleware removes the matching prefixes from the URL path.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/stripprefixregex/
|
||||
type StripPrefixRegex struct {
|
||||
// Regex defines the regular expression to match the path prefix from the request URL.
|
||||
Regex []string `json:"regex,omitempty" toml:"regex,omitempty" yaml:"regex,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
@ -397,12 +552,18 @@ type StripPrefixRegex struct {
|
||||
|
||||
// TLSClientCertificateInfo holds the client TLS certificate info configuration.
|
||||
type TLSClientCertificateInfo struct {
|
||||
NotAfter bool `json:"notAfter,omitempty" toml:"notAfter,omitempty" yaml:"notAfter,omitempty" export:"true"`
|
||||
NotBefore bool `json:"notBefore,omitempty" toml:"notBefore,omitempty" yaml:"notBefore,omitempty" export:"true"`
|
||||
Sans bool `json:"sans,omitempty" toml:"sans,omitempty" yaml:"sans,omitempty" export:"true"`
|
||||
Subject *TLSClientCertificateSubjectDNInfo `json:"subject,omitempty" toml:"subject,omitempty" yaml:"subject,omitempty" export:"true"`
|
||||
Issuer *TLSClientCertificateIssuerDNInfo `json:"issuer,omitempty" toml:"issuer,omitempty" yaml:"issuer,omitempty" export:"true"`
|
||||
SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"`
|
||||
// NotAfter defines whether to add the Not After information from the Validity part.
|
||||
NotAfter bool `json:"notAfter,omitempty" toml:"notAfter,omitempty" yaml:"notAfter,omitempty" export:"true"`
|
||||
// NotBefore defines whether to add the Not Before information from the Validity part.
|
||||
NotBefore bool `json:"notBefore,omitempty" toml:"notBefore,omitempty" yaml:"notBefore,omitempty" export:"true"`
|
||||
// Sans defines whether to add the Subject Alternative Name information from the Subject Alternative Name part.
|
||||
Sans bool `json:"sans,omitempty" toml:"sans,omitempty" yaml:"sans,omitempty" export:"true"`
|
||||
// SerialNumber defines whether to add the client serialNumber information.
|
||||
SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"`
|
||||
// Subject defines the client certificate subject details to add to the X-Forwarded-Tls-Client-Cert-Info header.
|
||||
Subject *TLSClientCertificateSubjectDNInfo `json:"subject,omitempty" toml:"subject,omitempty" yaml:"subject,omitempty" export:"true"`
|
||||
// Issuer defines the client certificate issuer details to add to the X-Forwarded-Tls-Client-Cert-Info header.
|
||||
Issuer *TLSClientCertificateIssuerDNInfo `json:"issuer,omitempty" toml:"issuer,omitempty" yaml:"issuer,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
@ -410,12 +571,19 @@ type TLSClientCertificateInfo struct {
|
||||
// TLSClientCertificateIssuerDNInfo holds the client TLS certificate distinguished name info configuration.
|
||||
// cf https://tools.ietf.org/html/rfc3739
|
||||
type TLSClientCertificateIssuerDNInfo struct {
|
||||
Country bool `json:"country,omitempty" toml:"country,omitempty" yaml:"country,omitempty" export:"true"`
|
||||
Province bool `json:"province,omitempty" toml:"province,omitempty" yaml:"province,omitempty" export:"true"`
|
||||
Locality bool `json:"locality,omitempty" toml:"locality,omitempty" yaml:"locality,omitempty" export:"true"`
|
||||
Organization bool `json:"organization,omitempty" toml:"organization,omitempty" yaml:"organization,omitempty" export:"true"`
|
||||
CommonName bool `json:"commonName,omitempty" toml:"commonName,omitempty" yaml:"commonName,omitempty" export:"true"`
|
||||
SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"`
|
||||
// Country defines whether to add the country information into the issuer.
|
||||
Country bool `json:"country,omitempty" toml:"country,omitempty" yaml:"country,omitempty" export:"true"`
|
||||
// Province defines whether to add the province information into the issuer.
|
||||
Province bool `json:"province,omitempty" toml:"province,omitempty" yaml:"province,omitempty" export:"true"`
|
||||
// Locality defines whether to add the locality information into the issuer.
|
||||
Locality bool `json:"locality,omitempty" toml:"locality,omitempty" yaml:"locality,omitempty" export:"true"`
|
||||
// Organization defines whether to add the organization information into the issuer.
|
||||
Organization bool `json:"organization,omitempty" toml:"organization,omitempty" yaml:"organization,omitempty" export:"true"`
|
||||
// CommonName defines whether to add the organizationalUnit information into the issuer.
|
||||
CommonName bool `json:"commonName,omitempty" toml:"commonName,omitempty" yaml:"commonName,omitempty" export:"true"`
|
||||
// SerialNumber defines whether to add the serialNumber information into the issuer.
|
||||
SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"`
|
||||
// DomainComponent defines whether to add the domainComponent information into the issuer.
|
||||
DomainComponent bool `json:"domainComponent,omitempty" toml:"domainComponent,omitempty" yaml:"domainComponent,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
@ -424,14 +592,22 @@ type TLSClientCertificateIssuerDNInfo struct {
|
||||
// TLSClientCertificateSubjectDNInfo holds the client TLS certificate distinguished name info configuration.
|
||||
// cf https://tools.ietf.org/html/rfc3739
|
||||
type TLSClientCertificateSubjectDNInfo struct {
|
||||
Country bool `json:"country,omitempty" toml:"country,omitempty" yaml:"country,omitempty" export:"true"`
|
||||
Province bool `json:"province,omitempty" toml:"province,omitempty" yaml:"province,omitempty" export:"true"`
|
||||
Locality bool `json:"locality,omitempty" toml:"locality,omitempty" yaml:"locality,omitempty" export:"true"`
|
||||
Organization bool `json:"organization,omitempty" toml:"organization,omitempty" yaml:"organization,omitempty" export:"true"`
|
||||
// Country defines whether to add the country information into the subject.
|
||||
Country bool `json:"country,omitempty" toml:"country,omitempty" yaml:"country,omitempty" export:"true"`
|
||||
// Province defines whether to add the province information into the subject.
|
||||
Province bool `json:"province,omitempty" toml:"province,omitempty" yaml:"province,omitempty" export:"true"`
|
||||
// Locality defines whether to add the locality information into the subject.
|
||||
Locality bool `json:"locality,omitempty" toml:"locality,omitempty" yaml:"locality,omitempty" export:"true"`
|
||||
// Organization defines whether to add the organization information into the subject.
|
||||
Organization bool `json:"organization,omitempty" toml:"organization,omitempty" yaml:"organization,omitempty" export:"true"`
|
||||
// OrganizationalUnit defines whether to add the organizationalUnit information into the subject.
|
||||
OrganizationalUnit bool `json:"organizationalUnit,omitempty" toml:"organizationalUnit,omitempty" yaml:"organizationalUnit,omitempty" export:"true"`
|
||||
CommonName bool `json:"commonName,omitempty" toml:"commonName,omitempty" yaml:"commonName,omitempty" export:"true"`
|
||||
SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"`
|
||||
DomainComponent bool `json:"domainComponent,omitempty" toml:"domainComponent,omitempty" yaml:"domainComponent,omitempty" export:"true"`
|
||||
// CommonName defines whether to add the organizationalUnit information into the subject.
|
||||
CommonName bool `json:"commonName,omitempty" toml:"commonName,omitempty" yaml:"commonName,omitempty" export:"true"`
|
||||
// SerialNumber defines whether to add the serialNumber information into the subject.
|
||||
SerialNumber bool `json:"serialNumber,omitempty" toml:"serialNumber,omitempty" yaml:"serialNumber,omitempty" export:"true"`
|
||||
// DomainComponent defines whether to add the domainComponent information into the subject.
|
||||
DomainComponent bool `json:"domainComponent,omitempty" toml:"domainComponent,omitempty" yaml:"domainComponent,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
@ -113,8 +113,10 @@ type TCPServer struct {
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// ProxyProtocol holds the ProxyProtocol configuration.
|
||||
// ProxyProtocol holds the PROXY Protocol configuration.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/services/#proxy-protocol
|
||||
type ProxyProtocol struct {
|
||||
// Version defines the PROXY Protocol version to use.
|
||||
Version int `json:"version,omitempty" toml:"version,omitempty" yaml:"version,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
|
@ -10,14 +10,21 @@ type TCPMiddleware struct {
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// TCPInFlightConn holds the TCP in flight connection configuration.
|
||||
// TCPInFlightConn holds the TCP InFlightConn middleware configuration.
|
||||
// This middleware prevents services from being overwhelmed with high load,
|
||||
// by limiting the number of allowed simultaneous connections for one IP.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/tcp/inflightconn/
|
||||
type TCPInFlightConn struct {
|
||||
// Amount defines the maximum amount of allowed simultaneous connections.
|
||||
// The middleware closes the connection if there are already amount connections opened.
|
||||
Amount int64 `json:"amount,omitempty" toml:"amount,omitempty" yaml:"amount,omitempty" export:"true"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// TCPIPWhiteList holds the TCP ip white list configuration.
|
||||
// TCPIPWhiteList holds the TCP IPWhiteList middleware configuration.
|
||||
// This middleware accepts/refuses connections based on the client IP.
|
||||
type TCPIPWhiteList struct {
|
||||
// SourceRange defines the allowed IPs (or ranges of allowed IPs by using CIDR notation).
|
||||
SourceRange []string `json:"sourceRange,omitempty" toml:"sourceRange,omitempty" yaml:"sourceRange,omitempty"`
|
||||
}
|
||||
|
@ -84,7 +84,7 @@ func (p *Provider) loadIngressRouteConfiguration(ctx context.Context, client Cli
|
||||
serviceName := normalized
|
||||
|
||||
if len(route.Services) > 1 {
|
||||
spec := v1alpha1.ServiceSpec{
|
||||
spec := v1alpha1.TraefikServiceSpec{
|
||||
Weighted: &v1alpha1.WeightedRoundRobin{
|
||||
Services: route.Services,
|
||||
},
|
||||
@ -217,7 +217,7 @@ func (c configBuilder) buildTraefikService(ctx context.Context, tService *v1alph
|
||||
|
||||
// buildServicesLB creates the configuration for the load-balancer of services named id, and defined in tService.
|
||||
// It adds it to the given conf map.
|
||||
func (c configBuilder) buildServicesLB(ctx context.Context, namespace string, tService v1alpha1.ServiceSpec, id string, conf map[string]*dynamic.Service) error {
|
||||
func (c configBuilder) buildServicesLB(ctx context.Context, namespace string, tService v1alpha1.TraefikServiceSpec, id string, conf map[string]*dynamic.Service) error {
|
||||
var wrrServices []dynamic.WRRService
|
||||
|
||||
for _, service := range tService.Weighted.Services {
|
||||
|
@ -7,90 +7,130 @@ import (
|
||||
"k8s.io/apimachinery/pkg/util/intstr"
|
||||
)
|
||||
|
||||
// IngressRouteSpec is a specification for a IngressRouteSpec resource.
|
||||
// IngressRouteSpec defines the desired state of IngressRoute.
|
||||
type IngressRouteSpec struct {
|
||||
Routes []Route `json:"routes"`
|
||||
// Routes defines the list of routes.
|
||||
Routes []Route `json:"routes"`
|
||||
// EntryPoints defines the list of entry point names to bind to.
|
||||
// Entry points have to be configured in the static configuration.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/
|
||||
// Default: all.
|
||||
EntryPoints []string `json:"entryPoints,omitempty"`
|
||||
TLS *TLS `json:"tls,omitempty"`
|
||||
// TLS defines the TLS configuration.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls
|
||||
TLS *TLS `json:"tls,omitempty"`
|
||||
}
|
||||
|
||||
// Route contains the set of routes.
|
||||
// Route holds the HTTP route configuration.
|
||||
type Route struct {
|
||||
// Match defines the router's rule.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#rule
|
||||
Match string `json:"match"`
|
||||
// Kind defines the kind of the route.
|
||||
// Rule is the only supported kind.
|
||||
// +kubebuilder:validation:Enum=Rule
|
||||
Kind string `json:"kind"`
|
||||
Priority int `json:"priority,omitempty"`
|
||||
Services []Service `json:"services,omitempty"`
|
||||
Kind string `json:"kind"`
|
||||
// Priority defines the router's priority.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#priority
|
||||
Priority int `json:"priority,omitempty"`
|
||||
// Services defines the list of Service.
|
||||
// It can contain any combination of TraefikService and/or reference to a Kubernetes Service.
|
||||
Services []Service `json:"services,omitempty"`
|
||||
// Middlewares defines the list of references to Middleware resources.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-middleware
|
||||
Middlewares []MiddlewareRef `json:"middlewares,omitempty"`
|
||||
}
|
||||
|
||||
// TLS contains the TLS certificates configuration of the routes.
|
||||
// To enable Let's Encrypt, use an empty TLS struct,
|
||||
// e.g. in YAML:
|
||||
//
|
||||
// tls: {} # inline format
|
||||
//
|
||||
// tls:
|
||||
// secretName: # block format
|
||||
// TLS holds the TLS configuration.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls
|
||||
type TLS struct {
|
||||
// SecretName is the name of the referenced Kubernetes Secret to specify the
|
||||
// certificate details.
|
||||
// SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
|
||||
SecretName string `json:"secretName,omitempty"`
|
||||
// Options is a reference to a TLSOption, that specifies the parameters of the TLS connection.
|
||||
// Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
|
||||
// If not defined, the `default` TLSOption is used.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options
|
||||
Options *TLSOptionRef `json:"options,omitempty"`
|
||||
// Store is a reference to a TLSStore, that specifies the parameters of the TLS store.
|
||||
Store *TLSStoreRef `json:"store,omitempty"`
|
||||
CertResolver string `json:"certResolver,omitempty"`
|
||||
Domains []types.Domain `json:"domains,omitempty"`
|
||||
// Store defines the reference to the TLSStore, that will be used to store certificates.
|
||||
// Please note that only `default` TLSStore can be used.
|
||||
Store *TLSStoreRef `json:"store,omitempty"`
|
||||
// CertResolver defines the name of the certificate resolver to use.
|
||||
// Cert resolvers have to be configured in the static configuration.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/https/acme/#certificate-resolvers
|
||||
CertResolver string `json:"certResolver,omitempty"`
|
||||
// Domains defines the list of domains that will be used to issue certificates.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#domains
|
||||
Domains []types.Domain `json:"domains,omitempty"`
|
||||
}
|
||||
|
||||
// TLSOptionRef is a ref to the TLSOption resources.
|
||||
// TLSOptionRef is a reference to a TLSOption resource.
|
||||
type TLSOptionRef struct {
|
||||
Name string `json:"name"`
|
||||
// Name defines the name of the referenced TLSOption.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsoption
|
||||
Name string `json:"name"`
|
||||
// Namespace defines the namespace of the referenced TLSOption.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsoption
|
||||
Namespace string `json:"namespace,omitempty"`
|
||||
}
|
||||
|
||||
// TLSStoreRef is a ref to the TLSStore resource.
|
||||
// TLSStoreRef is a reference to a TLSStore resource.
|
||||
type TLSStoreRef struct {
|
||||
Name string `json:"name"`
|
||||
// Name defines the name of the referenced TLSStore.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsstore
|
||||
Name string `json:"name"`
|
||||
// Namespace defines the namespace of the referenced TLSStore.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-tlsstore
|
||||
Namespace string `json:"namespace,omitempty"`
|
||||
}
|
||||
|
||||
// LoadBalancerSpec can reference either a Kubernetes Service object (a load-balancer of servers),
|
||||
// or a TraefikService object (a traefik load-balancer of services).
|
||||
// LoadBalancerSpec defines the desired state of LoadBalancer.
|
||||
// It can reference either a Kubernetes Service object (a load-balancer of servers),
|
||||
// or a TraefikService object (a load-balancer of Traefik services).
|
||||
type LoadBalancerSpec struct {
|
||||
// Name is a reference to a Kubernetes Service object (for a load-balancer of servers),
|
||||
// or to a TraefikService object (service load-balancer, mirroring, etc).
|
||||
// Name defines the name of the referenced Kubernetes Service or TraefikService.
|
||||
// The differentiation between the two is specified in the Kind field.
|
||||
Name string `json:"name"`
|
||||
// Kind defines the kind of the Service.
|
||||
// +kubebuilder:validation:Enum=Service;TraefikService
|
||||
Kind string `json:"kind,omitempty"`
|
||||
Namespace string `json:"namespace,omitempty"`
|
||||
Sticky *dynamic.Sticky `json:"sticky,omitempty"`
|
||||
|
||||
// Port and all the fields below are related to a servers load-balancer,
|
||||
// and therefore should only be specified when Name references a Kubernetes Service.
|
||||
|
||||
Port intstr.IntOrString `json:"port,omitempty"`
|
||||
Scheme string `json:"scheme,omitempty"`
|
||||
Strategy string `json:"strategy,omitempty"`
|
||||
PassHostHeader *bool `json:"passHostHeader,omitempty"`
|
||||
Kind string `json:"kind,omitempty"`
|
||||
// Namespace defines the namespace of the referenced Kubernetes Service or TraefikService.
|
||||
Namespace string `json:"namespace,omitempty"`
|
||||
// Sticky defines the sticky sessions configuration.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/services/#sticky-sessions
|
||||
Sticky *dynamic.Sticky `json:"sticky,omitempty"`
|
||||
// Port defines the port of a Kubernetes Service.
|
||||
// This can be a reference to a named port.
|
||||
Port intstr.IntOrString `json:"port,omitempty"`
|
||||
// Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
|
||||
// It defaults to https when Kubernetes Service port is 443, http otherwise.
|
||||
Scheme string `json:"scheme,omitempty"`
|
||||
// Strategy defines the load balancing strategy between the servers.
|
||||
// RoundRobin is the only supported value at the moment.
|
||||
Strategy string `json:"strategy,omitempty"`
|
||||
// PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
|
||||
// By default, passHostHeader is true.
|
||||
PassHostHeader *bool `json:"passHostHeader,omitempty"`
|
||||
// ResponseForwarding defines how Traefik forwards the response from the upstream Kubernetes Service to the client.
|
||||
ResponseForwarding *dynamic.ResponseForwarding `json:"responseForwarding,omitempty"`
|
||||
ServersTransport string `json:"serversTransport,omitempty"`
|
||||
// ServersTransport defines the name of ServersTransport resource to use.
|
||||
// It allows to configure the transport between Traefik and your servers.
|
||||
// Can only be used on a Kubernetes Service.
|
||||
ServersTransport string `json:"serversTransport,omitempty"`
|
||||
|
||||
// Weight should only be specified when Name references a TraefikService object
|
||||
// Weight defines the weight and should only be specified when Name references a TraefikService object
|
||||
// (and to be precise, one that embeds a Weighted Round Robin).
|
||||
Weight *int `json:"weight,omitempty"`
|
||||
}
|
||||
|
||||
// Service defines an upstream to proxy traffic.
|
||||
// Service defines an upstream HTTP service to proxy traffic to.
|
||||
type Service struct {
|
||||
LoadBalancerSpec `json:",inline"`
|
||||
}
|
||||
|
||||
// MiddlewareRef is a ref to the Middleware resources.
|
||||
// MiddlewareRef is a reference to a Middleware resource.
|
||||
type MiddlewareRef struct {
|
||||
Name string `json:"name"`
|
||||
// Name defines the name of the referenced Middleware resource.
|
||||
Name string `json:"name"`
|
||||
// Namespace defines the namespace of the referenced Middleware resource.
|
||||
Namespace string `json:"namespace,omitempty"`
|
||||
}
|
||||
|
||||
@ -98,9 +138,11 @@ type MiddlewareRef struct {
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:storageversion
|
||||
|
||||
// IngressRoute is an Ingress CRD specification.
|
||||
// IngressRoute is the CRD implementation of a Traefik HTTP Router.
|
||||
type IngressRoute struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ObjectMeta `json:"metadata"`
|
||||
|
||||
Spec IngressRouteSpec `json:"spec"`
|
||||
@ -108,9 +150,13 @@ type IngressRoute struct {
|
||||
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
// IngressRouteList is a list of IngressRoutes.
|
||||
// IngressRouteList is a collection of IngressRoute.
|
||||
type IngressRouteList struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ListMeta `json:"metadata"`
|
||||
Items []IngressRoute `json:"items"`
|
||||
|
||||
// Items is the list of IngressRoute.
|
||||
Items []IngressRoute `json:"items"`
|
||||
}
|
||||
|
@ -7,60 +7,88 @@ import (
|
||||
"k8s.io/apimachinery/pkg/util/intstr"
|
||||
)
|
||||
|
||||
// IngressRouteTCPSpec is a specification for a IngressRouteTCPSpec resource.
|
||||
// IngressRouteTCPSpec defines the desired state of IngressRouteTCP.
|
||||
type IngressRouteTCPSpec struct {
|
||||
Routes []RouteTCP `json:"routes"`
|
||||
EntryPoints []string `json:"entryPoints,omitempty"`
|
||||
TLS *TLSTCP `json:"tls,omitempty"`
|
||||
// Routes defines the list of routes.
|
||||
Routes []RouteTCP `json:"routes"`
|
||||
// EntryPoints defines the list of entry point names to bind to.
|
||||
// Entry points have to be configured in the static configuration.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/
|
||||
// Default: all.
|
||||
EntryPoints []string `json:"entryPoints,omitempty"`
|
||||
// TLS defines the TLS configuration on a layer 4 / TCP Route.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls_1
|
||||
TLS *TLSTCP `json:"tls,omitempty"`
|
||||
}
|
||||
|
||||
// RouteTCP contains the set of routes.
|
||||
// RouteTCP holds the TCP route configuration.
|
||||
type RouteTCP struct {
|
||||
Match string `json:"match"`
|
||||
Priority int `json:"priority,omitempty"`
|
||||
// Match defines the router's rule.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#rule_1
|
||||
Match string `json:"match"`
|
||||
// Priority defines the router's priority.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#priority_1
|
||||
Priority int `json:"priority,omitempty"`
|
||||
// Services defines the list of TCP services.
|
||||
Services []ServiceTCP `json:"services,omitempty"`
|
||||
// Middlewares contains references to MiddlewareTCP resources.
|
||||
// Middlewares defines the list of references to MiddlewareTCP resources.
|
||||
Middlewares []ObjectReference `json:"middlewares,omitempty"`
|
||||
}
|
||||
|
||||
// TLSTCP contains the TLS certificates configuration of the routes.
|
||||
// To enable Let's Encrypt, use an empty TLS struct,
|
||||
// e.g. in YAML:
|
||||
//
|
||||
// tls: {} # inline format
|
||||
//
|
||||
// tls:
|
||||
// secretName: # block format
|
||||
// TLSTCP holds the TLS configuration for an IngressRouteTCP.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#tls_1
|
||||
type TLSTCP struct {
|
||||
// SecretName is the name of the referenced Kubernetes Secret to specify the
|
||||
// certificate details.
|
||||
SecretName string `json:"secretName,omitempty"`
|
||||
Passthrough bool `json:"passthrough,omitempty"`
|
||||
// Options is a reference to a TLSOption, that specifies the parameters of the TLS connection.
|
||||
// SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
|
||||
SecretName string `json:"secretName,omitempty"`
|
||||
// Passthrough defines whether a TLS router will terminate the TLS connection.
|
||||
Passthrough bool `json:"passthrough,omitempty"`
|
||||
// Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
|
||||
// If not defined, the `default` TLSOption is used.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options
|
||||
Options *ObjectReference `json:"options,omitempty"`
|
||||
// Store is a reference to a TLSStore, that specifies the parameters of the TLS store.
|
||||
Store *ObjectReference `json:"store,omitempty"`
|
||||
CertResolver string `json:"certResolver,omitempty"`
|
||||
Domains []types.Domain `json:"domains,omitempty"`
|
||||
// Store defines the reference to the TLSStore, that will be used to store certificates.
|
||||
// Please note that only `default` TLSStore can be used.
|
||||
Store *ObjectReference `json:"store,omitempty"`
|
||||
// CertResolver defines the name of the certificate resolver to use.
|
||||
// Cert resolvers have to be configured in the static configuration.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/https/acme/#certificate-resolvers
|
||||
CertResolver string `json:"certResolver,omitempty"`
|
||||
// Domains defines the list of domains that will be used to issue certificates.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/routers/#domains
|
||||
Domains []types.Domain `json:"domains,omitempty"`
|
||||
}
|
||||
|
||||
// ServiceTCP defines an upstream to proxy traffic.
|
||||
// ServiceTCP defines an upstream TCP service to proxy traffic to.
|
||||
type ServiceTCP struct {
|
||||
Name string `json:"name"`
|
||||
Namespace string `json:"namespace,omitempty"`
|
||||
Port intstr.IntOrString `json:"port"`
|
||||
Weight *int `json:"weight,omitempty"`
|
||||
TerminationDelay *int `json:"terminationDelay,omitempty"`
|
||||
ProxyProtocol *dynamic.ProxyProtocol `json:"proxyProtocol,omitempty"`
|
||||
// Name defines the name of the referenced Kubernetes Service.
|
||||
Name string `json:"name"`
|
||||
// Namespace defines the namespace of the referenced Kubernetes Service.
|
||||
Namespace string `json:"namespace,omitempty"`
|
||||
// Port defines the port of a Kubernetes Service.
|
||||
// This can be a reference to a named port.
|
||||
Port intstr.IntOrString `json:"port"`
|
||||
// Weight defines the weight used when balancing requests between multiple Kubernetes Service.
|
||||
Weight *int `json:"weight,omitempty"`
|
||||
// TerminationDelay defines the deadline that the proxy sets, after one of its connected peers indicates
|
||||
// it has closed the writing capability of its connection, to close the reading capability as well,
|
||||
// hence fully terminating the connection.
|
||||
// It is a duration in milliseconds, defaulting to 100.
|
||||
// A negative value means an infinite deadline (i.e. the reading capability is never closed).
|
||||
TerminationDelay *int `json:"terminationDelay,omitempty"`
|
||||
// ProxyProtocol defines the PROXY protocol configuration.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/services/#proxy-protocol
|
||||
ProxyProtocol *dynamic.ProxyProtocol `json:"proxyProtocol,omitempty"`
|
||||
}
|
||||
|
||||
// +genclient
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:storageversion
|
||||
|
||||
// IngressRouteTCP is an Ingress CRD specification.
|
||||
// IngressRouteTCP is the CRD implementation of a Traefik TCP Router.
|
||||
type IngressRouteTCP struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ObjectMeta `json:"metadata"`
|
||||
|
||||
Spec IngressRouteTCPSpec `json:"spec"`
|
||||
@ -68,9 +96,13 @@ type IngressRouteTCP struct {
|
||||
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
// IngressRouteTCPList is a list of IngressRoutes.
|
||||
// IngressRouteTCPList is a collection of IngressRouteTCP.
|
||||
type IngressRouteTCPList struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ListMeta `json:"metadata"`
|
||||
Items []IngressRouteTCP `json:"items"`
|
||||
|
||||
// Items is the list of IngressRouteTCP.
|
||||
Items []IngressRouteTCP `json:"items"`
|
||||
}
|
||||
|
@ -5,38 +5,45 @@ import (
|
||||
"k8s.io/apimachinery/pkg/util/intstr"
|
||||
)
|
||||
|
||||
// IngressRouteUDPSpec is a specification for a IngressRouteUDPSpec resource.
|
||||
// IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.
|
||||
type IngressRouteUDPSpec struct {
|
||||
Routes []RouteUDP `json:"routes"`
|
||||
EntryPoints []string `json:"entryPoints,omitempty"`
|
||||
// Routes defines the list of routes.
|
||||
Routes []RouteUDP `json:"routes"`
|
||||
// EntryPoints defines the list of entry point names to bind to.
|
||||
// Entry points have to be configured in the static configuration.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/entrypoints/
|
||||
// Default: all.
|
||||
EntryPoints []string `json:"entryPoints,omitempty"`
|
||||
}
|
||||
|
||||
// RouteUDP contains the set of routes.
|
||||
// RouteUDP holds the UDP route configuration.
|
||||
type RouteUDP struct {
|
||||
// Services defines the list of UDP services.
|
||||
Services []ServiceUDP `json:"services,omitempty"`
|
||||
}
|
||||
|
||||
// TLSOptionUDPRef is a ref to the TLSOption resources.
|
||||
type TLSOptionUDPRef struct {
|
||||
Name string `json:"name"`
|
||||
Namespace string `json:"namespace,omitempty"`
|
||||
}
|
||||
|
||||
// ServiceUDP defines an upstream to proxy traffic.
|
||||
// ServiceUDP defines an upstream UDP service to proxy traffic to.
|
||||
type ServiceUDP struct {
|
||||
Name string `json:"name"`
|
||||
Namespace string `json:"namespace,omitempty"`
|
||||
Port intstr.IntOrString `json:"port"`
|
||||
Weight *int `json:"weight,omitempty"`
|
||||
// Name defines the name of the referenced Kubernetes Service.
|
||||
Name string `json:"name"`
|
||||
// Namespace defines the namespace of the referenced Kubernetes Service.
|
||||
Namespace string `json:"namespace,omitempty"`
|
||||
// Port defines the port of a Kubernetes Service.
|
||||
// This can be a reference to a named port.
|
||||
Port intstr.IntOrString `json:"port"`
|
||||
// Weight defines the weight used when balancing requests between multiple Kubernetes Service.
|
||||
Weight *int `json:"weight,omitempty"`
|
||||
}
|
||||
|
||||
// +genclient
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:storageversion
|
||||
|
||||
// IngressRouteUDP is an Ingress CRD specification.
|
||||
// IngressRouteUDP is a CRD implementation of a Traefik UDP Router.
|
||||
type IngressRouteUDP struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ObjectMeta `json:"metadata"`
|
||||
|
||||
Spec IngressRouteUDPSpec `json:"spec"`
|
||||
@ -44,9 +51,13 @@ type IngressRouteUDP struct {
|
||||
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
// IngressRouteUDPList is a list of IngressRoutes.
|
||||
// IngressRouteUDPList is a collection of IngressRouteUDP.
|
||||
type IngressRouteUDPList struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ListMeta `json:"metadata"`
|
||||
Items []IngressRouteUDP `json:"items"`
|
||||
|
||||
// Items is the list of IngressRouteUDP.
|
||||
Items []IngressRouteUDP `json:"items"`
|
||||
}
|
||||
|
@ -11,9 +11,12 @@ import (
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:storageversion
|
||||
|
||||
// Middleware is a specification for a Middleware resource.
|
||||
// Middleware is the CRD implementation of a Traefik Middleware.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/overview/
|
||||
type Middleware struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ObjectMeta `json:"metadata"`
|
||||
|
||||
Spec MiddlewareSpec `json:"spec"`
|
||||
@ -21,7 +24,7 @@ type Middleware struct {
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// MiddlewareSpec holds the Middleware configuration.
|
||||
// MiddlewareSpec defines the desired state of a Middleware.
|
||||
type MiddlewareSpec struct {
|
||||
AddPrefix *dynamic.AddPrefix `json:"addPrefix,omitempty"`
|
||||
StripPrefix *dynamic.StripPrefix `json:"stripPrefix,omitempty"`
|
||||
@ -50,84 +53,155 @@ type MiddlewareSpec struct {
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// ErrorPage holds the custom error page configuration.
|
||||
// ErrorPage holds the custom error middleware configuration.
|
||||
// This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/errorpages/
|
||||
type ErrorPage struct {
|
||||
Status []string `json:"status,omitempty"`
|
||||
Service Service `json:"service,omitempty"`
|
||||
Query string `json:"query,omitempty"`
|
||||
// Status defines which status or range of statuses should result in an error page.
|
||||
// It can be either a status code as a number (500),
|
||||
// as multiple comma-separated numbers (500,502),
|
||||
// as ranges by separating two codes with a dash (500-599),
|
||||
// or a combination of the two (404,418,500-599).
|
||||
Status []string `json:"status,omitempty"`
|
||||
// Service defines the reference to a Kubernetes Service that will serve the error page.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/errorpages/#service
|
||||
Service Service `json:"service,omitempty"`
|
||||
// Query defines the URL for the error page (hosted by service).
|
||||
// The {status} variable can be used in order to insert the status code in the URL.
|
||||
Query string `json:"query,omitempty"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// Chain holds a chain of middlewares.
|
||||
// Chain holds the configuration of the chain middleware.
|
||||
// This middleware enables to define reusable combinations of other pieces of middleware.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/chain/
|
||||
type Chain struct {
|
||||
// Middlewares is the list of MiddlewareRef which composes the chain.
|
||||
Middlewares []MiddlewareRef `json:"middlewares,omitempty"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// BasicAuth holds the HTTP basic authentication configuration.
|
||||
// BasicAuth holds the basic auth middleware configuration.
|
||||
// This middleware restricts access to your services to known users.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/
|
||||
type BasicAuth struct {
|
||||
Secret string `json:"secret,omitempty"`
|
||||
Realm string `json:"realm,omitempty"`
|
||||
RemoveHeader bool `json:"removeHeader,omitempty"`
|
||||
HeaderField string `json:"headerField,omitempty"`
|
||||
// Secret is the name of the referenced Kubernetes Secret containing user credentials.
|
||||
Secret string `json:"secret,omitempty"`
|
||||
// Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
|
||||
// Default: traefik.
|
||||
Realm string `json:"realm,omitempty"`
|
||||
// RemoveHeader sets the removeHeader option to true to remove the authorization header before forwarding the request to your service.
|
||||
// Default: false.
|
||||
RemoveHeader bool `json:"removeHeader,omitempty"`
|
||||
// HeaderField defines a header field to store the authenticated user.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield
|
||||
HeaderField string `json:"headerField,omitempty"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// DigestAuth holds the Digest HTTP authentication configuration.
|
||||
// DigestAuth holds the digest auth middleware configuration.
|
||||
// This middleware restricts access to your services to known users.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/digestauth/
|
||||
type DigestAuth struct {
|
||||
Secret string `json:"secret,omitempty"`
|
||||
RemoveHeader bool `json:"removeHeader,omitempty"`
|
||||
Realm string `json:"realm,omitempty"`
|
||||
HeaderField string `json:"headerField,omitempty"`
|
||||
// Secret is the name of the referenced Kubernetes Secret containing user credentials.
|
||||
Secret string `json:"secret,omitempty"`
|
||||
// RemoveHeader defines whether to remove the authorization header before forwarding the request to the backend.
|
||||
RemoveHeader bool `json:"removeHeader,omitempty"`
|
||||
// Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
|
||||
// Default: traefik.
|
||||
Realm string `json:"realm,omitempty"`
|
||||
// HeaderField defines a header field to store the authenticated user.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/basicauth/#headerfield
|
||||
HeaderField string `json:"headerField,omitempty"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// ForwardAuth holds the http forward authentication configuration.
|
||||
// ForwardAuth holds the forward auth middleware configuration.
|
||||
// This middleware delegates the request authentication to a Service.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/
|
||||
type ForwardAuth struct {
|
||||
Address string `json:"address,omitempty"`
|
||||
TrustForwardHeader bool `json:"trustForwardHeader,omitempty"`
|
||||
AuthResponseHeaders []string `json:"authResponseHeaders,omitempty"`
|
||||
AuthResponseHeadersRegex string `json:"authResponseHeadersRegex,omitempty"`
|
||||
AuthRequestHeaders []string `json:"authRequestHeaders,omitempty"`
|
||||
TLS *ClientTLS `json:"tls,omitempty"`
|
||||
// Address defines the authentication server address.
|
||||
Address string `json:"address,omitempty"`
|
||||
// TrustForwardHeader defines whether to trust (ie: forward) all X-Forwarded-* headers.
|
||||
TrustForwardHeader bool `json:"trustForwardHeader,omitempty"`
|
||||
// AuthResponseHeaders defines the list of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.
|
||||
AuthResponseHeaders []string `json:"authResponseHeaders,omitempty"`
|
||||
// AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/forwardauth/#authresponseheadersregex
|
||||
AuthResponseHeadersRegex string `json:"authResponseHeadersRegex,omitempty"`
|
||||
// AuthRequestHeaders defines the list of the headers to copy from the request to the authentication server.
|
||||
// If not set or empty then all request headers are passed.
|
||||
AuthRequestHeaders []string `json:"authRequestHeaders,omitempty"`
|
||||
// TLS defines the configuration used to secure the connection to the authentication server.
|
||||
TLS *ClientTLS `json:"tls,omitempty"`
|
||||
}
|
||||
|
||||
// ClientTLS holds TLS specific configurations as client.
|
||||
// ClientTLS holds the client TLS configuration.
|
||||
type ClientTLS struct {
|
||||
CASecret string `json:"caSecret,omitempty"`
|
||||
CAOptional bool `json:"caOptional,omitempty"`
|
||||
CertSecret string `json:"certSecret,omitempty"`
|
||||
InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
// MiddlewareList is a list of Middleware resources.
|
||||
type MiddlewareList struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
metav1.ListMeta `json:"metadata"`
|
||||
|
||||
Items []Middleware `json:"items"`
|
||||
// CASecret is the name of the referenced Kubernetes Secret containing the CA to validate the server certificate.
|
||||
// The CA certificate is extracted from key `tls.ca` or `ca.crt`.
|
||||
CASecret string `json:"caSecret,omitempty"`
|
||||
// CertSecret is the name of the referenced Kubernetes Secret containing the client certificate.
|
||||
// The client certificate is extracted from the keys `tls.crt` and `tls.key`.
|
||||
CertSecret string `json:"certSecret,omitempty"`
|
||||
// InsecureSkipVerify defines whether the server certificates should be validated.
|
||||
InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
|
||||
CAOptional bool `json:"caOptional,omitempty"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// RateLimit holds the rate limiting configuration for a given router.
|
||||
// RateLimit holds the rate limit configuration.
|
||||
// This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/ratelimit/
|
||||
type RateLimit struct {
|
||||
Average int64 `json:"average,omitempty"`
|
||||
Period *intstr.IntOrString `json:"period,omitempty"`
|
||||
Burst *int64 `json:"burst,omitempty"`
|
||||
// Average is the maximum rate, by default in requests/s, allowed for the given source.
|
||||
// It defaults to 0, which means no rate limiting.
|
||||
// The rate is actually defined by dividing Average by Period. So for a rate below 1req/s,
|
||||
// one needs to define a Period larger than a second.
|
||||
Average int64 `json:"average,omitempty"`
|
||||
// Period, in combination with Average, defines the actual maximum rate, such as:
|
||||
// r = Average / Period. It defaults to a second.
|
||||
Period *intstr.IntOrString `json:"period,omitempty"`
|
||||
// Burst is the maximum number of requests allowed to arrive in the same arbitrarily small period of time.
|
||||
// It defaults to 1.
|
||||
Burst *int64 `json:"burst,omitempty"`
|
||||
// SourceCriterion defines what criterion is used to group requests as originating from a common source.
|
||||
// If several strategies are defined at the same time, an error will be raised.
|
||||
// If none are set, the default is to use the request's remote address field (as an ipStrategy).
|
||||
SourceCriterion *dynamic.SourceCriterion `json:"sourceCriterion,omitempty"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// Retry holds the retry configuration.
|
||||
// Retry holds the retry middleware configuration.
|
||||
// This middleware reissues requests a given number of times to a backend server if that server does not reply.
|
||||
// As soon as the server answers, the middleware stops retrying, regardless of the response status.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/http/retry/
|
||||
type Retry struct {
|
||||
Attempts int `json:"attempts,omitempty"`
|
||||
// Attempts defines how many times the request should be retried.
|
||||
Attempts int `json:"attempts,omitempty"`
|
||||
// InitialInterval defines the first wait time in the exponential backoff series.
|
||||
// The maximum interval is calculated as twice the initialInterval.
|
||||
// If unspecified, requests will be retried immediately.
|
||||
// The value of initialInterval should be provided in seconds or as a valid duration format,
|
||||
// see https://pkg.go.dev/time#ParseDuration.
|
||||
InitialInterval intstr.IntOrString `json:"initialInterval,omitempty"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
// MiddlewareList is a collection of Middleware resources.
|
||||
type MiddlewareList struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ListMeta `json:"metadata"`
|
||||
|
||||
// Items is the list of Middleware.
|
||||
Items []Middleware `json:"items"`
|
||||
}
|
||||
|
@ -8,9 +8,12 @@ import (
|
||||
// +genclient
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
// MiddlewareTCP is a specification for a MiddlewareTCP resource.
|
||||
// MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/middlewares/overview/
|
||||
type MiddlewareTCP struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ObjectMeta `json:"metadata"`
|
||||
|
||||
Spec MiddlewareTCPSpec `json:"spec"`
|
||||
@ -18,18 +21,23 @@ type MiddlewareTCP struct {
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// MiddlewareTCPSpec holds the MiddlewareTCP configuration.
|
||||
// MiddlewareTCPSpec defines the desired state of a MiddlewareTCP.
|
||||
type MiddlewareTCPSpec struct {
|
||||
// InFlightConn defines the InFlightConn middleware configuration.
|
||||
InFlightConn *dynamic.TCPInFlightConn `json:"inFlightConn,omitempty"`
|
||||
IPWhiteList *dynamic.TCPIPWhiteList `json:"ipWhiteList,omitempty"`
|
||||
// IPWhiteList defines the IPWhiteList middleware configuration.
|
||||
IPWhiteList *dynamic.TCPIPWhiteList `json:"ipWhiteList,omitempty"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
// MiddlewareTCPList is a list of MiddlewareTCP resources.
|
||||
// MiddlewareTCPList is a collection of MiddlewareTCP resources.
|
||||
type MiddlewareTCPList struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ListMeta `json:"metadata"`
|
||||
|
||||
// Items is the list of MiddlewareTCP.
|
||||
Items []MiddlewareTCP `json:"items"`
|
||||
}
|
||||
|
@ -2,6 +2,8 @@ package v1alpha1
|
||||
|
||||
// ObjectReference is a generic reference to a Traefik resource.
|
||||
type ObjectReference struct {
|
||||
Name string `json:"name"`
|
||||
// Name defines the name of the referenced Traefik resource.
|
||||
Name string `json:"name"`
|
||||
// Namespace defines the namespace of the referenced Traefik resource.
|
||||
Namespace string `json:"namespace,omitempty"`
|
||||
}
|
||||
|
@ -9,9 +9,14 @@ import (
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:storageversion
|
||||
|
||||
// ServersTransport is a specification for a ServersTransport resource.
|
||||
// ServersTransport is the CRD implementation of a ServersTransport.
|
||||
// If no serversTransport is specified, the default@internal will be used.
|
||||
// The default@internal serversTransport is created from the static configuration.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/services/#serverstransport_1
|
||||
type ServersTransport struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ObjectMeta `json:"metadata"`
|
||||
|
||||
Spec ServersTransportSpec `json:"spec"`
|
||||
@ -19,38 +24,37 @@ type ServersTransport struct {
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// ServersTransportSpec options to configure communication between Traefik and the servers.
|
||||
// ServersTransportSpec defines the desired state of a ServersTransport.
|
||||
type ServersTransportSpec struct {
|
||||
// ServerName used to contact the server.
|
||||
// ServerName defines the server name used to contact the server.
|
||||
ServerName string `json:"serverName,omitempty"`
|
||||
// Disable SSL certificate verification.
|
||||
// InsecureSkipVerify disables SSL certificate verification.
|
||||
InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
|
||||
// Add cert file for self-signed certificate.
|
||||
// RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
|
||||
RootCAsSecrets []string `json:"rootCAsSecrets,omitempty"`
|
||||
// Certificates for mTLS.
|
||||
// CertificatesSecrets defines a list of secret storing client certificates for mTLS.
|
||||
CertificatesSecrets []string `json:"certificatesSecrets,omitempty"`
|
||||
// If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, DefaultMaxIdleConnsPerHost is used.
|
||||
// MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.
|
||||
MaxIdleConnsPerHost int `json:"maxIdleConnsPerHost,omitempty"`
|
||||
// Timeouts for requests forwarded to the backend servers.
|
||||
// ForwardingTimeouts defines the timeouts for requests forwarded to the backend servers.
|
||||
ForwardingTimeouts *ForwardingTimeouts `json:"forwardingTimeouts,omitempty"`
|
||||
// Disable HTTP/2 for connections with backend servers.
|
||||
// DisableHTTP2 disables HTTP/2 for connections with backend servers.
|
||||
DisableHTTP2 bool `json:"disableHTTP2,omitempty"`
|
||||
// URI used to match against SAN URI during the peer certificate verification.
|
||||
// PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification.
|
||||
PeerCertURI string `json:"peerCertURI,omitempty"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// ForwardingTimeouts contains timeout configurations for forwarding requests to the backend servers.
|
||||
// ForwardingTimeouts holds the timeout configurations for forwarding requests to the backend servers.
|
||||
type ForwardingTimeouts struct {
|
||||
// DialTimeout is the amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists.
|
||||
// DialTimeout is the amount of time to wait until a connection to a backend server can be established.
|
||||
DialTimeout *intstr.IntOrString `json:"dialTimeout,omitempty"`
|
||||
// ResponseHeaderTimeout is the amount of time to wait for a server's response headers after fully writing the request (including its body, if any).
|
||||
// If zero, no timeout exists.
|
||||
ResponseHeaderTimeout *intstr.IntOrString `json:"responseHeaderTimeout,omitempty"`
|
||||
// IdleConnTimeout is the maximum period for which an idle HTTP keep-alive connection will remain open before closing itself.
|
||||
IdleConnTimeout *intstr.IntOrString `json:"idleConnTimeout,omitempty"`
|
||||
// ReadIdleTimeout is the timeout after which a health check using ping frame will be carried out if no frame is received on the HTTP/2 connection. If zero, no health check is performed.
|
||||
// ReadIdleTimeout is the timeout after which a health check using ping frame will be carried out if no frame is received on the HTTP/2 connection.
|
||||
ReadIdleTimeout *intstr.IntOrString `json:"readIdleTimeout,omitempty"`
|
||||
// PingTimeout is the timeout after which the HTTP/2 connection will be closed if a response to ping is not received.
|
||||
PingTimeout *intstr.IntOrString `json:"pingTimeout,omitempty"`
|
||||
@ -58,10 +62,13 @@ type ForwardingTimeouts struct {
|
||||
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
// ServersTransportList is a list of ServersTransport resources.
|
||||
// ServersTransportList is a collection of ServersTransport resources.
|
||||
type ServersTransportList struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ListMeta `json:"metadata"`
|
||||
|
||||
// Items is the list of ServersTransport.
|
||||
Items []ServersTransport `json:"items"`
|
||||
}
|
||||
|
@ -9,60 +9,77 @@ import (
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:storageversion
|
||||
|
||||
// TraefikService is the specification for a service (that an IngressRoute refers
|
||||
// to) that is usually not a terminal service (i.e. not a pod of servers), as
|
||||
// opposed to a Kubernetes Service. That is to say, it usually refers to other
|
||||
// (children) services, which themselves can be TraefikServices or Services.
|
||||
// TraefikService is the CRD implementation of a Traefik Service.
|
||||
// TraefikService object allows to:
|
||||
// - Apply weight to Services on load-balancing
|
||||
// - Mirror traffic on services
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#kind-traefikservice
|
||||
type TraefikService struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ObjectMeta `json:"metadata"`
|
||||
|
||||
Spec ServiceSpec `json:"spec"`
|
||||
Spec TraefikServiceSpec `json:"spec"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
// TraefikServiceList is a list of TraefikService resources.
|
||||
// TraefikServiceList is a collection of TraefikService resources.
|
||||
type TraefikServiceList struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ListMeta `json:"metadata"`
|
||||
|
||||
// Items is the list of TraefikService.
|
||||
Items []TraefikService `json:"items"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// ServiceSpec defines whether a TraefikService is a load-balancer of services or a
|
||||
// mirroring service.
|
||||
type ServiceSpec struct {
|
||||
Weighted *WeightedRoundRobin `json:"weighted,omitempty"`
|
||||
Mirroring *Mirroring `json:"mirroring,omitempty"`
|
||||
// TraefikServiceSpec defines the desired state of a TraefikService.
|
||||
type TraefikServiceSpec struct {
|
||||
// Weighted defines the Weighted Round Robin configuration.
|
||||
Weighted *WeightedRoundRobin `json:"weighted,omitempty"`
|
||||
// Mirroring defines the Mirroring service configuration.
|
||||
Mirroring *Mirroring `json:"mirroring,omitempty"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// Mirroring defines a mirroring service, which is composed of a main
|
||||
// load-balancer, and a list of mirrors.
|
||||
// Mirroring holds the mirroring service configuration.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/services/#mirroring-service
|
||||
type Mirroring struct {
|
||||
LoadBalancerSpec `json:",inline"`
|
||||
|
||||
MaxBodySize *int64 `json:"maxBodySize,omitempty"`
|
||||
Mirrors []MirrorService `json:"mirrors,omitempty"`
|
||||
// MaxBodySize defines the maximum size allowed for the body of the request.
|
||||
// If the body is larger, the request is not mirrored.
|
||||
// Default value is -1, which means unlimited size.
|
||||
MaxBodySize *int64 `json:"maxBodySize,omitempty"`
|
||||
// Mirrors defines the list of mirrors where Traefik will duplicate the traffic.
|
||||
Mirrors []MirrorService `json:"mirrors,omitempty"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// MirrorService defines one of the mirrors of a Mirroring service.
|
||||
// MirrorService holds the mirror configuration.
|
||||
type MirrorService struct {
|
||||
LoadBalancerSpec `json:",inline"`
|
||||
|
||||
// Percent defines the part of the traffic to mirror.
|
||||
// Supported values: 0 to 100.
|
||||
Percent int `json:"percent,omitempty"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// WeightedRoundRobin defines a load-balancer of services.
|
||||
// WeightedRoundRobin holds the weighted round-robin configuration.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/services/#weighted-round-robin-service
|
||||
type WeightedRoundRobin struct {
|
||||
Services []Service `json:"services,omitempty"`
|
||||
Sticky *dynamic.Sticky `json:"sticky,omitempty"`
|
||||
// Services defines the list of Kubernetes Service and/or TraefikService to load-balance, with weight.
|
||||
Services []Service `json:"services,omitempty"`
|
||||
// Sticky defines whether sticky sessions are enabled.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
|
||||
Sticky *dynamic.Sticky `json:"sticky,omitempty"`
|
||||
}
|
||||
|
@ -8,9 +8,12 @@ import (
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:storageversion
|
||||
|
||||
// TLSOption is a specification for a TLSOption resource.
|
||||
// TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/https/tls/#tls-options
|
||||
type TLSOption struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ObjectMeta `json:"metadata"`
|
||||
|
||||
Spec TLSOptionSpec `json:"spec"`
|
||||
@ -18,35 +21,54 @@ type TLSOption struct {
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// TLSOptionSpec configures TLS for an entry point.
|
||||
// TLSOptionSpec defines the desired state of a TLSOption.
|
||||
type TLSOptionSpec struct {
|
||||
MinVersion string `json:"minVersion,omitempty"`
|
||||
MaxVersion string `json:"maxVersion,omitempty"`
|
||||
CipherSuites []string `json:"cipherSuites,omitempty"`
|
||||
CurvePreferences []string `json:"curvePreferences,omitempty"`
|
||||
ClientAuth ClientAuth `json:"clientAuth,omitempty"`
|
||||
SniStrict bool `json:"sniStrict,omitempty"`
|
||||
PreferServerCipherSuites bool `json:"preferServerCipherSuites,omitempty"`
|
||||
ALPNProtocols []string `json:"alpnProtocols,omitempty"`
|
||||
// MinVersion defines the minimum TLS version that Traefik will accept.
|
||||
// Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
|
||||
// Default: VersionTLS10.
|
||||
MinVersion string `json:"minVersion,omitempty"`
|
||||
// MaxVersion defines the maximum TLS version that Traefik will accept.
|
||||
// Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
|
||||
// Default: None.
|
||||
MaxVersion string `json:"maxVersion,omitempty"`
|
||||
// CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/https/tls/#cipher-suites
|
||||
CipherSuites []string `json:"cipherSuites,omitempty"`
|
||||
// CurvePreferences defines the preferred elliptic curves in a specific order.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/https/tls/#curve-preferences
|
||||
CurvePreferences []string `json:"curvePreferences,omitempty"`
|
||||
// ClientAuth defines the server's policy for TLS Client Authentication.
|
||||
ClientAuth ClientAuth `json:"clientAuth,omitempty"`
|
||||
// SniStrict defines whether Traefik allows connections from clients connections that do not specify a server_name extension.
|
||||
SniStrict bool `json:"sniStrict,omitempty"`
|
||||
// PreferServerCipherSuites defines whether the server chooses a cipher suite among his own instead of among the client's.
|
||||
// It is enabled automatically when minVersion or maxVersion are set.
|
||||
PreferServerCipherSuites bool `json:"preferServerCipherSuites,omitempty"`
|
||||
// ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/https/tls/#alpn-protocols
|
||||
ALPNProtocols []string `json:"alpnProtocols,omitempty"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// ClientAuth defines the parameters of the client authentication part of the TLS connection, if any.
|
||||
// ClientAuth holds the TLS client authentication configuration.
|
||||
type ClientAuth struct {
|
||||
// SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
|
||||
// SecretNames defines the names of the referenced Kubernetes Secret storing certificate details.
|
||||
SecretNames []string `json:"secretNames,omitempty"`
|
||||
// +kubebuilder:validation:Enum=NoClientCert;RequestClientCert;RequireAnyClientCert;VerifyClientCertIfGiven;RequireAndVerifyClientCert
|
||||
// ClientAuthType defines the client authentication type to apply.
|
||||
// +kubebuilder:validation:Enum=NoClientCert;RequestClientCert;RequireAnyClientCert;VerifyClientCertIfGiven;RequireAndVerifyClientCert
|
||||
ClientAuthType string `json:"clientAuthType,omitempty"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
// TLSOptionList is a list of TLSOption resources.
|
||||
// TLSOptionList is a collection of TLSOption resources.
|
||||
type TLSOptionList struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ListMeta `json:"metadata"`
|
||||
|
||||
// Items is the list of TLSOption.
|
||||
Items []TLSOption `json:"items"`
|
||||
}
|
||||
|
@ -8,9 +8,14 @@ import (
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
// +kubebuilder:storageversion
|
||||
|
||||
// TLSStore is a specification for a TLSStore resource.
|
||||
// TLSStore is the CRD implementation of a Traefik TLS Store.
|
||||
// For the time being, only the TLSStore named default is supported.
|
||||
// This means that you cannot have two stores that are named default in different Kubernetes namespaces.
|
||||
// More info: https://doc.traefik.io/traefik/v2.7/https/tls/#certificates-stores
|
||||
type TLSStore struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ObjectMeta `json:"metadata"`
|
||||
|
||||
Spec TLSStoreSpec `json:"spec"`
|
||||
@ -18,14 +23,15 @@ type TLSStore struct {
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// TLSStoreSpec configures a TLSStore resource.
|
||||
// TLSStoreSpec defines the desired state of a TLSStore.
|
||||
type TLSStoreSpec struct {
|
||||
// DefaultCertificate defines the default certificate configuration.
|
||||
DefaultCertificate DefaultCertificate `json:"defaultCertificate"`
|
||||
}
|
||||
|
||||
// +k8s:deepcopy-gen=true
|
||||
|
||||
// DefaultCertificate holds a secret name for the TLSOption resource.
|
||||
// DefaultCertificate holds the default certificate configuration.
|
||||
type DefaultCertificate struct {
|
||||
// SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
|
||||
SecretName string `json:"secretName"`
|
||||
@ -33,10 +39,13 @@ type DefaultCertificate struct {
|
||||
|
||||
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
||||
|
||||
// TLSStoreList is a list of TLSStore resources.
|
||||
// TLSStoreList is a collection of TLSStore resources.
|
||||
type TLSStoreList struct {
|
||||
metav1.TypeMeta `json:",inline"`
|
||||
// Standard object's metadata.
|
||||
// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
|
||||
metav1.ListMeta `json:"metadata"`
|
||||
|
||||
// Items is the list of TLSStore.
|
||||
Items []TLSStore `json:"items"`
|
||||
}
|
||||
|
@ -1140,32 +1140,6 @@ func (in *Service) DeepCopy() *Service {
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *ServiceSpec) DeepCopyInto(out *ServiceSpec) {
|
||||
*out = *in
|
||||
if in.Weighted != nil {
|
||||
in, out := &in.Weighted, &out.Weighted
|
||||
*out = new(WeightedRoundRobin)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
if in.Mirroring != nil {
|
||||
in, out := &in.Mirroring, &out.Mirroring
|
||||
*out = new(Mirroring)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceSpec.
|
||||
func (in *ServiceSpec) DeepCopy() *ServiceSpec {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(ServiceSpec)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *ServiceTCP) DeepCopyInto(out *ServiceTCP) {
|
||||
*out = *in
|
||||
@ -1361,22 +1335,6 @@ func (in *TLSOptionSpec) DeepCopy() *TLSOptionSpec {
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *TLSOptionUDPRef) DeepCopyInto(out *TLSOptionUDPRef) {
|
||||
*out = *in
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSOptionUDPRef.
|
||||
func (in *TLSOptionUDPRef) DeepCopy() *TLSOptionUDPRef {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(TLSOptionUDPRef)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *TLSStore) DeepCopyInto(out *TLSStore) {
|
||||
*out = *in
|
||||
@ -1563,6 +1521,32 @@ func (in *TraefikServiceList) DeepCopyObject() runtime.Object {
|
||||
return nil
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *TraefikServiceSpec) DeepCopyInto(out *TraefikServiceSpec) {
|
||||
*out = *in
|
||||
if in.Weighted != nil {
|
||||
in, out := &in.Weighted, &out.Weighted
|
||||
*out = new(WeightedRoundRobin)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
if in.Mirroring != nil {
|
||||
in, out := &in.Mirroring, &out.Mirroring
|
||||
*out = new(Mirroring)
|
||||
(*in).DeepCopyInto(*out)
|
||||
}
|
||||
return
|
||||
}
|
||||
|
||||
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TraefikServiceSpec.
|
||||
func (in *TraefikServiceSpec) DeepCopy() *TraefikServiceSpec {
|
||||
if in == nil {
|
||||
return nil
|
||||
}
|
||||
out := new(TraefikServiceSpec)
|
||||
in.DeepCopyInto(out)
|
||||
return out
|
||||
}
|
||||
|
||||
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
|
||||
func (in *WeightedRoundRobin) DeepCopyInto(out *WeightedRoundRobin) {
|
||||
*out = *in
|
||||
|
@ -283,6 +283,7 @@
|
||||
"notAfter": true,
|
||||
"notBefore": true,
|
||||
"sans": true,
|
||||
"serialNumber": true,
|
||||
"subject": {
|
||||
"country": true,
|
||||
"province": true,
|
||||
@ -301,8 +302,7 @@
|
||||
"commonName": true,
|
||||
"serialNumber": true,
|
||||
"domainComponent": true
|
||||
},
|
||||
"serialNumber": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"retry": {
|
||||
|
@ -286,6 +286,7 @@
|
||||
"notAfter": true,
|
||||
"notBefore": true,
|
||||
"sans": true,
|
||||
"serialNumber": true,
|
||||
"subject": {
|
||||
"country": true,
|
||||
"province": true,
|
||||
@ -304,8 +305,7 @@
|
||||
"commonName": true,
|
||||
"serialNumber": true,
|
||||
"domainComponent": true
|
||||
},
|
||||
"serialNumber": true
|
||||
}
|
||||
}
|
||||
},
|
||||
"retry": {
|
||||
|
@ -32,8 +32,9 @@ docker run --rm \
|
||||
-w "/go/src/${PROJECT_MODULE}" \
|
||||
"${IMAGE_NAME}" $cmd
|
||||
|
||||
echo "Concatenate the CRD definitions for the integration tests ..."
|
||||
cat $(pwd)/docs/content/reference/dynamic-configuration/traefik.containo.us_*.yaml > $(pwd)/integration/fixtures/k8s/01-traefik-crd.yml
|
||||
echo "Concatenate the CRD definitions for publication and integration tests ..."
|
||||
cat $(pwd)/docs/content/reference/dynamic-configuration/traefik.containo.us_*.yaml > $(pwd)/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
|
||||
cp -f $(pwd)/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml $(pwd)/integration/fixtures/k8s/01-traefik-crd.yml
|
||||
|
||||
cp -r $(pwd)/${MODULE_VERSION}/* $(pwd)
|
||||
rm -rf $(pwd)/${MODULE_VERSION}
|
||||
|
Loading…
Reference in New Issue
Block a user