Pass TLS bool from IngressRouteTCP to TCPService
parent
8983e45fcf
commit
189db8d990
4 changed files with 103 additions and 38 deletions
|
@ -1156,48 +1156,50 @@ Register the `IngressRouteTCP` [kind](../../reference/dynamic-configuration/kube
|
|||
serversTransport: transport # [13]
|
||||
nativeLB: true # [14]
|
||||
nodePortLB: true # [15]
|
||||
tls: false # [16]
|
||||
|
||||
tls: # [16]
|
||||
secretName: supersecret # [17]
|
||||
options: # [18]
|
||||
name: opt # [19]
|
||||
namespace: default # [20]
|
||||
certResolver: foo # [21]
|
||||
domains: # [22]
|
||||
- main: example.net # [23]
|
||||
sans: # [24]
|
||||
tls: # [17]
|
||||
secretName: supersecret # [18]
|
||||
options: # [19]
|
||||
name: opt # [20]
|
||||
namespace: default # [21]
|
||||
certResolver: foo # [22]
|
||||
domains: # [23]
|
||||
- main: example.net # [24]
|
||||
sans: # [25]
|
||||
- a.example.net
|
||||
- b.example.net
|
||||
passthrough: false # [25]
|
||||
passthrough: false # [26]
|
||||
```
|
||||
|
||||
| Ref | Attribute | Purpose |
|
||||
|------|-------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| [1] | `entryPoints` | List of [entrypoints](../routers/index.md#entrypoints_1) names |
|
||||
| [2] | `routes` | List of routes |
|
||||
| [3] | `routes[n].match` | Defines the [rule](../routers/index.md#rule_1) of the underlying router |
|
||||
| [4] | `routes[n].priority` | Defines the [priority](../routers/index.md#priority_1) to disambiguate rules of the same length, for route matching |
|
||||
| [5] | `middlewares[n].name` | Defines the [MiddlewareTCP](#kind-middlewaretcp) name |
|
||||
| [6] | `middlewares[n].namespace` | Defines the [MiddlewareTCP](#kind-middlewaretcp) namespace |
|
||||
| [7] | `routes[n].services` | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions (See below for `ExternalName Service` setup) |
|
||||
| [8] | `services[n].name` | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) |
|
||||
| [9] | `services[n].port` | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port. |
|
||||
| [10] | `services[n].weight` | Defines the weight to apply to the server load balancing |
|
||||
| [11] | `services[n].proxyProtocol` | Defines the [PROXY protocol](../services/index.md#proxy-protocol) configuration |
|
||||
| [12] | `services[n].proxyProtocol.version` | Defines the [PROXY protocol](../services/index.md#proxy-protocol) version |
|
||||
| [13] | `services[n].serversTransport` | Defines the reference to a [ServersTransportTCP](#kind-serverstransporttcp). The ServersTransport namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace (see [ServersTransport reference](#serverstransport-reference)). |
|
||||
| [14] | `services[n].nativeLB` | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. |
|
||||
| [15] | `services[n].nodePortLB` | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is |
|
||||
| [16] | `tls` | Defines [TLS](../routers/index.md#tls_1) certificate configuration |
|
||||
| [17] | `tls.secretName` | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace) |
|
||||
| [18] | `tls.options` | Defines the reference to a [TLSOption](#kind-tlsoption) |
|
||||
| [19] | `tls.options.name` | Defines the [TLSOption](#kind-tlsoption) name |
|
||||
| [20] | `tls.options.namespace` | Defines the [TLSOption](#kind-tlsoption) namespace |
|
||||
| [21] | `tls.certResolver` | Defines the reference to a [CertResolver](../routers/index.md#certresolver_1) |
|
||||
| [22] | `tls.domains` | List of [domains](../routers/index.md#domains_1) |
|
||||
| [23] | `tls.domains[n].main` | Defines the main domain name |
|
||||
| [24] | `tls.domains[n].sans` | List of SANs (alternative domains) |
|
||||
| [25] | `tls.passthrough` | If `true`, delegates the TLS termination to the backend |
|
||||
| Ref | Attribute | Purpose |
|
||||
|------|-------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
|
||||
| [1] | `entryPoints` | List of [entrypoints](../routers/index.md#entrypoints_1) names |
|
||||
| [2] | `routes` | List of routes |
|
||||
| [3] | `routes[n].match` | Defines the [rule](../routers/index.md#rule_1) of the underlying router |
|
||||
| [4] | `routes[n].priority` | Defines the [priority](../routers/index.md#priority_1) to disambiguate rules of the same length, for route matching |
|
||||
| [5] | `middlewares[n].name` | Defines the [MiddlewareTCP](#kind-middlewaretcp) name |
|
||||
| [6] | `middlewares[n].namespace` | Defines the [MiddlewareTCP](#kind-middlewaretcp) namespace |
|
||||
| [7] | `routes[n].services` | List of [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) definitions (See below for `ExternalName Service` setup) |
|
||||
| [8] | `services[n].name` | Defines the name of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) |
|
||||
| [9] | `services[n].port` | Defines the port of a [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/). This can be a reference to a named port. |
|
||||
| [10] | `services[n].weight` | Defines the weight to apply to the server load balancing |
|
||||
| [11] | `services[n].proxyProtocol` | Defines the [PROXY protocol](../services/index.md#proxy-protocol) configuration |
|
||||
| [12] | `services[n].proxyProtocol.version` | Defines the [PROXY protocol](../services/index.md#proxy-protocol) version |
|
||||
| [13] | `services[n].serversTransport` | Defines the reference to a [ServersTransportTCP](#kind-serverstransporttcp). The ServersTransport namespace is assumed to be the [Kubernetes service](https://kubernetes.io/docs/concepts/services-networking/service/) namespace (see [ServersTransport reference](#serverstransport-reference)). |
|
||||
| [14] | `services[n].nativeLB` | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. |
|
||||
| [15] | `services[n].nodePortLB` | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs when the service type is of type NodePort. |
|
||||
| [16] | `services[n].tls` | Defines whether to use TLS when dialing with the target service. |
|
||||
| [17] | `tls` | Defines [TLS](../routers/index.md#tls_1) certificate configuration |
|
||||
| [18] | `tls.secretName` | Defines the [secret](https://kubernetes.io/docs/concepts/configuration/secret/) name used to store the certificate (in the `IngressRoute` namespace) |
|
||||
| [19] | `tls.options` | Defines the reference to a [TLSOption](#kind-tlsoption) |
|
||||
| [20] | `tls.options.name` | Defines the [TLSOption](#kind-tlsoption) name |
|
||||
| [21] | `tls.options.namespace` | Defines the [TLSOption](#kind-tlsoption) namespace |
|
||||
| [22] | `tls.certResolver` | Defines the reference to a [CertResolver](../routers/index.md#certresolver_1) |
|
||||
| [23] | `tls.domains` | List of [domains](../routers/index.md#domains_1) |
|
||||
| [24] | `tls.domains[n].main` | Defines the main domain name |
|
||||
| [25] | `tls.domains[n].sans` | List of SANs (alternative domains) |
|
||||
| [26] | `tls.passthrough` | If `true`, delegates the TLS termination to the backend |
|
||||
|
||||
??? example "Declaring an IngressRouteTCP"
|
||||
|
||||
|
|
|
@ -0,0 +1,16 @@
|
|||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRouteTCP
|
||||
metadata:
|
||||
name: test.route
|
||||
namespace: default
|
||||
|
||||
spec:
|
||||
entryPoints:
|
||||
- foo
|
||||
|
||||
routes:
|
||||
- match: HostSNI(`foo.com`)
|
||||
services:
|
||||
- name: whoamitcp
|
||||
port: 8000
|
||||
tls: true
|
|
@ -257,6 +257,7 @@ func (p *Provider) loadTCPServers(client Client, namespace string, svc traefikv1
|
|||
if addr.Type == corev1.NodeInternalIP {
|
||||
servers = append(servers, dynamic.TCPServer{
|
||||
Address: net.JoinHostPort(addr.Address, strconv.Itoa(int(svcPort.NodePort))),
|
||||
TLS: svc.TLS,
|
||||
})
|
||||
}
|
||||
}
|
||||
|
@ -272,6 +273,7 @@ func (p *Provider) loadTCPServers(client Client, namespace string, svc traefikv1
|
|||
if service.Spec.Type == corev1.ServiceTypeExternalName {
|
||||
servers = append(servers, dynamic.TCPServer{
|
||||
Address: net.JoinHostPort(service.Spec.ExternalName, strconv.Itoa(int(svcPort.Port))),
|
||||
TLS: svc.TLS,
|
||||
})
|
||||
} else {
|
||||
nativeLB := p.NativeLBByDefault
|
||||
|
@ -284,7 +286,7 @@ func (p *Provider) loadTCPServers(client Client, namespace string, svc traefikv1
|
|||
return nil, fmt.Errorf("getting native Kubernetes Service address: %w", err)
|
||||
}
|
||||
|
||||
return []dynamic.TCPServer{{Address: address}}, nil
|
||||
return []dynamic.TCPServer{{Address: address, TLS: svc.TLS}}, nil
|
||||
}
|
||||
|
||||
endpointSlices, err := client.GetEndpointSlicesForService(namespace, svc.Name)
|
||||
|
@ -318,6 +320,7 @@ func (p *Provider) loadTCPServers(client Client, namespace string, svc traefikv1
|
|||
addresses[address] = struct{}{}
|
||||
servers = append(servers, dynamic.TCPServer{
|
||||
Address: net.JoinHostPort(address, strconv.Itoa(int(port))),
|
||||
TLS: svc.TLS,
|
||||
})
|
||||
}
|
||||
}
|
||||
|
|
|
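Review bot: The new `TLS: svc.TLS` fields (this hunk and the three that follow in loadTCPServers, including the nativeLB return `return []dynamic.TCPServer{{Address: address, TLS: svc.TLS}}, nil`) enable TLS towards the backend, but nothing on the page says how the backend certificate is verified, and the new docs row [16] only reads "Defines whether to use TLS when dialing with the target service." Presumably verification (root CAs, server name, whether verification is skipped) comes from the ServersTransportTCP referenced in row [13]; if so, row [16] should say that the dial uses the TLS settings of the referenced ServersTransportTCP and that verification is governed there, since the pod and node branches dial bare IPs via net.JoinHostPort and an operator whose certificate has no matching IP SAN otherwise has no guidance other than disabling verification. A short comment on the first of the four assignments, e.g. `// TLS to the backend is dialed with the ServersTransportTCP TLS settings; verification is configured there.` (confirm against the transport code, which is not on this page), would carry the same point for readers of the Go code. loadTCPServers starts and ends outside these hunks.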
@ -111,6 +111,50 @@ func TestLoadIngressRouteTCPs(t *testing.T) {
|
|||
TLS: &dynamic.TLSConfiguration{},
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "Simple Ingress Route, with foo entrypoint, tls encryption to service",
|
||||
paths: []string{"tcp/services.yml", "tcp/with_tls_service.yml"},
|
||||
expected: &dynamic.Configuration{
|
||||
UDP: &dynamic.UDPConfiguration{
|
||||
Routers: map[string]*dynamic.UDPRouter{},
|
||||
Services: map[string]*dynamic.UDPService{},
|
||||
},
|
||||
HTTP: &dynamic.HTTPConfiguration{
|
||||
Routers: map[string]*dynamic.Router{},
|
||||
Middlewares: map[string]*dynamic.Middleware{},
|
||||
Services: map[string]*dynamic.Service{},
|
||||
ServersTransports: map[string]*dynamic.ServersTransport{},
|
||||
},
|
||||
TCP: &dynamic.TCPConfiguration{
|
||||
Routers: map[string]*dynamic.TCPRouter{
|
||||
"default-test.route-fdd3e9338e47a45efefc": {
|
||||
EntryPoints: []string{"foo"},
|
||||
Service: "default-test.route-fdd3e9338e47a45efefc",
|
||||
Rule: "HostSNI(`foo.com`)",
|
||||
},
|
||||
},
|
||||
Middlewares: map[string]*dynamic.TCPMiddleware{},
|
||||
Services: map[string]*dynamic.TCPService{
|
||||
"default-test.route-fdd3e9338e47a45efefc": {
|
||||
LoadBalancer: &dynamic.TCPServersLoadBalancer{
|
||||
Servers: []dynamic.TCPServer{
|
||||
{
|
||||
Address: "10.10.0.1:8000",
|
||||
TLS: true,
|
||||
},
|
||||
{
|
||||
Address: "10.10.0.2:8000",
|
||||
TLS: true,
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
},
|
||||
ServersTransports: map[string]*dynamic.TCPServersTransport{},
|
||||
},
|
||||
TLS: &dynamic.TLSConfiguration{},
|
||||
},
|
||||
},
|
||||
{
|
||||
desc: "Simple Ingress Route, with foo entrypoint and middleware",
|
||||
paths: []string{"tcp/services.yml", "tcp/with_middleware.yml"},
|
||||
|
|
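Review bot: The new test case exercises only the EndpointSlice branch of loadTCPServers (pod addresses `10.10.0.1:8000` and `10.10.0.2:8000`, both `TLS: true`); the ExternalName, NodePort and nativeLB branches that now also copy `svc.TLS` have no case here, and there is no case asserting that a service without `tls` still produces `TLS: false`. A fixture per branch with `tls: true`, plus one negative case reusing `tcp/services.yml`, would pin the propagation on every path rather than one. TestLoadIngressRouteTCPs starts and ends outside the hunk.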