Add TCP Servers Transports support

Co-authored-by: Romain <rtribotte@users.noreply.github.com>
2022-12-09 09:58:05 +01:00 · 2022-12-09 09:58:05 +01:00 · 3eeea2bb2b
commit 3eeea2bb2b
parent c2dac39da1
101 changed files with 5956 additions and 1669 deletions
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@ -1020,6 +1020,33 @@ Defines the allowed SPIFFE trust domain.
 `--spiffe.workloadapiaddr`:  
 Defines the workload API address.

+`--tcpserverstransport.dialkeepalive`:  
+Defines the interval between keep-alive probes for an active network connection. If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative, keep-alive probes are disabled (Default: ```15```)
+
+`--tcpserverstransport.dialtimeout`:  
+Defines the amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
+
+`--tcpserverstransport.terminationdelay`:  
+Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability. (Default: ```0```)
+
+`--tcpserverstransport.tls`:  
+Defines the TLS configuration. (Default: ```false```)
+
+`--tcpserverstransport.tls.insecureskipverify`:  
+Disables SSL certificate verification. (Default: ```false```)
+
+`--tcpserverstransport.tls.rootcas`:  
+Defines a list of CA secret used to validate self-signed certificate
+
+`--tcpserverstransport.tls.spiffe`:  
+Defines the SPIFFE TLS configuration. (Default: ```false```)
+
+`--tcpserverstransport.tls.spiffe.ids`:  
+Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain).
+
+`--tcpserverstransport.tls.spiffe.trustdomain`:  
+Defines the allowed SPIFFE trust domain.
+
 `--tracing`:  
 OpenTracing configuration. (Default: ```false```)

--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@ -1020,6 +1020,33 @@ Defines the allowed SPIFFE trust domain.
 `TRAEFIK_SPIFFE_WORKLOADAPIADDR`:  
 Defines the workload API address.

+`TRAEFIK_TCPSERVERSTRANSPORT_DIALKEEPALIVE`:  
+Defines the interval between keep-alive probes for an active network connection. If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative, keep-alive probes are disabled (Default: ```15```)
+
+`TRAEFIK_TCPSERVERSTRANSPORT_DIALTIMEOUT`:  
+Defines the amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists. (Default: ```30```)
+
+`TRAEFIK_TCPSERVERSTRANSPORT_TERMINATIONDELAY`:  
+Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability. (Default: ```0```)
+
+`TRAEFIK_TCPSERVERSTRANSPORT_TLS`:  
+Defines the TLS configuration. (Default: ```false```)
+
+`TRAEFIK_TCPSERVERSTRANSPORT_TLS_INSECURESKIPVERIFY`:  
+Disables SSL certificate verification. (Default: ```false```)
+
+`TRAEFIK_TCPSERVERSTRANSPORT_TLS_ROOTCAS`:  
+Defines a list of CA secret used to validate self-signed certificate
+
+`TRAEFIK_TCPSERVERSTRANSPORT_TLS_SPIFFE`:  
+Defines the SPIFFE TLS configuration. (Default: ```false```)
+
+`TRAEFIK_TCPSERVERSTRANSPORT_TLS_SPIFFE_IDS`:  
+Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain).
+
+`TRAEFIK_TCPSERVERSTRANSPORT_TLS_SPIFFE_TRUSTDOMAIN`:  
+Defines the allowed SPIFFE trust domain.
+
 `TRAEFIK_TRACING`:  
 OpenTracing configuration. (Default: ```false```)

--- a/docs/content/reference/static-configuration/file.toml
+++ b/docs/content/reference/static-configuration/file.toml
@ -6,10 +6,29 @@
  insecureSkipVerify = true
  rootCAs = ["foobar", "foobar"]
  maxIdleConnsPerHost = 42
+
  [serversTransport.forwardingTimeouts]
    dialTimeout = "42s"
    responseHeaderTimeout = "42s"
    idleConnTimeout = "42s"
+    readIdleTimeout = "42s"
+    pingTimeout = "42s"
+
+  [serversTransport.spiffe]
+    ids = ["foobar", "foobar"]
+    trustDomain = "foobar"
+
+[tcpServersTransport]
+  dialTimeout = "42s"
+  dialKeepAlive = "42s"
+
+  [tcpServersTransport.tls]
+    insecureSkipVerify = true
+    rootCAs = ["foobar", "foobar"]
+
+    [tcpServersTransport.tls.spiffe]
+      ids = ["foobar", "foobar"]
+      trustDomain = "foobar"

 [entryPoints]
  [entryPoints.EntryPoint0]
--- a/docs/content/reference/static-configuration/file.yaml
+++ b/docs/content/reference/static-configuration/file.yaml
@ -1,7 +1,7 @@
 global:
  checkNewVersion: true
  sendAnonymousUsage: true
-serversTransport:
+serversTransports:
  insecureSkipVerify: true
  rootCAs:
    - foobar
@ -11,6 +11,26 @@ serversTransport:
    dialTimeout: 42s
    responseHeaderTimeout: 42s
    idleConnTimeout: 42s
+    readIdleTimeout: 42s
+    pingTimeout: 42s
+  spiffe:
+    ids:
+      - foobar
+      - foobar
+    trustDomain: foobar
+tcpServersTransport:
+  dialTimeout: 42s
+  dialKeepAlive: 42s
+  tls:
+    insecureSkipVerify: true
+    rootCAs:
+      - foobar
+      - foobar
+    spiffe:
+      ids:
+        - foobar
+        - foobar
+      trustDomain: foobar
 entryPoints:
  EntryPoint0:
    address: foobar