我的书签
添加书签
移除书签Traefik & Kubernetes
The Kubernetes Ingress Controller, The Custom Resource Way.
Configuration Examples
Configuring KubernetesCRD and Deploying/Exposing Services
Resource Definition
# All resources definition must be declaredapiVersion: apiextensions.k8s.io/v1beta1kind: CustomResourceDefinitionmetadata:name: ingressroutes.traefik.containo.usspec:group: traefik.containo.usversion: v1alpha1names:kind: IngressRouteplural: ingressroutessingular: ingressroutescope: Namespaced---apiVersion: apiextensions.k8s.io/v1beta1kind: CustomResourceDefinitionmetadata:name: middlewares.traefik.containo.usspec:group: traefik.containo.usversion: v1alpha1names:kind: Middlewareplural: middlewaressingular: middlewarescope: Namespaced---apiVersion: apiextensions.k8s.io/v1beta1kind: CustomResourceDefinitionmetadata:name: ingressroutetcps.traefik.containo.usspec:group: traefik.containo.usversion: v1alpha1names:kind: IngressRouteTCPplural: ingressroutetcpssingular: ingressroutetcpscope: Namespaced---apiVersion: apiextensions.k8s.io/v1beta1kind: CustomResourceDefinitionmetadata:name: ingressrouteudps.traefik.containo.usspec:group: traefik.containo.usversion: v1alpha1names:kind: IngressRouteUDPplural: ingressrouteudpssingular: ingressrouteudpscope: Namespaced---apiVersion: apiextensions.k8s.io/v1beta1kind: CustomResourceDefinitionmetadata:name: tlsoptions.traefik.containo.usspec:group: traefik.containo.usversion: v1alpha1names:kind: TLSOptionplural: tlsoptionssingular: tlsoptionscope: Namespaced---apiVersion: apiextensions.k8s.io/v1beta1kind: CustomResourceDefinitionmetadata:name: tlsstores.traefik.containo.usspec:group: traefik.containo.usversion: v1alpha1names:kind: TLSStoreplural: tlsstoressingular: tlsstorescope: Namespaced---apiVersion: apiextensions.k8s.io/v1beta1kind: CustomResourceDefinitionmetadata:name: traefikservices.traefik.containo.usspec:group: traefik.containo.usversion: v1alpha1names:kind: TraefikServiceplural: traefikservicessingular: traefikservicescope: Namespaced
RBAC
kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1beta1metadata:name: traefik-ingress-controllerrules:- apiGroups:- ""resources:- services- endpoints- secretsverbs:- get- list- watch- apiGroups:- extensions- networking.k8s.ioresources:- ingresses- ingressclassesverbs:- get- list- watch- apiGroups:- extensionsresources:- ingresses/statusverbs:- update- apiGroups:- traefik.containo.usresources:- middlewares- ingressroutes- traefikservices- ingressroutetcps- ingressrouteudps- tlsoptions- tlsstoresverbs:- get- list- watch---kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1beta1metadata:name: traefik-ingress-controllerroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: traefik-ingress-controllersubjects:- kind: ServiceAccountname: traefik-ingress-controllernamespace: default
Traefik
apiVersion: v1kind: ServiceAccountmetadata:name: traefik-ingress-controller---kind: DeploymentapiVersion: apps/v1metadata:name: traefiklabels:app: traefikspec:replicas: 1selector:matchLabels:app: traefiktemplate:metadata:labels:app: traefikspec:serviceAccountName: traefik-ingress-controllercontainers:- name: traefikimage: traefik:v2.3args:- --log.level=DEBUG- --api- --api.insecure- --entrypoints.web.address=:80- --entrypoints.tcpep.address=:8000- --entrypoints.udpep.address=:9000/udp- --providers.kubernetescrdports:- name: webcontainerPort: 80- name: admincontainerPort: 8080- name: tcpepcontainerPort: 8000- name: udpepcontainerPort: 9000---apiVersion: v1kind: Servicemetadata:name: traefikspec:type: LoadBalancerselector:app: traefikports:- protocol: TCPport: 80name: webtargetPort: 80- protocol: TCPport: 8080name: admintargetPort: 8080- protocol: TCPport: 8000name: tcpeptargetPort: 8000---apiVersion: v1kind: Servicemetadata:name: traefikudpspec:type: LoadBalancerselector:app: traefikports:- protocol: UDPport: 9000name: udpeptargetPort: 9000
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: myingressroutenamespace: defaultspec:entryPoints:- webroutes:- match: Host(`foo`) && PathPrefix(`/bar`)kind: Ruleservices:- name: whoamiport: 80---apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: ingressroute.tcpnamespace: defaultspec:entryPoints:- tcpeproutes:- match: HostSNI(`bar`)kind: Ruleservices:- name: whoamitcpport: 8080---apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteUDPmetadata:name: ingressroute.udpnamespace: defaultspec:entryPoints:- fooudproutes:- kind: Ruleservices:- name: whoamiudpport: 8080
Whoami
kind: DeploymentapiVersion: apps/v1metadata:name: whoaminamespace: defaultlabels:app: traefiklabsname: whoamispec:replicas: 2selector:matchLabels:app: traefiklabstask: whoamitemplate:metadata:labels:app: traefiklabstask: whoamispec:containers:- name: whoamiimage: traefik/whoamiports:- containerPort: 80---apiVersion: v1kind: Servicemetadata:name: whoaminamespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: whoami---kind: DeploymentapiVersion: apps/v1metadata:name: whoamitcpnamespace: defaultlabels:app: traefiklabsname: whoamitcpspec:replicas: 2selector:matchLabels:app: traefiklabstask: whoamitcptemplate:metadata:labels:app: traefiklabstask: whoamitcpspec:containers:- name: whoamitcpimage: traefik/whoamitcpports:- containerPort: 8080---apiVersion: v1kind: Servicemetadata:name: whoamitcpnamespace: defaultspec:ports:- protocol: TCPport: 8080selector:app: traefiklabstask: whoamitcp---kind: DeploymentapiVersion: apps/v1metadata:name: whoamiudpnamespace: defaultlabels:app: traefiklabsname: whoamiudpspec:replicas: 2selector:matchLabels:app: traefiklabstask: whoamiudptemplate:metadata:labels:app: traefiklabstask: whoamiudpspec:containers:- name: whoamiudpimage: traefik/whoamiudp:latestports:- containerPort: 8080---apiVersion: v1kind: Servicemetadata:name: whoamiudpnamespace: defaultspec:ports:- port: 8080selector:app: traefiklabstask: whoamiudp
Routing Configuration
Custom Resource Definition (CRD)
- You can find an exhaustive list, generated from Traefik’s source code, of the custom resources and their attributes in the reference page.
- Validate that the prerequisites are fulfilled before using the Traefik custom resources.
- Traefik CRDs are building blocks that you can assemble according to your needs.
You can find an excerpt of the available custom resources in the table below:
| Kind | Purpose | Concept Behind |
|---|---|---|
| IngressRoute | HTTP Routing | HTTP router |
| Middleware | Tweaks the HTTP requests before they are sent to your service | HTTP Middlewares |
| TraefikService | Abstraction for HTTP loadbalancing/mirroring | HTTP service |
| IngressRouteTCP | TCP Routing | TCP router |
| IngressRouteUDP | UDP Routing | UDP router |
| TLSOptions | Allows to configure some parameters of the TLS connection | TLSOptions |
| TLSStores | Allows to configure the default TLS store | TLSStores |
Kind: IngressRoute
IngressRoute is the CRD implementation of a Traefik HTTP router.
Register the IngressRoute kind in the Kubernetes cluster before creating IngressRoute objects.
IngressRoute Attributes
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: foonamespace: barspec:entryPoints: # [1]- fooroutes: # [2]- kind: Rulematch: Host(`test.example.com`) # [3]priority: 10 # [4]middlewares: # [5]- name: middleware1 # [6]namespace: default # [7]services: # [8]- kind: Servicename: foonamespace: defaultpassHostHeader: trueport: 80responseForwarding:flushInterval: 1msscheme: httpssticky:cookie:httpOnly: truename: cookiesecure: truesameSite: nonestrategy: RoundRobinweight: 10tls: # [9]secretName: supersecret # [10]options: # [11]name: opt # [12]namespace: default # [13]certResolver: foo # [14]domains: # [15]- main: example.net # [16]sans: # [17]- a.example.net- b.example.net
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | entryPoints | List of entry points names |
| [2] | routes | List of routes |
| [3] | routes[n].match | Defines the rule corresponding to an underlying router. |
| [4] | routes[n].priority | Disambiguate rules of the same length, for route matching |
| [5] | routes[n].middlewares | List of reference to Middleware |
| [6] | middlewares[n].name | Defines the Middleware name |
| [7] | middlewares[n].namespace | Defines the Middleware namespace |
| [8] | routes[n].services | List of any combination of TraefikService and reference to a Kubernetes service (See below for ExternalName Service setup) |
| [9] | tls | Defines TLS certificate configuration |
| [10] | tls.secretName | Defines the secret name used to store the certificate (in the IngressRoute namespace) |
| [11] | tls.options | Defines the reference to a TLSOption |
| [12] | options.name | Defines the TLSOption name |
| [13] | options.namespace | Defines the TLSOption namespace |
| [14] | tls.certResolver | Defines the reference to a CertResolver |
| [15] | tls.domains | List of domains |
| [16] | domains[n].main | Defines the main domain name |
| [17] | domains[n].sans | List of SANs (alternative domains) |
Declaring an IngressRoute
IngressRoute
# All resources definition must be declaredapiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: testNamenamespace: defaultspec:entryPoints:- webroutes:- kind: Rulematch: Host(`test.example.com`)middlewares:- name: middleware1namespace: defaultpriority: 10services:- kind: Servicename: foonamespace: defaultpassHostHeader: trueport: 80responseForwarding:flushInterval: 1msscheme: httpssticky:cookie:httpOnly: truename: cookiesecure: truestrategy: RoundRobinweight: 10tls:certResolver: foodomains:- main: example.netsans:- a.example.net- b.example.netoptions:name: optnamespace: defaultsecretName: supersecret
Middlewares
# All resources definition must be declared# Prefixing with /fooapiVersion: traefik.containo.us/v1alpha1kind: Middlewaremetadata:name: middleware1namespace: defaultspec:addPrefix:prefix: /foo
TLSOption
apiVersion: traefik.containo.us/v1alpha1kind: TLSOptionmetadata:name: optnamespace: defaultspec:minVersion: VersionTLS12
Secret
apiVersion: v1kind: Secretmetadata:name: supersecretdata:tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
Configuring Backend Protocol
There are 3 ways to configure the backend protocol for communication between Traefik and your pods:
- Setting the scheme explicitly (http/https/h2c)
- Configuring the name of the kubernetes service port to start with https (https)
- Setting the kubernetes service port to use port 443 (https)
If you do not configure the above, Traefik will assume an http connection.
Using Kubernetes ExternalName Service
Traefik backends creation needs a port to be set, however Kubernetes ExternalName Service could be defined without any port. Accordingly, Traefik supports defining a port in two ways:
- only on
IngressRouteservice - on both sides, you’ll be warned if the ports don’t match, and the
IngressRouteservice port is used
Thus, in case of two sides port definition, Traefik expects a match between ports.
Examples
IngressRoute
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- match: Host(`example.net`)kind: Ruleservices:- name: external-svcport: 80---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalName
ExternalName Service
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- match: Host(`example.net`)kind: Ruleservices:- name: external-svc---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalNameports:- port: 80
Both sides
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- match: Host(`example.net`)kind: Ruleservices:- name: external-svcport: 80---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalNameports:- port: 80
Kind: Middleware
Middleware is the CRD implementation of a Traefik middleware.
Register the Middleware kind in the Kubernetes cluster before creating Middleware objects or referencing middlewares in the IngressRoute objects.
Declaring and Referencing a Middleware
Middleware
apiVersion: traefik.containo.us/v1alpha1kind: Middlewaremetadata:name: stripprefixnamespace: foospec:stripPrefix:prefixes:- /stripit
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/stripit`)kind: Ruleservices:- name: whoamiport: 80middlewares:- name: stripprefixnamespace: foo
Cross-provider namespace
As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource (in the reference to the middleware) with the provider namespace, when the definition of the middleware comes from another provider. In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored. Additionally, when you want to reference a Middleware from the CRD Provider, you have to append the namespace of the resource in the resource-name as Traefik appends the namespace internally automatically.
More information about available middlewares in the dedicated middlewares section.
Kind: TraefikService
TraefikService is the CRD implementation of a “Traefik Service”.
Register the TraefikService kind in the Kubernetes cluster before creating TraefikService objects, referencing services in the IngressRoute objects, or recursively in others TraefikService objects.
Disambiguate Traefik and Kubernetes Services
As the field name can reference different types of objects, use the field kind to avoid any ambiguity.
The field kind allows the following values:
Service(default value): to reference a Kubernetes ServiceTraefikService: to reference another Traefik Service
TraefikService object allows to use any (valid) combinations of:
- servers load balancing.
- services Weighted Round Robin load balancing.
- services mirroring.
Server Load Balancing
More information in the dedicated server load balancing section.
Declaring and Using Server Load Balancing
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarnamespace: defaultspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/foo`)kind: Ruleservices:- name: svc1namespace: default- name: svc2namespace: default
K8s Service
apiVersion: v1kind: Servicemetadata:name: svc1namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app1---apiVersion: v1kind: Servicemetadata:name: svc2namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app2
Weighted Round Robin
More information in the dedicated Weighted Round Robin service load balancing section.
Declaring and Using Weighted Round Robin
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarnamespace: defaultspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/foo`)kind: Ruleservices:- name: wrr1namespace: defaultkind: TraefikService
Weighted Round Robin
apiVersion: traefik.containo.us/v1alpha1kind: TraefikServicemetadata:name: wrr1namespace: defaultspec:weighted:services:- name: svc1port: 80weight: 1- name: wrr2kind: TraefikServiceweight: 1- name: mirror1kind: TraefikServiceweight: 1---apiVersion: traefik.containo.us/v1alpha1kind: TraefikServicemetadata:name: wrr2namespace: defaultspec:weighted:services:- name: svc2port: 80weight: 1- name: svc3port: 80weight: 1
K8s Service
apiVersion: v1kind: Servicemetadata:name: svc1namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app1---apiVersion: v1kind: Servicemetadata:name: svc2namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app2---apiVersion: v1kind: Servicemetadata:name: svc3namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app3
Mirroring
More information in the dedicated mirroring service section.
Declaring and Using Mirroring
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarnamespace: defaultspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/foo`)kind: Ruleservices:- name: mirror1namespace: defaultkind: TraefikService
Mirroring k8s Service
# Mirroring from a k8s ServiceapiVersion: traefik.containo.us/v1alpha1kind: TraefikServicemetadata:name: mirror1namespace: defaultspec:mirroring:name: svc1port: 80mirrors:- name: svc2port: 80percent: 20- name: svc3kind: TraefikServicepercent: 20
Mirroring Traefik Service
# Mirroring from a Traefik ServiceapiVersion: traefik.containo.us/v1alpha1kind: TraefikServicemetadata:name: mirror1namespace: defaultspec:mirroring:name: wrr1kind: TraefikServicemirrors:- name: svc2port: 80percent: 20- name: svc3kind: TraefikServicepercent: 20
K8s Service
apiVersion: v1kind: Servicemetadata:name: svc1namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app1---apiVersion: v1kind: Servicemetadata:name: svc2namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app2
References and namespaces
If the optional namespace attribute is not set, the configuration will be applied with the namespace of the current resource.
Additionally, when the definition of the TraefikService is from another provider, the cross-provider syntax (service@provider) should be used to refer to the TraefikService, just as in the middleware case.
Specifying a namespace attribute in this case would not make any sense, and will be ignored (except if the provider is kubernetescrd).
Stickiness and load-balancing
As explained in the section about Sticky sessions, for stickiness to work all the way, it must be specified at each load-balancing level.
For instance, in the example below, there is a first level of load-balancing because there is a (Weighted Round Robin) load-balancing of the two whoami services, and there is a second level because each whoami service is a replicaset and is thus handled as a load-balancer of servers.
Stickiness on two load-balancing levels
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarnamespace: defaultspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/foo`)kind: Ruleservices:- name: wrr1namespace: defaultkind: TraefikService
Weighted Round Robin
apiVersion: traefik.containo.us/v1alpha1kind: TraefikServicemetadata:name: wrr1namespace: defaultspec:weighted:services:- name: whoami1kind: Serviceport: 80weight: 1sticky:cookie:name: lvl2- name: whoami2kind: Serviceweight: 1port: 80sticky:cookie:name: lvl2sticky:cookie:name: lvl1
K8s Service
apiVersion: v1kind: Servicemetadata:name: whoami1spec:ports:- protocol: TCPname: webport: 80selector:app: whoami1---apiVersion: v1kind: Servicemetadata:name: whoami2spec:ports:- protocol: TCPname: webport: 80selector:app: whoami2
Deployment (to illustrate replicas)
kind: DeploymentapiVersion: apps/v1metadata:namespace: defaultname: whoami1labels:app: whoami1spec:replicas: 2selector:matchLabels:app: whoami1template:metadata:labels:app: whoami1spec:containers:- name: whoami1image: traefik/whoamiports:- name: webcontainerPort: 80---kind: DeploymentapiVersion: apps/v1metadata:namespace: defaultname: whoami2labels:app: whoami2spec:replicas: 2selector:matchLabels:app: whoami2template:metadata:labels:app: whoami2spec:containers:- name: whoami2image: traefik/whoamiports:- name: webcontainerPort: 80
To keep a session open with the same server, the client would then need to specify the two levels within the cookie for each request, e.g. with curl:
curl -H Host:example.com -b "lvl1=default-whoami1-80; lvl2=http://10.42.0.6:80" http://localhost:8000/foo
assuming 10.42.0.6 is the IP address of one of the replicas (a pod then) of the whoami1 service.
Kind IngressRouteTCP
IngressRouteTCP is the CRD implementation of a Traefik TCP router.
Register the IngressRouteTCP kind in the Kubernetes cluster before creating IngressRouteTCP objects.
IngressRouteTCP Attributes
apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: ingressroutetcpfoospec:entryPoints: # [1]- footcproutes: # [2]- match: HostSNI(`*`) # [3]services: # [4]- name: foo # [5]port: 8080 # [6]weight: 10 # [7]terminationDelay: 400 # [8]tls: # [9]secretName: supersecret # [10]options: # [11]name: opt # [12]namespace: default # [13]certResolver: foo # [14]domains: # [15]- main: example.net # [16]sans: # [17]- a.example.net- b.example.netpassthrough: false # [18]
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | entryPoints | List of entrypoints names |
| [2] | routes | List of routes |
| [3] | routes[n].match | Defines the rule corresponding to an underlying router |
| [4] | routes[n].services | List of Kubernetes service definitions (See below for ExternalName Service setup) |
| [5] | services[n].name | Defines the name of a Kubernetes service |
| [6] | services[n].port | Defines the port of a Kubernetes service |
| [7] | services[n].weight | Defines the weight to apply to the server load balancing |
| [8] | services[n].terminationDelay | corresponds to the deadline that the proxy sets, after one of its connected peers indicates it has closed the writing capability of its connection, to close the reading capability as well, hence fully terminating the connection. It is a duration in milliseconds, defaulting to 100. A negative value means an infinite deadline (i.e. the reading capability is never closed). |
| [9] | tls | Defines TLS certificate configuration |
| [10] | tls.secretName | Defines the secret name used to store the certificate (in the IngressRoute namespace) |
| [11] | tls.options | Defines the reference to a TLSOption |
| [12] | options.name | Defines the TLSOption name |
| [13] | options.namespace | Defines the TLSOption namespace |
| [14] | tls.certResolver | Defines the reference to a CertResolver |
| [15] | tls.domains | List of domains |
| [16] | domains[n].main | Defines the main domain name |
| [17] | domains[n].sans | List of SANs (alternative domains) |
| [18] | tls.passthrough | If true, delegates the TLS termination to the backend |
Declaring an IngressRouteTCP
IngressRouteTCP
apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: ingressroutetcpfoospec:entryPoints:- footcproutes:# Match is the rule corresponding to an underlying router.- match: HostSNI(`*`)services:- name: fooport: 8080terminationDelay: 400weight: 10- name: barport: 8081terminationDelay: 500weight: 10tls:certResolver: foodomains:- main: example.netsans:- a.example.net- b.example.netoptions:name: optnamespace: defaultsecretName: supersecretpassthrough: false
TLSOption
apiVersion: traefik.containo.us/v1alpha1kind: TLSOptionmetadata:name: optnamespace: defaultspec:minVersion: VersionTLS12
Secret
apiVersion: v1kind: Secretmetadata:name: supersecretdata:tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
Using Kubernetes ExternalName Service
Traefik backends creation needs a port to be set, however Kubernetes ExternalName Service could be defined without any port. Accordingly, Traefik supports defining a port in two ways:
- only on
IngressRouteTCPservice - on both sides, you’ll be warned if the ports don’t match, and the
IngressRouteTCPservice port is used
Thus, in case of two sides port definition, Traefik expects a match between ports.
Examples
IngressRouteTCP
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- match: HostSNI(`*`)kind: Ruleservices:- name: external-svcport: 80---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalName
ExternalName Service
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- match: HostSNI(`*`)kind: Ruleservices:- name: external-svc---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalNameports:- port: 80
Both sides
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- match: HostSNI(`*`)kind: Ruleservices:- name: external-svcport: 80---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalNameports:- port: 80
Kind IngressRouteUDP
IngressRouteUDP is the CRD implementation of a Traefik UDP router.
Register the IngressRouteUDP kind in the Kubernetes cluster before creating IngressRouteUDP objects.
IngressRouteUDP Attributes
apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteUDPmetadata:name: ingressrouteudpfoospec:entryPoints: # [1]- fooudproutes: # [2]- services: # [3]- name: foo # [4]port: 8080 # [5]weight: 10 # [6]
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | entryPoints | List of entrypoints names |
| [2] | routes | List of routes |
| [3] | routes[n].services | List of Kubernetes service definitions |
| [4] | services[n].name | Defines the name of a Kubernetes service |
| [6] | services[n].port | Defines the port of a Kubernetes service |
| [7] | services[n].weight | Defines the weight to apply to the server load balancing |
Declaring an IngressRouteUDP
apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteUDPmetadata:name: ingressrouteudpfoospec:entryPoints:- fooudproutes:- services:- name: fooport: 8080weight: 10- name: barport: 8081weight: 10
Kind: TLSOption
TLSOption is the CRD implementation of a Traefik “TLS Option”.
Register the TLSOption kind in the Kubernetes cluster before creating TLSOption objects or referencing TLS options in the IngressRoute / IngressRouteTCP objects.
TLSOption Attributes
TLSOption
apiVersion: traefik.containo.us/v1alpha1kind: TLSOptionmetadata:name: mytlsoptionnamespace: defaultspec:minVersion: VersionTLS12 # [1]maxVersion: VersionTLS13 # [1]curvePreferences: # [3]- CurveP521- CurveP384cipherSuites: # [4]- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256- TLS_RSA_WITH_AES_256_GCM_SHA384clientAuth: # [5]secretNames: # [6]- secretCA1- secretCA2clientAuthType: VerifyClientCertIfGiven # [7]sniStrict: true # [8]
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | minVersion | Defines the minimum TLS version that is acceptable |
| [2] | maxVersion | Defines the maximum TLS version that is acceptable |
| [3] | cipherSuites | list of supported cipher suites for TLS versions up to TLS 1.2 |
| [4] | curvePreferences | List of the elliptic curves references that will be used in an ECDHE handshake, in preference order |
| [5] | clientAuth | determines the server’s policy for TLS Client Authentication |
| [6] | clientAuth.secretNames | list of names of the referenced Kubernetes Secrets (in TLSOption namespace) |
| [7] | clientAuth.clientAuthType | defines the client authentication type to apply. The available values are: NoClientCert, RequestClientCert, VerifyClientCertIfGiven and RequireAndVerifyClientCert |
| [8] | sniStrict | if true, Traefik won’t allow connections from clients connections that do not specify a server_name extension |
Declaring and referencing a TLSOption
TLSOption
apiVersion: traefik.containo.us/v1alpha1kind: TLSOptionmetadata:name: mytlsoptionnamespace: defaultspec:minVersion: VersionTLS12sniStrict: truecipherSuites:- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256- TLS_RSA_WITH_AES_256_GCM_SHA384clientAuth:secretNames:- secretCA1- secretCA2clientAuthType: VerifyClientCertIfGiven
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/stripit`)kind: Ruleservices:- name: whoamiport: 80tls:options:name: mytlsoptionnamespace: default
Secrets
apiVersion: v1kind: Secretmetadata:name: secretCA1namespace: defaultdata:tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=---apiVersion: v1kind: Secretmetadata:name: secretCA2namespace: defaultdata:tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
References and namespaces
If the optional namespace attribute is not set, the configuration will be applied with the namespace of the IngressRoute.
Additionally, when the definition of the TLS option is from another provider, the cross-provider syntax (middlewarename@provider) should be used to refer to the TLS option, just as in the middleware case. Specifying a namespace attribute in this case would not make any sense, and will be ignored.
Kind: TLSStore
TLSStore is the CRD implementation of a Traefik “TLS Store”.
Register the TLSStore kind in the Kubernetes cluster before creating TLSStore objects or referencing TLS stores in the IngressRoute / IngressRouteTCP objects.
Default TLS Store
Traefik currently only uses the TLS Store named “default”. This means that if you have two stores that are named default in different kubernetes namespaces, they may be randomly chosen. For the time being, please only configure one TLSSTore named default.
TLSStore Attributes
TLSStore
apiVersion: traefik.containo.us/v1alpha1kind: TLSStoremetadata:name: defaultnamespace: defaultspec:defaultCertificate:secretName: mySecret # [1]
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | secretName | The name of the referenced Kubernetes Secret that holds the default certificate for the store. |
Declaring and referencing a TLSStore
TLSStore
apiVersion: traefik.containo.us/v1alpha1kind: TLSStoremetadata:name: defaultnamespace: defaultspec:defaultCertificate:secretName: supersecret
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/stripit`)kind: Ruleservices:- name: whoamiport: 80tls:store:name: default
Secret
apiVersion: v1kind: Secretmetadata:name: supersecretdata:tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
Further
Also see the full example with Let’s Encrypt.
