homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch v3.2 into master

Browse source
This commit is contained in:
kevinpollet 2024-11-21 11:45:02 +01:00
commit 090db6d4b0
No known key found for this signature in database
GPG key ID: 0C9A5DDD1B292453
76 changed files with 1823 additions and 1016 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/content/contributing/building-testing.md
View file

@ -92,7 +92,7 @@ For development purposes, you can specify which tests to run by using (only work
Create `tailscale.secret` file in `integration` directory.
This file need to contains a [Tailscale auth key](https://tailscale.com/kb/1085/auth-keys)
This file needs to contain a [Tailscale auth key](https://tailscale.com/kb/1085/auth-keys)
(an ephemeral, but reusable, one is recommended).
Add this section to your tailscale ACLs to auto-approve the routes for the

6
docs/content/contributing/documentation.md
View file

@ -15,13 +15,13 @@ Let's see how.
### General
This [documentation](../../ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to website of MkDocs").
This [documentation](../../ "Link to the official Traefik documentation") is built with [MkDocs](https://mkdocs.org/ "Link to the website of MkDocs").
### Method 1: `Docker` and `make`
Please make sure you have the following requirements installed:
- [Docker](https://www.docker.com/ "Link to website of Docker")
- [Docker](https://www.docker.com/ "Link to the website of Docker")
You can build the documentation and test it locally (with live reloading), using the `docs-serve` target:
@ -51,7 +51,7 @@ $ make docs-build
Please make sure you have the following requirements installed:
- [Python](https://www.python.org/ "Link to website of Python")
- [Python](https://www.python.org/ "Link to the website of Python")
- [pip](https://pypi.org/project/pip/ "Link to the website of pip on PyPI")
```bash

2
docs/content/contributing/maintainers-guidelines.md
View file

@ -32,7 +32,7 @@ The contributor should also meet one or several of the following requirements:
including those of other maintainers and contributors.
- The contributor is active on Traefik Community forums
or other technical forums/boards such as K8S slack, Reddit, StackOverflow, hacker news.
or other technical forums/boards, such as K8S Slack, Reddit, StackOverflow, and Hacker News.
Any existing active maintainer can create an issue to discuss promoting a contributor to maintainer.
Other maintainers can vote on the issue, and if the quorum is reached, the contributor is promoted to maintainer.

4
docs/content/contributing/submitting-pull-requests.md
View file

@ -17,7 +17,7 @@ or the list of [confirmed bugs](https://github.com/traefik/traefik/labels/kind%2
## How We Prioritize
We wish we could review every pull request right away, but because it's a time consuming operation, it's not always possible.
We wish we could review every pull request right away, but because it's a time-consuming operation, it's not always possible.
The PRs we are able to handle the fastest are:
@ -130,7 +130,7 @@ This label can be used when:
Traefik Proxy is made by the community for the community,
as such the goal is to engage the community to make Traefik the best reverse proxy available.
Part of this goal is maintaining a lean codebase and ensuring code velocity.
unfortunately, this means that sometimes we will not be able to merge a pull request.
Unfortunately, this means that sometimes we will not be able to merge a pull request.
Because we respect the work you did, you will always be told why we are closing your pull request.
If you do not agree with our decision, do not worry; closed pull requests are effortless to recreate,

2
docs/content/contributing/submitting-security-issues.md
View file

@ -8,7 +8,7 @@ description: "Security is a key part of Traefik Proxy. Read the technical docume
## Security Advisories
We strongly advise you to join our mailing list to be aware of the latest announcements from our security team.
You can subscribe sending a mail to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
You can subscribe by sending an email to security+subscribe@traefik.io or on [the online viewer](https://groups.google.com/a/traefik.io/forum/#!forum/security).
## CVE

11
docs/content/https/acme.md
View file

@ -322,11 +322,11 @@ For complete details, refer to your provider's _Additional configuration_ link.
| [ArvanCloud](https://www.arvancloud.ir/en) | `arvancloud` | `ARVANCLOUD_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/arvancloud) |
| [Auroradns](https://www.pcextreme.com/dns-health-checks) | `auroradns` | `AURORA_USER_ID`, `AURORA_KEY`, `AURORA_ENDPOINT` | [Additional configuration](https://go-acme.github.io/lego/dns/auroradns) |
| [Autodns](https://www.internetx.com/domains/autodns/) | `autodns` | `AUTODNS_API_USER`, `AUTODNS_API_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/autodns) |
| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED) | `azure` | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]` | [Additional configuration](https://go-acme.github.io/lego/dns/azure) |
| [Azure](https://azure.microsoft.com/services/dns/) (DEPRECATED) | `azure` | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_METADATA_ENDPOINT]` | [Additional configuration](https://go-acme.github.io/lego/dns/azure) |
| [AzureDNS](https://azure.microsoft.com/services/dns/) | `azuredns` | `AZURE_CLIENT_ID`, `AZURE_CLIENT_SECRET`, `AZURE_TENANT_ID`, `AZURE_SUBSCRIPTION_ID`, `AZURE_RESOURCE_GROUP`, `[AZURE_ENVIRONMENT]`, `[AZURE_PRIVATE_ZONE]`, `[AZURE_ZONE_NAME]` | [Additional configuration](https://go-acme.github.io/lego/dns/azuredns) |
| [Bindman](https://github.com/labbsr0x/bindman-dns-webhook) | `bindman` | `BINDMAN_MANAGER_ADDRESS` | [Additional configuration](https://go-acme.github.io/lego/dns/bindman) |
| [Blue Cat](https://www.bluecatnetworks.com/) | `bluecat` | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW` | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat) |
| [Brandit](https://www.brandit.com) | `brandit` | `BRANDIT_API_USERNAME`, `BRANDIT_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/brandit) |
| [Brandit](https://www.brandit.com) (DEPRECATED) | `brandit` | `BRANDIT_API_USERNAME`, `BRANDIT_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/brandit) |
| [Bunny](https://bunny.net) | `bunny` | `BUNNY_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/bunny) |
| [Checkdomain](https://www.checkdomain.de/) | `checkdomain` | `CHECKDOMAIN_TOKEN`, | [Additional configuration](https://go-acme.github.io/lego/dns/checkdomain/) |
| [Civo](https://www.civo.com/) | `civo` | `CIVO_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/civo) |
@ -334,9 +334,10 @@ For complete details, refer to your provider's _Additional configuration_ link.
| [CloudDNS](https://vshosting.eu/) | `clouddns` | `CLOUDDNS_CLIENT_ID`, `CLOUDDNS_EMAIL`, `CLOUDDNS_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/clouddns) |
| [Cloudflare](https://www.cloudflare.com) | `cloudflare` | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]` | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare) |
| [ClouDNS](https://www.cloudns.net/) | `cloudns` | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns) |
| [CloudXNS](https://www.cloudxns.net) | `cloudxns` | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns) |
| [CloudXNS](https://www.cloudxns.net) (DEPRECATED) | `cloudxns` | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns) |
| [ConoHa](https://www.conoha.jp) | `conoha` | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/conoha) |
| [Constellix](https://constellix.com) | `constellix` | `CONSTELLIX_API_KEY`, `CONSTELLIX_SECRET_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/constellix) |
| [Core-Networks](https://www.core-networks.de) | `corenetworks` | `CORENETWORKS_LOGIN`, `CORENETWORKS_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/corenetworks) |
| [CPanel and WHM](https://cpanel.net/) | `cpanel` | `CPANEL_MODE`, `CPANEL_USERNAME`, `CPANEL_TOKEN`, `CPANEL_BASE_URL` | [Additional configuration](https://go-acme.github.io/lego/dns/cpanel) |
| [Derak Cloud](https://derak.cloud/) | `derak` | `DERAK_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/derak) |
| [deSEC](https://desec.io) | `desec` | `DESEC_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/desec) |
@ -418,6 +419,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
| [Rackspace](https://www.rackspace.com/cloud/dns) | `rackspace` | `RACKSPACE_USER`, `RACKSPACE_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/rackspace) |
| [RcodeZero](https://www.rcodezero.at) | `rcodezero` | `RCODEZERO_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/rcodezero) |
| [reg.ru](https://www.reg.ru) | `regru` | `REGRU_USERNAME`, `REGRU_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/regru) |
| [Regfish](https://regfish.de) | `regfish` | `regfish` | [Additional configuration](https://go-acme.github.io/lego/dns/regfish) |
| [RFC2136](https://tools.ietf.org/html/rfc2136) | `rfc2136` | `RFC2136_TSIG_KEY`, `RFC2136_TSIG_SECRET`, `RFC2136_TSIG_ALGORITHM`, `RFC2136_NAMESERVER` | [Additional configuration](https://go-acme.github.io/lego/dns/rfc2136) |
| [RimuHosting](https://rimuhosting.com) | `rimuhosting` | `RIMUHOSTING_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/rimuhosting) |
| [Route 53](https://aws.amazon.com/route53/) | `route53` | `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, `[AWS_REGION]`, `[AWS_HOSTED_ZONE_ID]` or a configured user/instance IAM profile. | [Additional configuration](https://go-acme.github.io/lego/dns/route53) |
@ -431,7 +433,9 @@ For complete details, refer to your provider's _Additional configuration_ link.
| [Simply.com](https://www.simply.com/en/domains/) | `simply` | `SIMPLY_ACCOUNT_NAME`, `SIMPLY_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/simply) |
| [Sonic](https://www.sonic.com/) | `sonic` | `SONIC_USER_ID`, `SONIC_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/sonic) |
| [Stackpath](https://www.stackpath.com/) | `stackpath` | `STACKPATH_CLIENT_ID`, `STACKPATH_CLIENT_SECRET`, `STACKPATH_STACK_ID` | [Additional configuration](https://go-acme.github.io/lego/dns/stackpath) |
| [Technitium](https://technitium.com) | `technitium` | `TECHNITIUM_SERVER_BASE_URL`, `TECHNITIUM_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/technitium) |
| [Tencent Cloud DNS](https://cloud.tencent.com/product/cns) | `tencentcloud` | `TENCENTCLOUD_SECRET_ID`, `TENCENTCLOUD_SECRET_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/tencentcloud) |
| [Timeweb Cloud](https://timeweb.cloud) | `timewebcloud` | `TIMEWEBCLOUD_AUTH_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/timewebcloud) |
| [TransIP](https://www.transip.nl/) | `transip` | `TRANSIP_ACCOUNT_NAME`, `TRANSIP_PRIVATE_KEY_PATH` | [Additional configuration](https://go-acme.github.io/lego/dns/transip) |
| [UKFast SafeDNS](https://docs.ukfast.co.uk/domains/safedns/index.html) | `safedns` | `SAFEDNS_AUTH_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/safedns) |
| [Ultradns](https://neustarsecurityservices.com/dns-services) | `ultradns` | `ULTRADNS_USERNAME`, `ULTRADNS_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/ultradns) |
@ -441,6 +445,7 @@ For complete details, refer to your provider's _Additional configuration_ link.
| [Versio](https://www.versio.nl/domeinnamen) | `versio` | `VERSIO_USERNAME`, `VERSIO_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/versio) |
| [VinylDNS](https://www.vinyldns.io) | `vinyldns` | `VINYLDNS_ACCESS_KEY`, `VINYLDNS_SECRET_KEY`, `VINYLDNS_HOST` | [Additional configuration](https://go-acme.github.io/lego/dns/vinyldns) |
| [VK Cloud](https://mcs.mail.ru/) | `vkcloud` | `VK_CLOUD_PASSWORD`, `VK_CLOUD_PROJECT_ID`, `VK_CLOUD_USERNAME` | [Additional configuration](https://go-acme.github.io/lego/dns/vkcloud) |
| [Volcano Engine](https://www.volcengine.com) | `volcengine` | `VOLC_ACCESSKEY`, `VOLC_SECRETKEY` | [Additional configuration](https://go-acme.github.io/lego/dns/volcengine) |
| [Vscale](https://vscale.io/) | `vscale` | `VSCALE_API_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/vscale) |
| [VULTR](https://www.vultr.com) | `vultr` | `VULTR_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/vultr) |
| [Webnames](https://www.webnames.ru/) | `webnames` | `WEBNAMES_API_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/webnames) |

7
docs/content/migration/v2.md
View file

@ -652,3 +652,10 @@ As a consequence, middlewares do not have access to those Connection headers,
and a new option has been introduced to specify which ones could go through the middleware chain before being removed: `<entrypoint>.forwardedHeaders.connection`.
Please check out the [entrypoint forwarded headers connection option configuration](../routing/entrypoints.md#forwarded-headers) documentation.
## v2.11.14
### X-Forwarded-Prefix
In `v2.11.14`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.

9
docs/content/migration/v3.md
View file

@ -80,7 +80,7 @@ Please use the `disableClusterScopeResources` option instead to avoid cluster sc
### Kubernetes CRD Provider
Starting with v3.2, the CRDs has been updated on [TraefikService](../routing/services#mirroring-service) (PR [#11032](https://github.com/traefik/traefik/pull/11032)) and on [RateLimit](../middlewares/http/ratelimit) & [InFlightReq](../middlewares/http/inflightreq) middlewares (PR [#9747](https://github.com/traefik/traefik/pull/9747)).
Starting with v3.2, the CRDs has been updated on [TraefikService](../routing/services#mirroring-service) (PR [#11032](https://github.com/traefik/traefik/pull/11032)), on [RateLimit](../middlewares/http/ratelimit) & [InFlightReq](../middlewares/http/inflightreq) middlewares (PR [#9747](https://github.com/traefik/traefik/pull/9747)) and on [Compress](../middlewares/http/compress) middleware (PR [#10943](https://github.com/traefik/traefik/pull/10943)).
This update adds only new optional fields.
CRDs can be updated with this command:
@ -153,3 +153,10 @@ the `configmaps`, `backendtlspolicies` and `backendtlspolicies/status` rights ha
- update
...
```
## v3.2.1
### X-Forwarded-Prefix
In `v3.2.1`, the `X-Forwarded-Prefix` header is now handled like the other `X-Forwarded-*` headers: Traefik removes it when it's sent from an untrusted source.
Please refer to the Forwarded headers [documentation](../routing/entrypoints.md#forwarded-headers) for more details.

14
docs/content/observability/access-logs.md
View file

@ -79,6 +79,20 @@ If the given format is unsupported, the default (CLF) is used instead.
<remote_IP_address> - <client_user_name_if_available> [<timestamp>] "<request_method> <request_path> <request_protocol>" <HTTP_status> <content-length> "<request_referrer>" "<request_user_agent>" <number_of_requests_received_since_Traefik_started> "<Traefik_router_name>" "<Traefik_server_URL>" <request_duration_in_ms>ms
```
```yaml tab="File (YAML)"
accessLog:
format: "json"
```
```toml tab="File (TOML)"
[accessLog]
format = "json"
```
```bash tab="CLI"
--accesslog.format=json
```
### `bufferingSize`
To write the logs in an asynchronous fashion, specify a `bufferingSize` option.

2
docs/content/operations/api.md
View file

@ -70,7 +70,7 @@ And then define a routing configuration on Traefik itself with the
### `insecure`
Enable the API in `insecure` mode, which means that the API will be available directly on the entryPoint named `traefik`.
Enable the API in `insecure` mode, which means that the API will be available directly on the entryPoint named `traefik`, on path `/api`.
!!! info
If the entryPoint named `traefik` is not configured, it will be automatically created on port 8080.

55
docs/content/operations/dashboard.md
View file

@ -37,32 +37,15 @@ Start by enabling the dashboard by using the following option from [Traefik's AP
on the [static configuration](../getting-started/configuration-overview.md#the-static-configuration):
```yaml tab="File (YAML)"
api:
# Dashboard
#
# Optional
# Default: true
#
dashboard: true
api: {}
```
```toml tab="File (TOML)"
[api]
# Dashboard
#
# Optional
# Default: true
#
dashboard = true
```
```bash tab="CLI"
# Dashboard
#
# Optional
# Default: true
#
--api.dashboard=true
--api=true
```
Then define a routing configuration on Traefik itself,
@ -106,27 +89,47 @@ rule = "Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashb
## Insecure Mode
This mode is not recommended because it does not allow the use of security features.
When _insecure_ mode is enabled, one can access the dashboard on the `traefik` port (default: `8080`) of the Traefik instance,
at the following URL: `http://<Traefik IP>:8080/dashboard/` (trailing slash is mandatory).
To enable the "insecure mode", use the following options from [Traefik's API](./api.md#insecure):
This mode is **not** recommended because it does not allow security features.
For example, it is not possible to add an authentication middleware with this mode.
It should be used for testing purpose **only**.
To enable the _insecure_ mode, use the following options from [Traefik's API](./api.md#insecure):
```yaml tab="File (YAML)"
api:
dashboard: true
insecure: true
```
```toml tab="File (TOML)"
[api]
dashboard = true
insecure = true
```
```bash tab="CLI"
--api.dashboard=true --api.insecure=true
--api.insecure=true
```
You can now access the dashboard on the port `8080` of the Traefik instance,
at the following URL: `http://<Traefik IP>:8080/dashboard/` (trailing slash is mandatory).
## Disable The Dashboard
By default, the dashboard is enabled when the API is enabled.
If necessary, the dashboard can be disabled by using the following option.
```yaml tab="File (YAML)"
api:
dashboard: false
```
```toml tab="File (TOML)"
[api]
dashboard = false
```
```bash tab="CLI"
--api.dashboard=false
```
{!traefik-for-business-applications.md!}

2
docs/content/providers/consul-catalog.md
View file

@ -525,7 +525,7 @@ providers:
```
```bash tab="CLI"
--providers.consulcatalog.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
--providers.consulcatalog.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
# ...
```

2
docs/content/providers/docker.md
View file

@ -455,7 +455,7 @@ providers:
```
```bash tab="CLI"
--providers.docker.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
--providers.docker.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
# ...
```

2
docs/content/providers/ecs.md
View file

@ -283,7 +283,7 @@ providers:
```
```bash tab="CLI"
--providers.ecs.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
--providers.ecs.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
# ...
```

2
docs/content/providers/nomad.md
View file

@ -432,7 +432,7 @@ providers:
```
```bash tab="CLI"
--providers.nomad.defaultRule="Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
--providers.nomad.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
# ...
```

7
docs/content/providers/swarm.md
View file

@ -455,7 +455,10 @@ _Optional, Default=""_
Defines a default docker network to use for connections to all containers.
This option can be overridden on a per-container basis with the `traefik.docker.network` label.
This option can be overridden on a per-container basis with the `traefik.docker.network` [routing label](../routing/providers/swarm.md#traefikdockernetwork).
!!! warning
The Docker Swarm provider still uses the same per-container mechanism as the Docker provider, so therefore the label still uses the `docker` keyword intentionally.
```yaml tab="File (YAML)"
providers:
@ -500,7 +503,7 @@ providers:
```
```bash tab="CLI"
--providers.swarm.defaultRule=Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)
--providers.swarm.defaultRule='Host(`{{ .Name }}.{{ index .Labels "customLabel"}}`)'
# ...
```

19
docs/content/reference/static-configuration/env.md
View file

@ -5,4 +5,23 @@ description: "Reference the environment variables for static configuration in Tr
# Static Configuration: Environment variables
!!! warning "Environment Variable Casing"
Traefik normalizes the environment variable key-value pairs by lowercasing them.
This means that when you interpolate a string in an environment variable's name,
that string will be treated as lowercase, regardless of its original casing.
For example, assuming you have set environment variables as follows:
```bash
export TRAEFIK_ENTRYPOINTS_WEB=true
export TRAEFIK_ENTRYPOINTS_WEB_ADDRESS=:80
export TRAEFIK_CERTIFICATESRESOLVERS_myResolver=true
export TRAEFIK_CERTIFICATESRESOLVERS_myResolver_ACME_CASERVER=....
```
Although the Entrypoint is named `WEB` and the Certificate Resolver is named `myResolver`,
they have to be referenced respectively as `web`, and `myresolver` in the configuration.
--8<-- "content/reference/static-configuration/env-ref.md"

2
docs/content/routing/entrypoints.md
View file

@ -579,7 +579,7 @@ Setting them has no effect for UDP entryPoints.
If zero, no timeout exists.
Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration) or as raw values (digits).
If no units are provided, the value is parsed assuming seconds.
We strongly suggest to adapt this value accordingly to the your needs.
We strongly suggest adapting this value accordingly to your needs.
```yaml tab="File (YAML)"
## Static configuration

6
docs/content/routing/providers/swarm.md
View file

@ -667,6 +667,9 @@ Overrides the default docker network to use for connections to the container.
If a container is linked to several networks, be sure to set the proper network name (you can check this with `docker inspect <container_id>`),
otherwise it will randomly pick one (depending on how docker is returning them).
!!! warning
The Docker Swarm provider still uses the same per-container mechanism as the Docker provider, so therefore the label still uses the `docker` keyword intentionally.
!!! warning
When deploying a stack from a compose file `stack`, the networks defined are prefixed with `stack`.
@ -680,3 +683,6 @@ Enables Swarm's inbuilt load balancer (only relevant in Swarm Mode).
If you enable this option, Traefik will use the virtual IP provided by docker swarm instead of the containers IPs.
Which means that Traefik will not perform any kind of load balancing and will delegate this task to swarm.
!!! warning
The Docker Swarm provider still uses the same per-container mechanism as the Docker provider, so therefore the label still uses the `docker` keyword intentionally.

183
docs/content/user-guides/cert-manager.md Normal file
View file

@ -0,0 +1,183 @@
---
title: "Integration with cert-manager"
description: "Learn how to use cert-manager certificates with Traefik Proxy for your routers. Read the technical documentation."
---
# cert-manager
Provision TLS Certificate for Traefik Proxy with cert-manager on Kubernetes
{: .subtitle }
## Pre-requisites
To obtain certificates from cert-manager that can be used in Traefik Proxy, you will need to:
1. Have cert-manager properly configured
2. Have Traefik Proxy configured
The certificates can then be used in an Ingress / IngressRoute / HTTPRoute.
## Example with ACME and HTTP challenge
!!! example "ACME issuer for HTTP challenge"
```yaml tab="Issuer"
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: acme
spec:
acme:
# Production server is on https://acme-v02.api.letsencrypt.org/directory
# Use staging by default.
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: acme
solvers:
- http01:
ingress:
ingressClassName: traefik
```
```yaml tab="Certificate"
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: whoami
namespace: traefik
spec:
secretName: domain-tls # <=== Name of secret where the generated certificate will be stored.
dnsNames:
- "domain.example.com"
issuerRef:
name: acme
kind: Issuer
```
Let's see now how to use it with the various Kubernetes providers of Traefik Proxy.
The enabled providers can be seen on the [dashboard](../../operations/dashboard/) of Traefik Proxy and also in the INFO logs when Traefik Proxy starts.
### With an Ingress
To use this certificate with an Ingress, the [Kubernetes Ingress](../../providers/kubernetes-ingress/) provider has to be enabled.
!!! info Traefik Helm Chart
This provider is enabled by default in the Traefik Helm Chart.
!!! example "Route with this Certificate"
```yaml tab="Ingress"
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: domain
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
rules:
- host: domain.example.com
http:
paths:
- path: /
pathType: Exact
backend:
service:
name: domain-service
port:
number: 80
tls:
- secretName: domain-tls # <=== Use the name defined in Certificate resource.
```
### With an IngressRoute
To use this certificate with an IngressRoute, the [Kubernetes CRD](../../providers/kubernetes-crd) provider has to be enabled.
!!! info Traefik Helm Chart
This provider is enabled by default in the Traefik Helm Chart.
!!! example "Route with this Certificate"
```yaml tab="IngressRoute"
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: domain
spec:
entryPoints:
- websecure
routes:
- match: Host(`domain.example.com`)
kind: Rule
services:
- name: domain-service
port: 80
tls:
secretName: domain-tls # <=== Use the name defined in Certificate resource.
```
### With an HTTPRoute
To use this certificate with an HTTPRoute, the [Kubernetes Gateway](../../routing/providers/kubernetes-gateway) provider has to be enabled.
!!! info Traefik Helm Chart
This provider is disabled by default in the Traefik Helm Chart.
!!! example "Route with this Certificate"
```yaml tab="HTTPRoute"
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
name: domain-gateway
spec:
gatewayClassName: traefik
listeners:
- name: websecure
port: 8443
protocol: HTTPS
hostname: domain.example.com
tls:
certificateRefs:
- name: domain-tls # <==== Use the name defined in Certificate resource.
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: domain
spec:
parentRefs:
- name: domain-gateway
hostnames:
- domain.example.com
rules:
- matches:
- path:
type: Exact
value: /
backendRefs:
- name: domain-service
port: 80
weight: 1
```
## Troubleshooting
There are multiple event sources available to investigate when using cert-manager:
1. Kubernetes events in `Certificate` and `CertificateRequest` resources
2. cert-manager logs
3. Dashboard and/or (debug) logs from Traefik Proxy
cert-manager documentation provides a [detailed guide](https://cert-manager.io/docs/troubleshooting/) on how to troubleshoot a certificate request.
{!traefik-for-business-applications.md!}