diff --git a/docs/content/routing/providers/kubernetes-crd.md b/docs/content/routing/providers/kubernetes-crd.md
index fca592beb..44f3caa85 100644
--- a/docs/content/routing/providers/kubernetes-crd.md
+++ b/docs/content/routing/providers/kubernetes-crd.md
@@ -1156,48 +1156,50 @@ Register the `IngressRouteTCP` [kind](../../reference/dynamic-configuration/kube serversTransport: transport # [13] nativeLB: true # [14] nodePortLB: true # [15] + tls: false # [16] - tls: # [16] - secretName: supersecret # [17] - options: # [18] - name: opt # [19] - namespace: default # [20] - certResolver: foo # [21] - domains: # [22] - - main: example.net # [23] - sans: # [24] + tls: # [17] + secretName: supersecret # [18] + options: # [19] + name: opt # [20] + namespace: default # [21] + certResolver: foo # [22] + domains: # [23] + - main: example.net # [24] + sans: # [25] - a.example.net - b.example.net - passthrough: false # [25] + passthrough: false # [26] ``` -| Ref | Attribute | Purpose | -|------|-------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| [1] | `entryPoints` | List of [entrypoints](../routers/index.md#entrypoints_1) names | -| [2] | `routes` | List of routes | -| [3] | `routes[n].match` | Defines the [rule](../routers/index.md#rule_1) of the underlying router | -| [4] | `routes[n].priority` | Defines the [priority](../routers/index.md#priority_1) to disambiguate rules of the same length, for route matching | -| [5] | `middlewares[n].name` | Defines the [MiddlewareTCP](#kind-middlewaretcp) name | -| [6] | `middlewares[n].namespace` | Defines the [MiddlewareTCP](#kind-middlewaretcp) namespace | -| [7] | `routes[n].services` | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions (See below for `ExternalName Service` setup) | -| [8] | `services[n].name` | Defines the name of a [Kubernetes 
service](https://kubernetes.io/docs/concepts/services-networking/service/) | -| [9] | `services[n].port` | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port. | -| [10] | `services[n].weight` | Defines the weight to apply to the server load balancing | -| [11] | `services[n].proxyProtocol` | Defines the [PROXY protocol](../services/index.md#proxy-protocol) configuration | -| [12] | `services[n].proxyProtocol.version` | Defines the [PROXY protocol](../services/index.md#proxy-protocol) version | -| [13] | `services[n].serversTransport` | Defines the reference to a [ServersTransportTCP](#kind-serverstransporttcp). The ServersTransport namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace (see [ServersTransport reference](#serverstransport-reference)). | -| [14] | `services[n].nativeLB` | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. 
| -| [15] | `services[n].nodePortLB` | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is | -| [16] | `tls` | Defines [TLS](../routers/index.md#tls_1) certificate configuration | -| [17] | `tls.secretName` | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace) | -| [18] | `tls.options` | Defines the reference to a [TLSOption](#kind-tlsoption) | -| [19] | `tls.options.name` | Defines the [TLSOption](#kind-tlsoption) name | -| [20] | `tls.options.namespace` | Defines the [TLSOption](#kind-tlsoption) namespace | -| [21] | `tls.certResolver` | Defines the reference to a [CertResolver](../routers/index.md#certresolver_1) | -| [22] | `tls.domains` | List of [domains](../routers/index.md#domains_1) | -| [23] | `tls.domains[n].main` | Defines the main domain name | -| [24] | `tls.domains[n].sans` | List of SANs (alternative domains) | -| [25] | `tls.passthrough` | If `true`, delegates the TLS termination to the backend | +| Ref | Attribute | Purpose | +|------|-------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| [1] | `entryPoints` | List of [entrypoints](../routers/index.md#entrypoints_1) names | +| [2] | `routes` | List of routes | +| [3] | `routes[n].match` | Defines the [rule](../routers/index.md#rule_1) of the underlying router | +| [4] | `routes[n].priority` | Defines the [priority](../routers/index.md#priority_1) to disambiguate rules of the same length, for route matching | +| [5] | `middlewares[n].name` | Defines the [MiddlewareTCP](#kind-middlewaretcp) name | +| [6] | `middlewares[n].namespace` | 
Defines the [MiddlewareTCP](#kind-middlewaretcp) namespace | +| [7] | `routes[n].services` | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions (See below for `ExternalName Service` setup) | +| [8] | `services[n].name` | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) | +| [9] | `services[n].port` | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port. | +| [10] | `services[n].weight` | Defines the weight to apply to the server load balancing | +| [11] | `services[n].proxyProtocol` | Defines the [PROXY protocol](../services/index.md#proxy-protocol) configuration | +| [12] | `services[n].proxyProtocol.version` | Defines the [PROXY protocol](../services/index.md#proxy-protocol) version | +| [13] | `services[n].serversTransport` | Defines the reference to a [ServersTransportTCP](#kind-serverstransporttcp). The ServersTransport namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace (see [ServersTransport reference](#serverstransport-reference)). | +| [14] | `services[n].nativeLB` | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. | +| [15] | `services[n].nodePortLB` | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs when the service type is of type NodePort. | +| [16] | `services[n].tls` | Defines whether to use TLS when dialing with the target service. 
|
+| [17] | `tls` | Defines [TLS](../routers/index.md#tls_1) certificate configuration |
+| [18] | `tls.secretName` | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace) |
+| [19] | `tls.options` | Defines the reference to a [TLSOption](#kind-tlsoption) |
+| [20] | `tls.options.name` | Defines the [TLSOption](#kind-tlsoption) name |
+| [21] | `tls.options.namespace` | Defines the [TLSOption](#kind-tlsoption) namespace |
+| [22] | `tls.certResolver` | Defines the reference to a [CertResolver](../routers/index.md#certresolver_1) |
+| [23] | `tls.domains` | List of [domains](../routers/index.md#domains_1) |
+| [24] | `tls.domains[n].main` | Defines the main domain name |
+| [25] | `tls.domains[n].sans` | List of SANs (alternative domains) |
+| [26] | `tls.passthrough` | If `true`, delegates the TLS termination to the backend |
 ??? example "Declaring an IngressRouteTCP"
diff --git a/pkg/provider/kubernetes/crd/fixtures/tcp/with_tls_service.yml b/pkg/provider/kubernetes/crd/fixtures/tcp/with_tls_service.yml
new file mode 100644
index 000000000..977e0ec24
--- /dev/null
+++ b/pkg/provider/kubernetes/crd/fixtures/tcp/with_tls_service.yml
@@ -0,0 +1,16 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRouteTCP
+metadata:
+ name: test.route
+ namespace: default
+
+spec:
+ entryPoints:
+ - foo
+
+ routes:
+ - match: HostSNI(`foo.com`)
+ services:
+ - name: whoamitcp
+ port: 8000
+ tls: true
diff --git a/pkg/provider/kubernetes/crd/kubernetes_tcp.go b/pkg/provider/kubernetes/crd/kubernetes_tcp.go
index 63795c0a3..1eb3eed84 100644
--- a/pkg/provider/kubernetes/crd/kubernetes_tcp.go
+++ b/pkg/provider/kubernetes/crd/kubernetes_tcp.go
@@ -257,6 +257,7 @@ func (p *Provider) loadTCPServers(client Client, namespace string, svc traefikv1
 if addr.Type == corev1.NodeInternalIP {
 servers = append(servers, dynamic.TCPServer{
 Address: net.JoinHostPort(addr.Address, strconv.Itoa(int(svcPort.NodePort))),
+ TLS: svc.TLS,
 })
 }
 }
@@ -272,6 +273,7 @@ func (p *Provider) loadTCPServers(client Client, namespace string, svc traefikv1
 if service.Spec.Type == corev1.ServiceTypeExternalName {
 servers = append(servers, dynamic.TCPServer{
 Address: net.JoinHostPort(service.Spec.ExternalName, strconv.Itoa(int(svcPort.Port))),
+ TLS: svc.TLS,
 })
 } else {
 nativeLB := p.NativeLBByDefault
@@ -284,7 +286,7 @@ func (p *Provider) loadTCPServers(client Client, namespace string, svc traefikv1
 return nil, fmt.Errorf("getting native Kubernetes Service address: %w", err)
 }
- return []dynamic.TCPServer{{Address: address}}, nil
+ return []dynamic.TCPServer{{Address: address, TLS: svc.TLS}}, nil
 }
 endpointSlices, err := client.GetEndpointSlicesForService(namespace, svc.Name)
@@ -318,6 +320,7 @@ func (p *Provider) loadTCPServers(client Client, namespace string, svc traefikv1
 addresses[address] = struct{}{}
 servers = append(servers, dynamic.TCPServer{
 Address: net.JoinHostPort(address, strconv.Itoa(int(port))),
+ TLS: svc.TLS,
 })
 }
 }
diff --git a/pkg/provider/kubernetes/crd/kubernetes_test.go b/pkg/provider/kubernetes/crd/kubernetes_test.go
index ec979151d..fe3131c74 100644
--- a/pkg/provider/kubernetes/crd/kubernetes_test.go
+++ b/pkg/provider/kubernetes/crd/kubernetes_test.go
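Review bot: In the first hunk (`@@ -257,6 +257,7 @@`) `svc.TLS` is copied onto a server whose `Address` is a bare node IP (`addr.Address` taken only when `addr.Type == corev1.NodeInternalIP`), and the same applies to the endpoint-slice addresses in the last hunk, yet nothing in the change checks or records how that TLS dial will verify the backend certificate. Verification presumably comes from the ServersTransportTCP referenced by the service's `serversTransport` (the docs in this diff point there; I cannot confirm from this chunk which TLS config the dialer actually uses), so a `tls: true` service with no transport, or one whose backend certificate has no IP SAN, will either fail the handshake or silently depend on whatever the default transport does. I would add a why-comment next to the new field, `// TLS is dialed to a bare pod/node IP: verification relies on the referenced ServersTransportTCP (serverName/rootCAs), so the backend cert needs an IP SAN or a serverName override.`, and consider a debug log when `svc.TLS` is set but the service references no ServersTransportTCP (field name as in the CRD docs; confirm on the Go type, which is not in this chunk). The body of `loadTCPServers` starts and ends outside the hunk.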
@@ -111,6 +111,50 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
 TLS: &dynamic.TLSConfiguration{},
 },
 },
+ {
+ desc: "Simple Ingress Route, with foo entrypoint, tls encryption to service",
+ paths: []string{"tcp/services.yml", "tcp/with_tls_service.yml"},
+ expected: &dynamic.Configuration{
+ UDP: &dynamic.UDPConfiguration{
+ Routers: map[string]*dynamic.UDPRouter{},
+ Services: map[string]*dynamic.UDPService{},
+ },
+ HTTP: &dynamic.HTTPConfiguration{
+ Routers: map[string]*dynamic.Router{},
+ Middlewares: map[string]*dynamic.Middleware{},
+ Services: map[string]*dynamic.Service{},
+ ServersTransports: map[string]*dynamic.ServersTransport{},
+ },
+ TCP: &dynamic.TCPConfiguration{
+ Routers: map[string]*dynamic.TCPRouter{
+ "default-test.route-fdd3e9338e47a45efefc": {
+ EntryPoints: []string{"foo"},
+ Service: "default-test.route-fdd3e9338e47a45efefc",
+ Rule: "HostSNI(`foo.com`)",
+ },
+ },
+ Middlewares: map[string]*dynamic.TCPMiddleware{},
+ Services: map[string]*dynamic.TCPService{
+ "default-test.route-fdd3e9338e47a45efefc": {
+ LoadBalancer: &dynamic.TCPServersLoadBalancer{
+ Servers: []dynamic.TCPServer{
+ {
+ Address: "10.10.0.1:8000",
+ TLS: true,
+ },
+ {
+ Address: "10.10.0.2:8000",
+ TLS: true,
+ },
+ },
+ },
+ },
+ },
+ ServersTransports: map[string]*dynamic.TCPServersTransport{},
+ },
+ TLS: &dynamic.TLSConfiguration{},
+ },
+ },
 {
 desc: "Simple Ingress Route, with foo entrypoint and middleware",
 paths: []string{"tcp/services.yml", "tcp/with_middleware.yml"},
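Review bot: The new test case only pins the endpoint-slice branch of loadTCPServers (two pod addresses `10.10.0.1:8000` and `10.10.0.2:8000` with `TLS: true`), while the NodePort, ExternalName and nativeLB branches that also gained `TLS: svc.TLS` in kubernetes_tcp.go have no assertion in this hunk. A second fixture combining `tls: true` with `nativeLB: true` (and, if the fixture set already has an ExternalName service, one for that path too) expecting a single server with `TLS: true` would catch a regression in any of those branches, which the `services.yml` + `with_tls_service.yml` pair cannot. If the neighbouring cases assert `dynamic.TCPServer` values with no `TLS` field, the default-false path is already covered implicitly and needs no extra case. `TestLoadIngressRouteTCPs` starts and ends outside the hunk.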