我的书签
添加书签
移除书签Traefik & Kubernetes
Configuring KubernetesCRD and Deploying/Exposing Services
Resource Definition
RBAC
kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1beta1metadata:name: traefik-ingress-controllerrules:- apiGroups:- ""resources:- services- endpoints- secretsverbs:- get- list- watch- apiGroups:- extensions- networking.k8s.ioresources:- ingresses- ingressclassesverbs:- get- list- watch- apiGroups:- extensionsresources:- ingresses/statusverbs:- update- apiGroups:- traefik.containo.usresources:- middlewares- ingressroutes- traefikservices- ingressroutetcps- ingressrouteudps- tlsoptions- tlsstores- serverstransportsverbs:- get- list- watch---kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1beta1metadata:name: traefik-ingress-controllerroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: traefik-ingress-controllersubjects:- kind: ServiceAccountname: traefik-ingress-controllernamespace: default
Traefik
apiVersion: v1kind: ServiceAccountmetadata:name: traefik-ingress-controller---kind: DeploymentapiVersion: apps/v1metadata:name: traefiklabels:app: traefikspec:replicas: 1selector:matchLabels:app: traefiktemplate:metadata:labels:app: traefikspec:serviceAccountName: traefik-ingress-controllercontainers:- name: traefikimage: traefik:v2.4args:- --log.level=DEBUG- --api- --api.insecure- --entrypoints.web.address=:80- --entrypoints.tcpep.address=:8000- --entrypoints.udpep.address=:9000/udp- --providers.kubernetescrdports:- name: webcontainerPort: 80- name: admincontainerPort: 8080- name: tcpepcontainerPort: 8000- name: udpepcontainerPort: 9000---apiVersion: v1kind: Servicemetadata:name: traefikspec:type: LoadBalancerselector:app: traefikports:- protocol: TCPport: 80name: webtargetPort: 80- protocol: TCPport: 8080name: admintargetPort: 8080- protocol: TCPport: 8000name: tcpeptargetPort: 8000---apiVersion: v1kind: Servicemetadata:name: traefikudpspec:type: LoadBalancerselector:app: traefikports:- protocol: UDPport: 9000name: udpeptargetPort: 9000
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: myingressroutenamespace: defaultspec:entryPoints:- webroutes:- match: Host(`foo`) && PathPrefix(`/bar`)kind: Ruleservices:- name: whoamiport: 80---apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: ingressroute.tcpnamespace: defaultspec:entryPoints:- tcpeproutes:- match: HostSNI(`bar`)kind: Ruleservices:- name: whoamitcpport: 8080---apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteUDPmetadata:name: ingressroute.udpnamespace: defaultspec:entryPoints:- fooudproutes:- kind: Ruleservices:- name: whoamiudpport: 8080
Whoami
kind: DeploymentapiVersion: apps/v1metadata:name: whoaminamespace: defaultlabels:app: traefiklabsname: whoamispec:replicas: 2selector:matchLabels:app: traefiklabstask: whoamitemplate:metadata:labels:app: traefiklabstask: whoamispec:containers:- name: whoamiimage: traefik/whoamiports:- containerPort: 80---apiVersion: v1kind: Servicemetadata:name: whoaminamespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: whoami---kind: DeploymentapiVersion: apps/v1metadata:name: whoamitcpnamespace: defaultlabels:app: traefiklabsname: whoamitcpspec:replicas: 2selector:matchLabels:app: traefiklabstask: whoamitcptemplate:metadata:labels:app: traefiklabstask: whoamitcpspec:containers:- name: whoamitcpimage: traefik/whoamitcpports:- containerPort: 8080---apiVersion: v1kind: Servicemetadata:name: whoamitcpnamespace: defaultspec:ports:- protocol: TCPport: 8080selector:app: traefiklabstask: whoamitcp---kind: DeploymentapiVersion: apps/v1metadata:name: whoamiudpnamespace: defaultlabels:app: traefiklabsname: whoamiudpspec:replicas: 2selector:matchLabels:app: traefiklabstask: whoamiudptemplate:metadata:labels:app: traefiklabstask: whoamiudpspec:containers:- name: whoamiudpimage: traefik/whoamiudp:latestports:- containerPort: 8080---apiVersion: v1kind: Servicemetadata:name: whoamiudpnamespace: defaultspec:ports:- port: 8080selector:app: traefiklabstask: whoamiudp
- You can find an exhaustive list, generated from Traefik’s source code, of the custom resources and their attributes in the reference page.
- Validate that are fulfilled before using the Traefik custom resources.
- Traefik CRDs are building blocks that you can assemble according to your needs.
You can find an excerpt of the available custom resources in the table below:
Kind: IngressRoute
IngressRoute is the CRD implementation of a .
Register the IngressRoute kind in the Kubernetes cluster before creating IngressRoute objects.
IngressRoute Attributes
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: foonamespace: barspec:entryPoints: # [1]- fooroutes: # [2]- kind: Rulematch: Host(`test.example.com`) # [3]priority: 10 # [4]middlewares: # [5]- name: middleware1 # [6]namespace: default # [7]services: # [8]- kind: Servicename: foonamespace: defaultpassHostHeader: trueport: 80responseForwarding:flushInterval: 1msscheme: httpsserversTransport: transportsticky:cookie:httpOnly: truename: cookiesecure: truesameSite: nonestrategy: RoundRobinweight: 10tls: # [9]secretName: supersecret # [10]options: # [11]name: opt # [12]namespace: default # [13]certResolver: foo # [14]domains: # [15]- main: example.net # [16]sans: # [17]- a.example.net- b.example.net
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | entryPoints | List of names |
| [2] | routes | List of routes |
| [3] | routes[n].match | Defines the rule corresponding to an underlying router. |
| [4] | routes[n].priority | rules of the same length, for route matching |
| [5] | routes[n].middlewares | List of reference to Middleware |
| [6] | middlewares[n].name | Defines the name |
| [7] | middlewares[n].namespace | Defines the Middleware namespace |
| [8] | routes[n].services | List of any combination of and reference to a Kubernetes service (See below for ExternalName Service setup) |
| [9] | tls | Defines certificate configuration |
| [10] | tls.secretName | Defines the secret name used to store the certificate (in the IngressRoute namespace) |
| [11] | tls.options | Defines the reference to a |
| [12] | options.name | Defines the TLSOption name |
| [13] | options.namespace | Defines the namespace |
| [14] | tls.certResolver | Defines the reference to a CertResolver |
| [15] | tls.domains | List of |
| [16] | domains[n].main | Defines the main domain name |
| [17] | domains[n].sans | List of SANs (alternative domains) |
Declaring an IngressRoute
IngressRoute
# All resources definition must be declaredapiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: testNamenamespace: defaultspec:entryPoints:- webroutes:- kind: Rulematch: Host(`test.example.com`)middlewares:- name: middleware1namespace: defaultpriority: 10services:- kind: Servicename: foonamespace: defaultport: 80responseForwarding:flushInterval: 1msscheme: httpssticky:cookie:httpOnly: truename: cookiesecure: truestrategy: RoundRobinweight: 10tls:certResolver: foodomains:- main: example.netsans:- a.example.net- b.example.netoptions:name: optnamespace: defaultsecretName: supersecret
Middlewares
# All resources definition must be declared# Prefixing with /fookind: Middlewaremetadata:name: middleware1namespace: defaultspec:addPrefix:prefix: /foo
TLSOption
apiVersion: traefik.containo.us/v1alpha1kind: TLSOptionmetadata:name: optnamespace: defaultspec:minVersion: VersionTLS12
Secret
apiVersion: v1kind: Secretmetadata:name: supersecretdata:tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
Configuring Backend Protocol
There are 3 ways to configure the backend protocol for communication between Traefik and your pods:
- Setting the scheme explicitly (http/https/h2c)
- Configuring the name of the kubernetes service port to start with https (https)
- Setting the kubernetes service port to use port 443 (https)
If you do not configure the above, Traefik will assume an http connection.
Using Kubernetes ExternalName Service
Traefik backends creation needs a port to be set, however Kubernetes ExternalName Service could be defined without any port. Accordingly, Traefik supports defining a port in two ways:
- only on
IngressRouteservice - on both sides, you’ll be warned if the ports don’t match, and the
IngressRouteservice port is used
Thus, in case of two sides port definition, Traefik expects a match between ports.
Examples
IngressRoute
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- match: Host(`example.net`)kind: Ruleservices:- name: external-svcport: 80---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalName
ExternalName Service
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- match: Host(`example.net`)kind: Ruleservices:- name: external-svc---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalNameports:- port: 80
Both sides
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- match: Host(`example.net`)kind: Ruleservices:- name: external-svcport: 80---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalNameports:- port: 80
Kind: Middleware
Middleware is the CRD implementation of a Traefik middleware.
Register the Middleware in the Kubernetes cluster before creating Middleware objects or referencing middlewares in the IngressRoute objects.
Declaring and Referencing a Middleware
Middleware
apiVersion: traefik.containo.us/v1alpha1kind: Middlewaremetadata:name: stripprefixnamespace: foospec:stripPrefix:prefixes:- /stripit
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/stripit`)kind: Ruleservices:- name: whoamiport: 80middlewares:- name: stripprefixnamespace: foo
Cross-provider namespace
As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource (in the reference to the middleware) with the , when the definition of the middleware comes from another provider. In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored. Additionally, when you want to reference a Middleware from the CRD Provider, you have to append the namespace of the resource in the resource-name as Traefik appends the namespace internally automatically.
More information about available middlewares in the dedicated middlewares section.
TraefikService is the CRD implementation of a .
Register the TraefikService kind in the Kubernetes cluster before creating TraefikService objects, referencing services in the objects, or recursively in others TraefikService objects.
Disambiguate Traefik and Kubernetes Services
As the field name can reference different types of objects, use the field kind to avoid any ambiguity.
Service(default value): to reference a Kubernetes ServiceTraefikService: to reference another
TraefikService object allows to use any (valid) combinations of:
- servers load balancing.
- services load balancing.
- services mirroring.
Server Load Balancing
More information in the dedicated server load balancing section.
Declaring and Using Server Load Balancing
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarnamespace: defaultspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/foo`)kind: Ruleservices:- name: svc1namespace: default- name: svc2namespace: default
K8s Service
Weighted Round Robin
More information in the dedicated Weighted Round Robin service load balancing section.
Declaring and Using Weighted Round Robin
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarnamespace: defaultspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/foo`)kind: Ruleservices:- name: wrr1namespace: defaultkind: TraefikService
Weighted Round Robin
apiVersion: traefik.containo.us/v1alpha1kind: TraefikServicemetadata:name: wrr1namespace: defaultspec:weighted:services:- name: svc1port: 80weight: 1- name: wrr2kind: TraefikServiceweight: 1- name: mirror1kind: TraefikServiceweight: 1---apiVersion: traefik.containo.us/v1alpha1kind: TraefikServicemetadata:name: wrr2namespace: defaultspec:weighted:services:- name: svc2port: 80weight: 1- name: svc3port: 80weight: 1
K8s Service
apiVersion: v1kind: Servicemetadata:name: svc1namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app1---apiVersion: v1kind: Servicemetadata:name: svc2namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app2---apiVersion: v1kind: Servicemetadata:name: svc3namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app3
Mirroring
More information in the dedicated mirroring service section.
Declaring and Using Mirroring
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarnamespace: defaultspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/foo`)kind: Ruleservices:- name: mirror1namespace: defaultkind: TraefikService
Mirroring k8s Service
# Mirroring from a k8s ServiceapiVersion: traefik.containo.us/v1alpha1kind: TraefikServicemetadata:name: mirror1namespace: defaultspec:mirroring:name: svc1port: 80mirrors:- name: svc2port: 80percent: 20- name: svc3kind: TraefikServicepercent: 20
Mirroring Traefik Service
# Mirroring from a Traefik ServiceapiVersion: traefik.containo.us/v1alpha1kind: TraefikServicemetadata:name: mirror1namespace: defaultspec:mirroring:name: wrr1kind: TraefikServicemirrors:- name: svc2port: 80percent: 20- name: svc3kind: TraefikServicepercent: 20
K8s Service
apiVersion: v1kind: Servicemetadata:name: svc1namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app1---apiVersion: v1kind: Servicemetadata:name: svc2namespace: defaultspec:ports:- name: httpport: 80selector:app: traefiklabstask: app2
References and namespaces
If the optional namespace attribute is not set, the configuration will be applied with the namespace of the current resource.
Additionally, when the definition of the TraefikService is from another provider, the cross-provider syntax (service@provider) should be used to refer to the TraefikService, just as in the middleware case.
Specifying a namespace attribute in this case would not make any sense, and will be ignored (except if the provider is kubernetescrd).
Stickiness and load-balancing
As explained in the section about Sticky sessions, for stickiness to work all the way, it must be specified at each load-balancing level.
For instance, in the example below, there is a first level of load-balancing because there is a (Weighted Round Robin) load-balancing of the two whoami services, and there is a second level because each whoami service is a replicaset and is thus handled as a load-balancer of servers.
Stickiness on two load-balancing levels
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarnamespace: defaultspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/foo`)kind: Ruleservices:- name: wrr1namespace: defaultkind: TraefikService
Weighted Round Robin
apiVersion: traefik.containo.us/v1alpha1kind: TraefikServicemetadata:name: wrr1namespace: defaultspec:weighted:services:- name: whoami1kind: Serviceport: 80weight: 1sticky:cookie:name: lvl2- name: whoami2kind: Serviceweight: 1port: 80sticky:cookie:name: lvl2sticky:cookie:name: lvl1
K8s Service
apiVersion: v1kind: Servicemetadata:spec:ports:- protocol: TCPname: webport: 80selector:app: whoami1---apiVersion: v1kind: Servicemetadata:name: whoami2spec:ports:- protocol: TCPname: webport: 80selector:app: whoami2
Deployment (to illustrate replicas)
kind: DeploymentapiVersion: apps/v1metadata:namespace: defaultname: whoami1labels:app: whoami1spec:replicas: 2selector:matchLabels:app: whoami1template:metadata:labels:app: whoami1spec:containers:- name: whoami1image: traefik/whoamiports:containerPort: 80---kind: DeploymentapiVersion: apps/v1metadata:namespace: defaultname: whoami2labels:app: whoami2spec:replicas: 2selector:matchLabels:app: whoami2template:metadata:labels:app: whoami2spec:containers:- name: whoami2image: traefik/whoamiports:- name: webcontainerPort: 80
To keep a session open with the same server, the client would then need to specify the two levels within the cookie for each request, e.g. with curl:
curl -H Host:example.com -b "lvl1=default-whoami1-80; lvl2=http://10.42.0.6:80" http://localhost:8000/foo
assuming 10.42.0.6 is the IP address of one of the replicas (a pod then) of the whoami1 service.
Kind IngressRouteTCP
IngressRouteTCP is the CRD implementation of a Traefik TCP router.
Register the IngressRouteTCP in the Kubernetes cluster before creating IngressRouteTCP objects.
IngressRouteTCP Attributes
apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: ingressroutetcpfoospec:entryPoints: # [1]- footcproutes: # [2]- match: HostSNI(`*`) # [3]services: # [4]- name: foo # [5]port: 8080 # [6]weight: 10 # [7]terminationDelay: 400 # [8]proxyProtocol: # [9]version: 1 # [10]tls: # [11]secretName: supersecret # [12]options: # [13]name: opt # [14]namespace: default # [15]certResolver: foo # [16]domains: # [17]- main: example.net # [18]sans: # [19]- a.example.net- b.example.netpassthrough: false # [20]
Declaring an IngressRouteTCP
IngressRouteTCP
apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: ingressroutetcpfoospec:entryPoints:- footcproutes:# Match is the rule corresponding to an underlying router.- match: HostSNI(`*`)services:- name: fooport: 8080terminationDelay: 400weight: 10- name: barport: 8081terminationDelay: 500weight: 10tls:certResolver: foodomains:- main: example.netsans:- a.example.net- b.example.netoptions:name: optnamespace: defaultsecretName: supersecretpassthrough: false
TLSOption
apiVersion: traefik.containo.us/v1alpha1kind: TLSOptionmetadata:name: optnamespace: defaultspec:minVersion: VersionTLS12
Secret
Using Kubernetes ExternalName Service
- only on
IngressRouteTCPservice - on both sides, you’ll be warned if the ports don’t match, and the
IngressRouteTCPservice port is used
Thus, in case of two sides port definition, Traefik expects a match between ports.
Examples
IngressRouteTCP
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- match: HostSNI(`*`)kind: Ruleservices:- name: external-svcport: 80---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalName
ExternalName Service
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- match: HostSNI(`*`)kind: Ruleservices:- name: external-svc---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalNameports:- port: 80
Both sides
---apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteTCPmetadata:name: test.routenamespace: defaultspec:entryPoints:- fooroutes:- match: HostSNI(`*`)kind: Ruleservices:- name: external-svcport: 80---apiVersion: v1kind: Servicemetadata:name: external-svcnamespace: defaultspec:externalName: external.domaintype: ExternalNameports:- port: 80
Kind IngressRouteUDP
IngressRouteUDP is the CRD implementation of a .
Register the IngressRouteUDP kind in the Kubernetes cluster before creating IngressRouteUDP objects.
IngressRouteUDP Attributes
apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteUDPmetadata:name: ingressrouteudpfoospec:entryPoints: # [1]- fooudproutes: # [2]- services: # [3]- name: foo # [4]port: 8080 # [5]weight: 10 # [6]
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | entryPoints | List of names |
| [2] | routes | List of routes |
| [3] | routes[n].services | List of Kubernetes service definitions |
| [4] | services[n].name | Defines the name of a |
| [6] | services[n].port | Defines the port of a Kubernetes service |
| [7] | services[n].weight | Defines the weight to apply to the server load balancing |
Declaring an IngressRouteUDP
apiVersion: traefik.containo.us/v1alpha1kind: IngressRouteUDPmetadata:name: ingressrouteudpfoospec:entryPoints:- fooudproutes:- services:- name: fooport: 8080weight: 10- name: barport: 8081weight: 10
TLSOption is the CRD implementation of a .
Register the TLSOption kind in the Kubernetes cluster before creating TLSOption objects or referencing TLS options in the / IngressRouteTCP objects.
TLSOption Attributes
TLSOption
apiVersion: traefik.containo.us/v1alpha1kind: TLSOptionmetadata:name: mytlsoptionnamespace: defaultspec:minVersion: VersionTLS12 # [1]maxVersion: VersionTLS13 # [1]curvePreferences: # [3]- CurveP521- CurveP384cipherSuites: # [4]- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256- TLS_RSA_WITH_AES_256_GCM_SHA384clientAuth: # [5]secretNames: # [6]- secretCA1- secretCA2clientAuthType: VerifyClientCertIfGiven # [7]sniStrict: true # [8]
Declaring and referencing a TLSOption
TLSOption
apiVersion: traefik.containo.us/v1alpha1kind: TLSOptionmetadata:name: mytlsoptionnamespace: defaultspec:minVersion: VersionTLS12sniStrict: truecipherSuites:- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256- TLS_RSA_WITH_AES_256_GCM_SHA384clientAuth:secretNames:- secretCA1- secretCA2clientAuthType: VerifyClientCertIfGiven
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/stripit`)kind: Ruleservices:- name: whoamiport: 80tls:options:name: mytlsoptionnamespace: default
Secrets
apiVersion: v1kind: Secretmetadata:name: secretCA1namespace: defaultdata:tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=---apiVersion: v1kind: Secretmetadata:name: secretCA2namespace: defaultdata:tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
References and namespaces
If the optional namespace attribute is not set, the configuration will be applied with the namespace of the IngressRoute.
Additionally, when the definition of the TLS option is from another provider, the cross-provider (middlewarename@provider) should be used to refer to the TLS option. Specifying a namespace attribute in this case would not make any sense, and will be ignored.
Kind: TLSStore
TLSStore is the CRD implementation of a .
Register the TLSStore kind in the Kubernetes cluster before creating TLSStore objects or referencing TLS stores in the IngressRoute / objects.
Default TLS Store
Traefik currently only uses the TLS Store named “default”. This means that if you have two stores that are named default in different kubernetes namespaces, they may be randomly chosen. For the time being, please only configure one TLSSTore named default.
TLSStore Attributes
TLSStore
apiVersion: traefik.containo.us/v1alpha1kind: TLSStoremetadata:name: defaultnamespace: defaultspec:defaultCertificate:secretName: mySecret # [1]
| Ref | Attribute | Purpose |
|---|---|---|
| [1] | secretName | The name of the referenced Kubernetes that holds the default certificate for the store. |
Declaring and referencing a TLSStore
TLSStore
apiVersion: traefik.containo.us/v1alpha1kind: TLSStoremetadata:name: defaultnamespace: defaultspec:defaultCertificate:secretName: supersecret
IngressRoute
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutebarspec:entryPoints:- webroutes:- match: Host(`example.com`) && PathPrefix(`/stripit`)kind: Ruleservices:- name: whoamiport: 80tls:store:name: default
Secret
apiVersion: v1kind: Secretmetadata:name: supersecretdata:tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
Kind: ServersTransport
ServersTransport is the CRD implementation of a .
Default serversTransport
If no serversTransport is specified, the default@internal will be used. The default@internal serversTransport is created from the static configuration.
ServersTransport Attributes
TLSStore
apiVersion: traefik.containo.us/v1alpha1kind: ServersTransportmetadata:name: mytransportnamespace: defaultspec:serverName: foobar # [1]insecureSkipVerify: true # [2]rootCAsSecrets: # [3]- foobar- foobarcertificatesSecrets: # [4]- foobar- foobarmaxIdleConnsPerHost: 1 # [5]forwardingTimeouts: # [6]dialTimeout: 42s # [7]responseHeaderTimeout: 42s # [8]idleConnTimeout: 42s # [9]
Declaring and referencing a ServersTransport
ServersTransport
apiVersion: traefik.containo.us/v1alpha1kind: ServersTransportmetadata:name: mytransportnamespace: defaultspec:
Also see the with Let’s Encrypt.
