homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch 'v2.1' into master

Browse source
This commit is contained in:
Fernandez Ludovic 2019-12-11 22:14:26 +01:00
commit 2d3fc613ec
44 changed files with 923 additions and 392 deletions
Download patch file Download diff file Expand all files Collapse all files

8
docs/check.Dockerfile
View file

@ -15,8 +15,12 @@ RUN gem install html-proofer --version 3.13.0 --no-document -- --use-system-libr
RUN apk --no-cache --no-progress add \
git \
nodejs \
npm \
&& npm install --global \
npm
# To handle 'not get uid/gid'
RUN npm config set unsafe-perm true
RUN npm install --global \
markdownlint@0.17.2 \
markdownlint-cli@0.19.0

4
docs/content/https/.markdownlint.json Normal file
View file

@ -0,0 +1,4 @@
{
"extends": "../../.markdownlint.json",
"MD041": false
}

76
docs/content/https/acme.md
View file

@ -8,6 +8,45 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
!!! warning "Let's Encrypt and Rate Limiting"
Note that Let's Encrypt API has [rate limiting](https://letsencrypt.org/docs/rate-limits).
Use Let's Encrypt staging server with the [`caServer`](#caserver) configuration option
when experimenting to avoid hitting this limit too fast.
## Certificate Resolvers
Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration),
which are responsible for retrieving certificates from an ACME server.
Then, each ["router"](../routing/routers/index.md) is configured to enable TLS,
and is associated to a certificate resolver through the [`tls.certresolver` configuration option](../routing/routers/index.md#certresolver).
Certificates are requested for domain names retrieved from the router's [dynamic configuration](../getting-started/configuration-overview.md#the-dynamic-configuration).
You can read more about this retrieval mechanism in the following section: [ACME Domain Definition](#domain-definition).
## Domain Definition
Certificate resolvers request certificates for a set of the domain names
inferred from routers, with the following logic:
- If the router has a [`tls.domains`](../routing/routers/index.md#domains) option set,
then the certificate resolver uses the `main` (and optionally `sans`) option of `tls.domains` to know the domain names for this router.
- If no [`tls.domains`](../routing/routers/index.md#domains) option is set,
then the certificate resolver uses the [router's rule](../routing/routers/index.md#rule),
by checking the `Host()` matchers.
Please note that [multiple `Host()` matchers can be used](../routing/routers/index.md#certresolver)) for specifying multiple domain names for this router.
Please note that:
- When multiple domain names are inferred from a given router,
only **one** certificate is requested with the first domain name as the main domain,
and the other domains as ["SANs" (Subject Alternative Name)](https://en.wikipedia.org/wiki/Subject_Alternative_Name).
- As [ACME V2 supports "wildcard domains"](#wildcard-domains),
any router can provide a [wildcard domain](https://en.wikipedia.org/wiki/Wildcard_certificate) name, as "main" domain or as "SAN" domain.
Please check the [configuration examples below](#configuration-examples) for more details.
## Configuration Examples
??? example "Enabling ACME"
@ -75,6 +114,26 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom
--8<-- "content/https/ref-acme.txt"
```
??? example "Single Domain from Router's Rule Example"
* A certificate for the domain `company.com` is requested:
--8<-- "content/https/include-acme-single-domain-example.md"
??? example "Multiple Domains from Router's Rule Example"
* A certificate for the domains `company.com` (main) and `blog.company.org`
is requested:
--8<-- "content/https/include-acme-multiple-domains-from-rule-example.md"
??? example "Multiple Domains from Router's `tls.domain` Example"
* A certificate for the domains `company.com` (main) and `*.company.org` (SAN)
is requested:
--8<-- "content/https/include-acme-multiple-domains-example.md"
## Automatic Renewals
Traefik automatically tracks the expiry date of ACME certificates it generates.
@ -84,6 +143,13 @@ If there are less than 30 days remaining before the certificate expires, Traefik
!!! info ""
Certificates that are no longer used may still be renewed, as Traefik does not currently check if the certificate is being used before renewing.
## Using LetsEncrypt with Kubernetes
When using LetsEncrypt with kubernetes, there are some known caveats with both the [ingress](../providers/kubernetes-ingress.md) and [crd](../providers/kubernetes-crd.md) providers.
!!! info ""
If you intend to run multiple instances of Traefik with LetsEncrypt, please ensure you read the sections on those provider pages.
## The Different ACME Challenges
!!! important "Defining a certificates resolver does not result in all routers automatically using it. Each router that is supposed to use the resolver must [reference](../routing/routers/index.md#certresolver) it."
@ -220,7 +286,7 @@ For example, `CF_API_EMAIL_FILE=/run/secrets/traefik_cf-api-email` could be used
| [Bindman](https://github.com/labbsr0x/bindman-dns-webhook) | `bindman` | `BINDMAN_MANAGER_ADDRESS` | [Additional configuration](https://go-acme.github.io/lego/dns/bindman) |
| [Blue Cat](https://www.bluecatnetworks.com/) | `bluecat` | `BLUECAT_SERVER_URL`, `BLUECAT_USER_NAME`, `BLUECAT_PASSWORD`, `BLUECAT_CONFIG_NAME`, `BLUECAT_DNS_VIEW` | [Additional configuration](https://go-acme.github.io/lego/dns/bluecat) |
| [ClouDNS](https://www.cloudns.net/) | `cloudns` | `CLOUDNS_AUTH_ID`, `CLOUDNS_AUTH_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/cloudns) |
| [Cloudflare](https://www.cloudflare.com) | `cloudflare` | `CF_API_EMAIL`, `CF_API_KEY` or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]` [^5] | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare) |
| [Cloudflare](https://www.cloudflare.com) | `cloudflare` | `CF_API_EMAIL`, `CF_API_KEY` [^5] or `CF_DNS_API_TOKEN`, `[CF_ZONE_API_TOKEN]` | [Additional configuration](https://go-acme.github.io/lego/dns/cloudflare) |
| [CloudXNS](https://www.cloudxns.net) | `cloudxns` | `CLOUDXNS_API_KEY`, `CLOUDXNS_SECRET_KEY` | [Additional configuration](https://go-acme.github.io/lego/dns/cloudxns) |
| [ConoHa](https://www.conoha.jp) | `conoha` | `CONOHA_TENANT_ID`, `CONOHA_API_USERNAME`, `CONOHA_API_PASSWORD` | [Additional configuration](https://go-acme.github.io/lego/dns/conoha) |
| [DigitalOcean](https://www.digitalocean.com) | `digitalocean` | `DO_AUTH_TOKEN` | [Additional configuration](https://go-acme.github.io/lego/dns/digitalocean) |
@ -320,7 +386,9 @@ certificatesResolvers:
[ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).
## `caServer`
## More Configuration
### `caServer`
??? example "Using the Let's Encrypt staging server"
@ -346,7 +414,7 @@ As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/stagi
# ...
```
## `storage`
### `storage`
The `storage` option sets the location where your ACME certificates are saved to.
@ -376,7 +444,7 @@ The value can refer to some kinds of storage:
- a JSON file
### In a File
#### In a File
ACME certificates can be stored in a JSON file that needs to have a `600` file mode .

88
docs/content/https/include-acme-multiple-domains-example.md Normal file
View file

@ -0,0 +1,88 @@
```yaml tab="Docker"
## Dynamic configuration
labels:
- traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
- traefik.http.routers.blog.tls=true
- traefik.http.routers.blog.tls.certresolver=le
- traefik.http.routers.blog.tls.domains[0].main=company.org
- traefik.http.routers.blog.tls.domains[0].sans=*.company.org
```
```yaml tab="Docker (Swarm)"
## Dynamic configuration
deploy:
labels:
- traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
- traefik.http.services.blog-svc.loadbalancer.server.port=8080"
- traefik.http.routers.blog.tls=true
- traefik.http.routers.blog.tls.certresolver=le
- traefik.http.routers.blog.tls.domains[0].main=company.org
- traefik.http.routers.blog.tls.domains[0].sans=*.company.org
```
```yaml tab="Kubernetes"
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: blogtls
spec:
entryPoints:
- websecure
routes:
- match: Host(`company.com`) && Path(`/blog`)
kind: Rule
services:
- name: blog
port: 8080
tls:
certResolver: le
```
```json tab="Marathon"
labels: {
"traefik.http.routers.blog.rule": "Host(`company.com`) && Path(`/blog`)",
"traefik.http.routers.blog.tls": "true",
"traefik.http.routers.blog.tls.certresolver": "le",
"traefik.http.routers.blog.tls.domains[0].main": "company.com",
"traefik.http.routers.blog.tls.domains[0].sans": "*.company.com",
"traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
}
```
```yaml tab="Rancher"
## Dynamic configuration
labels:
- traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
- traefik.http.routers.blog.tls=true
- traefik.http.routers.blog.tls.certresolver=le
- traefik.http.routers.blog.tls.domains[0].main=company.org
- traefik.http.routers.blog.tls.domains[0].sans=*.company.org
```
```toml tab="File (TOML)"
## Dynamic configuration
[http.routers]
[http.routers.blog]
rule = "Host(`company.com`) && Path(`/blog`)"
[http.routers.blog.tls]
certResolver = "le" # From static configuration
[[http.routers.blog.tls.domains]]
main = "company.org"
sans = ["*.company.org"]
```
```yaml tab="File (YAML)"
## Dynamic configuration
http:
routers:
blog:
rule: "Host(`company.com`) && Path(`/blog`)"
tls:
certResolver: le
domains:
- main: "company.org"
sans:
- "*.company.org"
```

72
docs/content/https/include-acme-multiple-domains-from-rule-example.md Normal file
View file

@ -0,0 +1,72 @@
```yaml tab="Docker"
## Dynamic configuration
labels:
- traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
- traefik.http.routers.blog.tls=true
- traefik.http.routers.blog.tls.certresolver=le
```
```yaml tab="Docker (Swarm)"
## Dynamic configuration
deploy:
labels:
- traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
- traefik.http.services.blog-svc.loadbalancer.server.port=8080"
- traefik.http.routers.blog.tls=true
- traefik.http.routers.blog.tls.certresolver=le
```
```yaml tab="Kubernetes"
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: blogtls
spec:
entryPoints:
- websecure
routes:
- match: (Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
kind: Rule
services:
- name: blog
port: 8080
tls: {}
```
```json tab="Marathon"
labels: {
"traefik.http.routers.blog.rule": "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)",
"traefik.http.routers.blog.tls": "true",
"traefik.http.routers.blog.tls.certresolver": "le",
"traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
}
```
```yaml tab="Rancher"
## Dynamic configuration
labels:
- traefik.http.routers.blog.rule=(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)
- traefik.http.routers.blog.tls=true
- traefik.http.routers.blog.tls.certresolver=le
```
```toml tab="File (TOML)"
## Dynamic configuration
[http.routers]
[http.routers.blog]
rule = "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)"
[http.routers.blog.tls]
certResolver = "le" # From static configuration
```
```yaml tab="File (YAML)"
## Dynamic configuration
http:
routers:
blog:
rule: "(Host(`company.com`) && Path(`/blog`)) || Host(`blog.company.org`)"
tls:
certResolver: le
```

72
docs/content/https/include-acme-single-domain-example.md Normal file
View file

@ -0,0 +1,72 @@
```yaml tab="Docker"
## Dynamic configuration
labels:
- traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
- traefik.http.routers.blog.tls=true
- traefik.http.routers.blog.tls.certresolver=le
```
```yaml tab="Docker (Swarm)"
## Dynamic configuration
deploy:
labels:
- traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
- traefik.http.services.blog-svc.loadbalancer.server.port=8080"
- traefik.http.routers.blog.tls=true
- traefik.http.routers.blog.tls.certresolver=le
```
```yaml tab="Kubernetes"
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: blogtls
spec:
entryPoints:
- websecure
routes:
- match: Host(`company.com`) && Path(`/blog`)
kind: Rule
services:
- name: blog
port: 8080
tls: {}
```
```json tab="Marathon"
labels: {
"traefik.http.routers.blog.rule": "Host(`company.com`) && Path(`/blog`)",
"traefik.http.routers.blog.tls": "true",
"traefik.http.routers.blog.tls.certresolver": "le",
"traefik.http.services.blog-svc.loadbalancer.server.port": "8080"
}
```
```yaml tab="Rancher"
## Dynamic configuration
labels:
- traefik.http.routers.blog.rule=Host(`company.com`) && Path(`/blog`)
- traefik.http.routers.blog.tls=true
- traefik.http.routers.blog.tls.certresolver=le
```
```toml tab="Single Domain"
## Dynamic configuration
[http.routers]
[http.routers.blog]
rule = "Host(`company.com`) && Path(`/blog`)"
[http.routers.blog.tls]
certResolver = "le" # From static configuration
```
```yaml tab="File (YAML)"
## Dynamic configuration
http:
routers:
blog:
rule: "Host(`company.com`) && Path(`/blog`)"
tls:
certResolver: le
```

2
docs/content/index.md
View file

@ -20,4 +20,4 @@ Developing Traefik, our main goal is to make it simple to use, and we're sure yo
!!! info
If you're a business running critical services behind Traefik, know that [Containous](https://containo.us), the company that sponsors Traefik's development, can provide [commercial support](https://containo.us/services/#commercial-support) and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik.
If you're a business running critical services behind Traefik, know that [Containous](https://containo.us), the company that sponsors Traefik's development, can provide [commercial support](https://info.containo.us/commercial-services) and develops an [Enterprise Edition](https://containo.us/traefikee/) of Traefik.

12
docs/content/middlewares/passtlsclientcert.md
View file

@ -406,7 +406,7 @@ In the example, it is the part between `-----BEGIN CERTIFICATE-----` and `-----E
!!! info "Extracted data"
The delimiters and `\n` will be removed.
If there are more than one certificate, they are separated by a "`;`".
If there are more than one certificate, they are separated by a "`,`".
!!! warning "`X-Forwarded-Tls-Client-Cert` value could exceed the web server header size limit"
@ -421,12 +421,12 @@ The value of the header will be an escaped concatenation of all the selected cer
The following example shows an unescaped result that uses all the available fields:
```text
Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com",Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2",NB=1544094616,NA=1607166616,SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
Subject="DC=org,DC=cheese,C=FR,C=US,ST=Cheese org state,ST=Cheese com state,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=*.cheese.com";Issuer="DC=org,DC=cheese,C=FR,C=US,ST=Signing State,ST=Signing State 2,L=TOULOUSE,L=LYON,O=Cheese,O=Cheese 2,CN=Simple Signing CA 2";NB="1544094616";NA="1607166616";SAN="*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2"
```
!!! info "Multiple certificates"
If there are more than one certificate, they are separated by a `;`.
If there are more than one certificate, they are separated by a `,`.
#### `info.notAfter`
@ -442,7 +442,7 @@ The data are taken from the following certificate part:
The escape `notAfter` info part will be like:
```text
NA=1607166616
NA="1607166616"
```
#### `info.notBefore`
@ -459,7 +459,7 @@ Validity
The escape `notBefore` info part will be like:
```text
NB=1544094616
NB="1544094616"
```
#### `info.sans`
@ -476,7 +476,7 @@ The data are taken from the following certificate part:
The escape SANs info part will be like:
```text
SAN=*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2
SAN="*.cheese.org,*.cheese.net,*.cheese.com,test@cheese.org,test@cheese.net,10.0.1.0,10.0.1.2"
```
!!! info "multiple values"

10
docs/content/migration/v1-to-v2.md
View file

@ -560,8 +560,8 @@ with the path `/admin` stripped, e.g. to `http://<IP>:<port>/`. In this case, yo
```yaml tab="Docker"
labels:
- "traefik.http.routers.admin.rule=Host(`company.org`) && PathPrefix(`/admin`)"
- "traefik.http.routers.admin.middlewares=admin-stripprefix"
- "traefik.http.middlewares.admin-stripprefix.stripprefix.prefixes=/admin"
- "traefik.http.routers.web.middlewares=admin-stripprefix@docker"
```
```yaml tab="Kubernetes IngressRoute"
@ -1029,12 +1029,12 @@ As the dashboard access is now secured by default you can either:
[api]
[providers.file]
filename = "/dynamic-conf.toml"
directory = "/path/to/dynamic/config"
##---------------------##
## dynamic configuration
# dynamic-conf.toml
# /path/to/dynamic/config/dynamic-conf.toml
[http.routers.api]
rule = "Host(`traefik.docker.localhost`)"
@ -1061,12 +1061,12 @@ As the dashboard access is now secured by default you can either:
providers:
file:
filename: /dynamic-conf.yaml
directory: /path/to/dynamic/config
##---------------------##
## dynamic configuration
# dynamic-conf.yaml
# /path/to/dynamic/config/dynamic-conf.yaml
http:
routers:

8
docs/content/operations/dashboard.md
View file

@ -85,19 +85,17 @@ We recommend to use a "Host Based rule" as ```Host(`traefik.domain.com`)``` to m
or to make sure that the defined rule captures both prefixes:
```bash tab="Host Rule"
# Matches http://traefik.domain.com/api or http://traefik.domain.com/dashboard
# The dashboard can be accessed on http://traefik.domain.com/dashboard/
rule = "Host(`traefik.domain.com`)"
```
```bash tab="Path Prefix Rule"
# Matches http://traefik.domain.com/api , http://domain.com/api or http://traefik.domain.com/dashboard
# but does not match http://traefik.domain.com/hello
# The dashboard can be accessed on http://domain.com/dashboard/ or http://traefik.domain.com/dashboard/
rule = "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
```
```bash tab="Combination of Rules"
# Matches http://traefik.domain.com/api or http://traefik.domain.com/dashboard
# but does not match http://traefik.domain.com/hello
# The dashboard can be accessed on http://traefik.domain.com/dashboard/
rule = "Host(`traefik.domain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
```

2
docs/content/operations/ping.md
View file

@ -59,7 +59,7 @@ ping:
--ping.entryPoint=ping
```
#### `manualRouting`
### `manualRouting`
_Optional, Default=false_

28
docs/content/providers/file.md
View file

@ -23,17 +23,17 @@ You can write one of these mutually exclusive configuration elements:
```toml tab="File (TOML)"
[providers.file]
filename = "/my/path/to/dynamic-conf.toml"
directory = "/path/to/dynamic/conf"
```
```yaml tab="File (YAML)"
providers:
file:
filename: "/my/path/to/dynamic-conf.yml"
directory: "/path/to/dynamic/conf"
```
```bash tab="CLI"
--providers.file.filename=/my/path/to/dynamic_conf.toml
--providers.file.directory=/path/to/dynamic/conf
```
Declaring Routers, Middlewares & Services:
@ -100,6 +100,22 @@ You can write one of these mutually exclusive configuration elements:
If you're in a hurry, maybe you'd rather go through the [dynamic configuration](../reference/dynamic-configuration/file.md) references and the [static configuration](../reference/static-configuration/overview.md).
!!! warning "Limitations"
With the file provider, Traefik listens for file system notifications to update the dynamic configuration.
If you use a mounted/bound file system in your orchestrator (like docker or kubernetes), the way the files are linked may be a source of errors.
If the link between the file systems is broken, when a source file/directory is changed/renamed, nothing will be reported to the linked file/directory, so the file system notifications will be neither triggered nor caught.
For example, in docker, if the host file is renamed, the link to the mounted file will be broken and the container's file will not be updated.
To avoid this kind of issue, a good practice is to:
* set the Traefik [**directory**](#directory) configuration with the parent directory
* mount/bind the parent directory
As it is very difficult to listen to all file system notifications, Traefik use [fsnotify](https://github.com/fsnotify/fsnotify).
If using a directory with a mounted directory does not fix your issue, please check your file system compatibility with fsnotify.
### `filename`
Defines the path of the configuration file.
@ -148,19 +164,19 @@ It works with both the `filename` and the `directory` options.
```toml tab="File (TOML)"
[providers]
[providers.file]
filename = "dynamic_conf.toml"
directory = "/path/to/dynamic/conf"
watch = true
```
```yaml tab="File (YAML)"
providers:
file:
filename: dynamic_conf.yml
directory: /path/to/dynamic/conf
watch: true
```
```bash tab="CLI"
--providers.file.filename=dynamic_conf.toml
--providers.file.directory=/my/path/to/dynamic/conf
--providers.file.watch=true
```

17
docs/content/providers/kubernetes-crd.md
View file

@ -12,6 +12,23 @@ we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/co
See the dedicated section in [routing](../routing/providers/kubernetes-crd.md).
## LetsEncrypt Support with the Custom Resource Definition Provider
By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration.
For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the kubernetes ecosystem.
When using a single instance of Traefik with LetsEncrypt, no issues should be encountered, however this could be a single point of failure.
Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0.
If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
If you are wanting to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
When using Cert-Manager to manage certificates, it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot interface directly with the CRDs _yet_, but this is being worked on by our team.
A workaround it to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges.
Please note that this still requires manual intervention to create the certificates through Cert-Manager, but once created, Cert-Manager will keep the certificate renewed.
## Provider Configuration
### `endpoint`

14
docs/content/providers/kubernetes-ingress.md
View file

@ -47,6 +47,20 @@ spec:
servicePort: 80
```
## LetsEncrypt Support with the Ingress Provider
By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration.
For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the kubernetes ecosystem.
When using a single instance of Traefik with LetsEncrypt, no issues should be encountered, however this could be a single point of failure.
Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses.
Previous versions of Traefik used a [KV store](https://docs.traefik.io/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0.
If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [TraefikEE](https://containo.us/traefikee/) where distributed LetsEncrypt is a supported feature.
If you are wanting to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
When using Cert-Manager to manage certificates, it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
## Provider Configuration
### `endpoint`

24
docs/content/routing/overview.md
View file

@ -33,9 +33,9 @@ Static configuration:
address = ":8081"
[providers]
# Enable the file provider to define routers / middlewares / services in a file
# Enable the file provider to define routers / middlewares / services in file
[providers.file]
filename = "dynamic_conf.toml"
directory = "/path/to/dynamic/conf"
```
```yaml tab="File (YAML)"
@ -45,17 +45,17 @@ entryPoints:
address: :8081
providers:
# Enable the file provider to define routers / middlewares / services in a file
# Enable the file provider to define routers / middlewares / services in file
file:
filename: dynamic_conf.yml
directory: /path/to/dynamic/conf
```
```bash tab="CLI"
# Listen on port 8081 for incoming requests
--entryPoints.web.address=:8081
# Enable the file provider to define routers / middlewares / services in a file
--providers.file.filename=dynamic_conf.toml
# Enable the file provider to define routers / middlewares / services in file
--providers.file.directory=/path/to/dynamic/conf
```
Dynamic configuration:
@ -133,9 +133,9 @@ http:
address = ":8081"
[providers]
# Enable the file provider to define routers / middlewares / services in a file
# Enable the file provider to define routers / middlewares / services in file
[providers.file]
filename = "dynamic_conf.toml"
directory = "/path/to/dynamic/conf"
```
```yaml tab="File (YAML)"
@ -144,17 +144,17 @@ http:
# Listen on port 8081 for incoming requests
address: :8081
providers:
# Enable the file provider to define routers / middlewares / services in a file
# Enable the file provider to define routers / middlewares / services in file
file:
filename: dynamic_conf.yml
directory: /path/to/dynamic/conf
```
```bash tab="CLI"
# Listen on port 8081 for incoming requests
--entryPoints.web.address=:8081
# Enable the file provider to define routers / middlewares / services in a file
--providers.file.filename=dynamic_conf.toml
# Enable the file provider to define routers / middlewares / services in file
--providers.file.directory=/path/to/dynamic/conf
```
**Dynamic Configuration**

2
docs/content/routing/providers/marathon.md
View file

@ -91,7 +91,7 @@ For example, to change the routing rule, you could add the label ```"traefik.htt
See [tls](../routers/index.md#tls) for more information.
```json
"traefik.http.routers.myrouter>.tls": "true"
"traefik.http.routers.myrouter.tls": "true"
```
??? info "`traefik.http.routers.<router_name>.tls.certresolver`"

12
docs/content/routing/services/index.md
View file

@ -387,7 +387,9 @@ The WRR is able to load balance the requests between multiple services based on
This strategy is only available to load balance between [services](./index.md) and not between [servers](./index.md#servers).
!!! info "This strategy can be defined only with [File](../../providers/file.md)."
!!! info "Supported Providers"
This strategy can be defined currently with the [File](../../providers/file.md) or [IngressRoute](../../providers/kubernetes-crd.md) providers.
```toml tab="TOML"
## Dynamic configuration
@ -438,7 +440,9 @@ http:
The mirroring is able to mirror requests sent to a service to other services.
!!! info "This strategy can be defined only with [File](../../providers/file.md)."
!!! info "Supported Providers"
This strategy can be defined currently with the [File](../../providers/file.md) or [IngressRoute](../../providers/kubernetes-crd.md) providers.
```toml tab="TOML"
## Dynamic configuration
@ -583,7 +587,9 @@ The Weighted Round Robin (alias `WRR`) load-balancer of services is in charge of
This strategy is only available to load balance between [services](./index.md) and not between [servers](./index.md#servers).
This strategy can only be defined with [File](../../providers/file.md).
!!! info "Supported Providers"
This strategy can be defined currently with the [File](../../providers/file.md) or [IngressRoute](../../providers/kubernetes-crd.md) providers.
```toml tab="TOML"
## Dynamic configuration

16
docs/content/user-guides/grpc.md
View file

@ -16,7 +16,7 @@ Static configuration:
[api]
[providers.file]
filename = "dynamic_conf.toml"
directory = "/path/to/dynamic/config"
```
```yaml tab="File (YAML)"
@ -26,18 +26,18 @@ entryPoints:
providers:
file:
filename: dynamic_conf.yml
directory: /path/to/dynamic/config
api: {}
```
```yaml tab="CLI"
--entryPoints.web.address=:80
--providers.file.filename=dynamic_conf.toml
--providers.file.directory=/path/to/dynamic/config
--api.insecure=true
```
`dynamic_conf.{toml,yml}`:
`/path/to/dynamic/config/dynamic_conf.{toml,yml}`:
```toml tab="TOML"
## dynamic configuration ##
@ -132,7 +132,7 @@ Static configuration:
[api]
[provider.file]
filename = "dynamic_conf.toml"
directory = "/path/to/dynamic/config"
```
```yaml tab="File (YAML)"
@ -147,7 +147,7 @@ serversTransport:
providers:
file:
filename: dynamic_conf.yml
directory: /path/to/dynamic/config
api: {}
```
@ -156,11 +156,11 @@ api: {}
--entryPoints.websecure.address=:4443
# For secure connection on backend.local
--serversTransport.rootCAs=./backend.cert
--providers.file.filename=dynamic_conf.toml
--providers.file.directory=/path/to/dynamic/config
--api.insecure=true
```
`dynamic_conf.{toml,yml}`:
`/path/to/dynamic/config/dynamic_conf.{toml,yml}`:
```toml tab="TOML"
## dynamic configuration ##

2
docs/mkdocs.yml
View file

@ -44,7 +44,7 @@ plugins:
- search
- exclude:
glob:
- include-*.md
- "**/include-*.md"
# https://squidfunk.github.io/mkdocs-material/extensions/admonition/
# https://facelessuser.github.io/pymdown-extensions/