Merge branch v2.10 into v3.0

pkg/provider/kubernetes/crd/traefikio/v1alpha1/doc.go

@@ -0,0 +1,6 @@
+// +k8s:deepcopy-gen=package
+
+// Package v1alpha1 is the v1alpha1 version of the API.
+// +groupName=traefik.io
+// +groupGoName=Traefik
+package v1alpha1

pkg/provider/kubernetes/crd/traefikio/v1alpha1/ingressroute.go

@@ -0,0 +1,175 @@
+package v1alpha1
+
+import (
+	"github.com/traefik/traefik/v3/pkg/config/dynamic"
+	"github.com/traefik/traefik/v3/pkg/types"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+// IngressRouteSpec defines the desired state of IngressRoute.
+type IngressRouteSpec struct {
+	// Routes defines the list of routes.
+	Routes []Route `json:"routes"`
+	// EntryPoints defines the list of entry point names to bind to.
+	// Entry points have to be configured in the static configuration.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
+	// Default: all.
+	EntryPoints []string `json:"entryPoints,omitempty"`
+	// TLS defines the TLS configuration.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls
+	TLS *TLS `json:"tls,omitempty"`
+}
+
+// Route holds the HTTP route configuration.
+type Route struct {
+	// Match defines the router's rule.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule
+	Match string `json:"match"`
+	// Kind defines the kind of the route.
+	// Rule is the only supported kind.
+	// +kubebuilder:validation:Enum=Rule
+	Kind string `json:"kind"`
+	// Priority defines the router's priority.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority
+	Priority int `json:"priority,omitempty"`
+	// Services defines the list of Service.
+	// It can contain any combination of TraefikService and/or reference to a Kubernetes Service.
+	Services []Service `json:"services,omitempty"`
+	// Middlewares defines the list of references to Middleware resources.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-middleware
+	Middlewares []MiddlewareRef `json:"middlewares,omitempty"`
+}
+
+// TLS holds the TLS configuration.
+// More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls
+type TLS struct {
+	// SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
+	SecretName string `json:"secretName,omitempty"`
+	// Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
+	// If not defined, the `default` TLSOption is used.
+	// More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options
+	Options *TLSOptionRef `json:"options,omitempty"`
+	// Store defines the reference to the TLSStore, that will be used to store certificates.
+	// Please note that only `default` TLSStore can be used.
+	Store *TLSStoreRef `json:"store,omitempty"`
+	// CertResolver defines the name of the certificate resolver to use.
+	// Cert resolvers have to be configured in the static configuration.
+	// More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers
+	CertResolver string `json:"certResolver,omitempty"`
+	// Domains defines the list of domains that will be used to issue certificates.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains
+	Domains []types.Domain `json:"domains,omitempty"`
+}
+
+// TLSOptionRef is a reference to a TLSOption resource.
+type TLSOptionRef struct {
+	// Name defines the name of the referenced TLSOption.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption
+	Name string `json:"name"`
+	// Namespace defines the namespace of the referenced TLSOption.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsoption
+	Namespace string `json:"namespace,omitempty"`
+}
+
+// TLSStoreRef is a reference to a TLSStore resource.
+type TLSStoreRef struct {
+	// Name defines the name of the referenced TLSStore.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore
+	Name string `json:"name"`
+	// Namespace defines the namespace of the referenced TLSStore.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-tlsstore
+	Namespace string `json:"namespace,omitempty"`
+}
+
+// LoadBalancerSpec defines the desired state of LoadBalancer.
+// It can reference either a Kubernetes Service object (a load-balancer of servers),
+// or a TraefikService object (a load-balancer of Traefik services).
+type LoadBalancerSpec struct {
+	// Name defines the name of the referenced Kubernetes Service or TraefikService.
+	// The differentiation between the two is specified in the Kind field.
+	Name string `json:"name"`
+	// Kind defines the kind of the Service.
+	// +kubebuilder:validation:Enum=Service;TraefikService
+	Kind string `json:"kind,omitempty"`
+	// Namespace defines the namespace of the referenced Kubernetes Service or TraefikService.
+	Namespace string `json:"namespace,omitempty"`
+	// Sticky defines the sticky sessions configuration.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/services/#sticky-sessions
+	Sticky *dynamic.Sticky `json:"sticky,omitempty"`
+	// Port defines the port of a Kubernetes Service.
+	// This can be a reference to a named port.
+	Port intstr.IntOrString `json:"port,omitempty"`
+	// Scheme defines the scheme to use for the request to the upstream Kubernetes Service.
+	// It defaults to https when Kubernetes Service port is 443, http otherwise.
+	Scheme string `json:"scheme,omitempty"`
+	// Strategy defines the load balancing strategy between the servers.
+	// RoundRobin is the only supported value at the moment.
+	Strategy string `json:"strategy,omitempty"`
+	// PassHostHeader defines whether the client Host header is forwarded to the upstream Kubernetes Service.
+	// By default, passHostHeader is true.
+	PassHostHeader *bool `json:"passHostHeader,omitempty"`
+	// ResponseForwarding defines how Traefik forwards the response from the upstream Kubernetes Service to the client.
+	ResponseForwarding *ResponseForwarding `json:"responseForwarding,omitempty"`
+	// ServersTransport defines the name of ServersTransport resource to use.
+	// It allows to configure the transport between Traefik and your servers.
+	// Can only be used on a Kubernetes Service.
+	ServersTransport string `json:"serversTransport,omitempty"`
+	// Weight defines the weight and should only be specified when Name references a TraefikService object
+	// (and to be precise, one that embeds a Weighted Round Robin).
+	Weight *int `json:"weight,omitempty"`
+	// NativeLB controls, when creating the load-balancer,
+	// whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+	// The Kubernetes Service itself does load-balance to the pods.
+	// By default, NativeLB is false.
+	NativeLB bool `json:"nativeLB,omitempty"`
+}
+
+type ResponseForwarding struct {
+	// FlushInterval defines the interval, in milliseconds, in between flushes to the client while copying the response body.
+	// A negative value means to flush immediately after each write to the client.
+	// This configuration is ignored when ReverseProxy recognizes a response as a streaming response;
+	// for such responses, writes are flushed to the client immediately.
+	// Default: 100ms
+	FlushInterval string `json:"flushInterval,omitempty"`
+}
+
+// Service defines an upstream HTTP service to proxy traffic to.
+type Service struct {
+	LoadBalancerSpec `json:",inline"`
+}
+
+// MiddlewareRef is a reference to a Middleware resource.
+type MiddlewareRef struct {
+	// Name defines the name of the referenced Middleware resource.
+	Name string `json:"name"`
+	// Namespace defines the namespace of the referenced Middleware resource.
+	Namespace string `json:"namespace,omitempty"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:storageversion
+
+// IngressRoute is the CRD implementation of a Traefik HTTP Router.
+type IngressRoute struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata"`
+
+	Spec IngressRouteSpec `json:"spec"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// IngressRouteList is a collection of IngressRoute.
+type IngressRouteList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	// Items is the list of IngressRoute.
+	Items []IngressRoute `json:"items"`
+}

pkg/provider/kubernetes/crd/traefikio/v1alpha1/ingressroutetcp.go

@@ -0,0 +1,113 @@
+package v1alpha1
+
+import (
+	"github.com/traefik/traefik/v3/pkg/config/dynamic"
+	"github.com/traefik/traefik/v3/pkg/types"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+// IngressRouteTCPSpec defines the desired state of IngressRouteTCP.
+type IngressRouteTCPSpec struct {
+	// Routes defines the list of routes.
+	Routes []RouteTCP `json:"routes"`
+	// EntryPoints defines the list of entry point names to bind to.
+	// Entry points have to be configured in the static configuration.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
+	// Default: all.
+	EntryPoints []string `json:"entryPoints,omitempty"`
+	// TLS defines the TLS configuration on a layer 4 / TCP Route.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls_1
+	TLS *TLSTCP `json:"tls,omitempty"`
+}
+
+// RouteTCP holds the TCP route configuration.
+type RouteTCP struct {
+	// Match defines the router's rule.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#rule_1
+	Match string `json:"match"`
+	// Priority defines the router's priority.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#priority_1
+	Priority int `json:"priority,omitempty"`
+	// Services defines the list of TCP services.
+	Services []ServiceTCP `json:"services,omitempty"`
+	// Middlewares defines the list of references to MiddlewareTCP resources.
+	Middlewares []ObjectReference `json:"middlewares,omitempty"`
+}
+
+// TLSTCP holds the TLS configuration for an IngressRouteTCP.
+// More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#tls_1
+type TLSTCP struct {
+	// SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
+	SecretName string `json:"secretName,omitempty"`
+	// Passthrough defines whether a TLS router will terminate the TLS connection.
+	Passthrough bool `json:"passthrough,omitempty"`
+	// Options defines the reference to a TLSOption, that specifies the parameters of the TLS connection.
+	// If not defined, the `default` TLSOption is used.
+	// More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options
+	Options *ObjectReference `json:"options,omitempty"`
+	// Store defines the reference to the TLSStore, that will be used to store certificates.
+	// Please note that only `default` TLSStore can be used.
+	Store *ObjectReference `json:"store,omitempty"`
+	// CertResolver defines the name of the certificate resolver to use.
+	// Cert resolvers have to be configured in the static configuration.
+	// More info: https://doc.traefik.io/traefik/v3.0/https/acme/#certificate-resolvers
+	CertResolver string `json:"certResolver,omitempty"`
+	// Domains defines the list of domains that will be used to issue certificates.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/routers/#domains
+	Domains []types.Domain `json:"domains,omitempty"`
+}
+
+// ServiceTCP defines an upstream TCP service to proxy traffic to.
+type ServiceTCP struct {
+	// Name defines the name of the referenced Kubernetes Service.
+	Name string `json:"name"`
+	// Namespace defines the namespace of the referenced Kubernetes Service.
+	Namespace string `json:"namespace,omitempty"`
+	// Port defines the port of a Kubernetes Service.
+	// This can be a reference to a named port.
+	Port intstr.IntOrString `json:"port"`
+	// Weight defines the weight used when balancing requests between multiple Kubernetes Service.
+	Weight *int `json:"weight,omitempty"`
+	// ProxyProtocol defines the PROXY protocol configuration.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/services/#proxy-protocol
+	ProxyProtocol *dynamic.ProxyProtocol `json:"proxyProtocol,omitempty"`
+	// ServersTransport defines the name of ServersTransportTCP resource to use.
+	// It allows to configure the transport between Traefik and your servers.
+	// Can only be used on a Kubernetes Service.
+	ServersTransport string `json:"serversTransport,omitempty"`
+	// TLS determines whether to use TLS when dialing with the backend.
+	TLS bool `json:"tls,omitempty"`
+	// NativeLB controls, when creating the load-balancer,
+	// whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+	// The Kubernetes Service itself does load-balance to the pods.
+	// By default, NativeLB is false.
+	NativeLB bool `json:"nativeLB,omitempty"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:storageversion
+
+// IngressRouteTCP is the CRD implementation of a Traefik TCP Router.
+type IngressRouteTCP struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata"`
+
+	Spec IngressRouteTCPSpec `json:"spec"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// IngressRouteTCPList is a collection of IngressRouteTCP.
+type IngressRouteTCPList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	// Items is the list of IngressRouteTCP.
+	Items []IngressRouteTCP `json:"items"`
+}

pkg/provider/kubernetes/crd/traefikio/v1alpha1/ingressrouteudp.go

@@ -0,0 +1,68 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+// IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.
+type IngressRouteUDPSpec struct {
+	// Routes defines the list of routes.
+	Routes []RouteUDP `json:"routes"`
+	// EntryPoints defines the list of entry point names to bind to.
+	// Entry points have to be configured in the static configuration.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/entrypoints/
+	// Default: all.
+	EntryPoints []string `json:"entryPoints,omitempty"`
+}
+
+// RouteUDP holds the UDP route configuration.
+type RouteUDP struct {
+	// Services defines the list of UDP services.
+	Services []ServiceUDP `json:"services,omitempty"`
+}
+
+// ServiceUDP defines an upstream UDP service to proxy traffic to.
+type ServiceUDP struct {
+	// Name defines the name of the referenced Kubernetes Service.
+	Name string `json:"name"`
+	// Namespace defines the namespace of the referenced Kubernetes Service.
+	Namespace string `json:"namespace,omitempty"`
+	// Port defines the port of a Kubernetes Service.
+	// This can be a reference to a named port.
+	Port intstr.IntOrString `json:"port"`
+	// Weight defines the weight used when balancing requests between multiple Kubernetes Service.
+	Weight *int `json:"weight,omitempty"`
+	// NativeLB controls, when creating the load-balancer,
+	// whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP.
+	// The Kubernetes Service itself does load-balance to the pods.
+	// By default, NativeLB is false.
+	NativeLB bool `json:"nativeLB,omitempty"`
+}
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:storageversion
+
+// IngressRouteUDP is a CRD implementation of a Traefik UDP Router.
+type IngressRouteUDP struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata"`
+
+	Spec IngressRouteUDPSpec `json:"spec"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// IngressRouteUDPList is a collection of IngressRouteUDP.
+type IngressRouteUDPList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	// Items is the list of IngressRouteUDP.
+	Items []IngressRouteUDP `json:"items"`
+}

pkg/provider/kubernetes/crd/traefikio/v1alpha1/middleware.go

@@ -0,0 +1,223 @@
+package v1alpha1
+
+import (
+	"github.com/traefik/traefik/v3/pkg/config/dynamic"
+	apiextensionv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:storageversion
+
+// Middleware is the CRD implementation of a Traefik Middleware.
+// More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/overview/
+type Middleware struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata"`
+
+	Spec MiddlewareSpec `json:"spec"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// MiddlewareSpec defines the desired state of a Middleware.
+type MiddlewareSpec struct {
+	AddPrefix         *dynamic.AddPrefix         `json:"addPrefix,omitempty"`
+	StripPrefix       *dynamic.StripPrefix       `json:"stripPrefix,omitempty"`
+	StripPrefixRegex  *dynamic.StripPrefixRegex  `json:"stripPrefixRegex,omitempty"`
+	ReplacePath       *dynamic.ReplacePath       `json:"replacePath,omitempty"`
+	ReplacePathRegex  *dynamic.ReplacePathRegex  `json:"replacePathRegex,omitempty"`
+	Chain             *Chain                     `json:"chain,omitempty"`
+	IPAllowList       *dynamic.IPAllowList       `json:"ipAllowList,omitempty"`
+	Headers           *dynamic.Headers           `json:"headers,omitempty"`
+	Errors            *ErrorPage                 `json:"errors,omitempty"`
+	RateLimit         *RateLimit                 `json:"rateLimit,omitempty"`
+	RedirectRegex     *dynamic.RedirectRegex     `json:"redirectRegex,omitempty"`
+	RedirectScheme    *dynamic.RedirectScheme    `json:"redirectScheme,omitempty"`
+	BasicAuth         *BasicAuth                 `json:"basicAuth,omitempty"`
+	DigestAuth        *DigestAuth                `json:"digestAuth,omitempty"`
+	ForwardAuth       *ForwardAuth               `json:"forwardAuth,omitempty"`
+	InFlightReq       *dynamic.InFlightReq       `json:"inFlightReq,omitempty"`
+	Buffering         *dynamic.Buffering         `json:"buffering,omitempty"`
+	CircuitBreaker    *CircuitBreaker            `json:"circuitBreaker,omitempty"`
+	Compress          *dynamic.Compress          `json:"compress,omitempty"`
+	PassTLSClientCert *dynamic.PassTLSClientCert `json:"passTLSClientCert,omitempty"`
+	Retry             *Retry                     `json:"retry,omitempty"`
+	ContentType       *dynamic.ContentType       `json:"contentType,omitempty"`
+	GrpcWeb           *dynamic.GrpcWeb           `json:"grpcWeb,omitempty"`
+	// Plugin defines the middleware plugin configuration.
+	// More info: https://doc.traefik.io/traefik/plugins/
+	Plugin map[string]apiextensionv1.JSON `json:"plugin,omitempty"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// ErrorPage holds the custom error middleware configuration.
+// This middleware returns a custom page in lieu of the default, according to configured ranges of HTTP Status codes.
+// More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/
+type ErrorPage struct {
+	// Status defines which status or range of statuses should result in an error page.
+	// It can be either a status code as a number (500),
+	// as multiple comma-separated numbers (500,502),
+	// as ranges by separating two codes with a dash (500-599),
+	// or a combination of the two (404,418,500-599).
+	Status []string `json:"status,omitempty"`
+	// Service defines the reference to a Kubernetes Service that will serve the error page.
+	// More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/errorpages/#service
+	Service Service `json:"service,omitempty"`
+	// Query defines the URL for the error page (hosted by service).
+	// The {status} variable can be used in order to insert the status code in the URL.
+	Query string `json:"query,omitempty"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// CircuitBreaker holds the circuit breaker configuration.
+type CircuitBreaker struct {
+	// Expression is the condition that triggers the tripped state.
+	Expression string `json:"expression,omitempty" toml:"expression,omitempty" yaml:"expression,omitempty" export:"true"`
+	// CheckPeriod is the interval between successive checks of the circuit breaker condition (when in standby state).
+	CheckPeriod *intstr.IntOrString `json:"checkPeriod,omitempty" toml:"checkPeriod,omitempty" yaml:"checkPeriod,omitempty" export:"true"`
+	// FallbackDuration is the duration for which the circuit breaker will wait before trying to recover (from a tripped state).
+	FallbackDuration *intstr.IntOrString `json:"fallbackDuration,omitempty" toml:"fallbackDuration,omitempty" yaml:"fallbackDuration,omitempty" export:"true"`
+	// RecoveryDuration is the duration for which the circuit breaker will try to recover (as soon as it is in recovering state).
+	RecoveryDuration *intstr.IntOrString `json:"recoveryDuration,omitempty" toml:"recoveryDuration,omitempty" yaml:"recoveryDuration,omitempty" export:"true"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// Chain holds the configuration of the chain middleware.
+// This middleware enables to define reusable combinations of other pieces of middleware.
+// More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/chain/
+type Chain struct {
+	// Middlewares is the list of MiddlewareRef which composes the chain.
+	Middlewares []MiddlewareRef `json:"middlewares,omitempty"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// BasicAuth holds the basic auth middleware configuration.
+// This middleware restricts access to your services to known users.
+// More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/
+type BasicAuth struct {
+	// Secret is the name of the referenced Kubernetes Secret containing user credentials.
+	Secret string `json:"secret,omitempty"`
+	// Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
+	// Default: traefik.
+	Realm string `json:"realm,omitempty"`
+	// RemoveHeader sets the removeHeader option to true to remove the authorization header before forwarding the request to your service.
+	// Default: false.
+	RemoveHeader bool `json:"removeHeader,omitempty"`
+	// HeaderField defines a header field to store the authenticated user.
+	// More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield
+	HeaderField string `json:"headerField,omitempty"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// DigestAuth holds the digest auth middleware configuration.
+// This middleware restricts access to your services to known users.
+// More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/digestauth/
+type DigestAuth struct {
+	// Secret is the name of the referenced Kubernetes Secret containing user credentials.
+	Secret string `json:"secret,omitempty"`
+	// RemoveHeader defines whether to remove the authorization header before forwarding the request to the backend.
+	RemoveHeader bool `json:"removeHeader,omitempty"`
+	// Realm allows the protected resources on a server to be partitioned into a set of protection spaces, each with its own authentication scheme.
+	// Default: traefik.
+	Realm string `json:"realm,omitempty"`
+	// HeaderField defines a header field to store the authenticated user.
+	// More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/basicauth/#headerfield
+	HeaderField string `json:"headerField,omitempty"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// ForwardAuth holds the forward auth middleware configuration.
+// This middleware delegates the request authentication to a Service.
+// More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/
+type ForwardAuth struct {
+	// Address defines the authentication server address.
+	Address string `json:"address,omitempty"`
+	// TrustForwardHeader defines whether to trust (ie: forward) all X-Forwarded-* headers.
+	TrustForwardHeader bool `json:"trustForwardHeader,omitempty"`
+	// AuthResponseHeaders defines the list of headers to copy from the authentication server response and set on forwarded request, replacing any existing conflicting headers.
+	AuthResponseHeaders []string `json:"authResponseHeaders,omitempty"`
+	// AuthResponseHeadersRegex defines the regex to match headers to copy from the authentication server response and set on forwarded request, after stripping all headers that match the regex.
+	// More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/forwardauth/#authresponseheadersregex
+	AuthResponseHeadersRegex string `json:"authResponseHeadersRegex,omitempty"`
+	// AuthRequestHeaders defines the list of the headers to copy from the request to the authentication server.
+	// If not set or empty then all request headers are passed.
+	AuthRequestHeaders []string `json:"authRequestHeaders,omitempty"`
+	// TLS defines the configuration used to secure the connection to the authentication server.
+	TLS *ClientTLS `json:"tls,omitempty"`
+}
+
+// ClientTLS holds the client TLS configuration.
+type ClientTLS struct {
+	// CASecret is the name of the referenced Kubernetes Secret containing the CA to validate the server certificate.
+	// The CA certificate is extracted from key `tls.ca` or `ca.crt`.
+	CASecret string `json:"caSecret,omitempty"`
+	// CertSecret is the name of the referenced Kubernetes Secret containing the client certificate.
+	// The client certificate is extracted from the keys `tls.crt` and `tls.key`.
+	CertSecret string `json:"certSecret,omitempty"`
+	// InsecureSkipVerify defines whether the server certificates should be validated.
+	InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// RateLimit holds the rate limit configuration.
+// This middleware ensures that services will receive a fair amount of requests, and allows one to define what fair is.
+// More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/ratelimit/
+type RateLimit struct {
+	// Average is the maximum rate, by default in requests/s, allowed for the given source.
+	// It defaults to 0, which means no rate limiting.
+	// The rate is actually defined by dividing Average by Period. So for a rate below 1req/s,
+	// one needs to define a Period larger than a second.
+	Average int64 `json:"average,omitempty"`
+	// Period, in combination with Average, defines the actual maximum rate, such as:
+	// r = Average / Period. It defaults to a second.
+	Period *intstr.IntOrString `json:"period,omitempty"`
+	// Burst is the maximum number of requests allowed to arrive in the same arbitrarily small period of time.
+	// It defaults to 1.
+	Burst *int64 `json:"burst,omitempty"`
+	// SourceCriterion defines what criterion is used to group requests as originating from a common source.
+	// If several strategies are defined at the same time, an error will be raised.
+	// If none are set, the default is to use the request's remote address field (as an ipStrategy).
+	SourceCriterion *dynamic.SourceCriterion `json:"sourceCriterion,omitempty"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// Retry holds the retry middleware configuration.
+// This middleware reissues requests a given number of times to a backend server if that server does not reply.
+// As soon as the server answers, the middleware stops retrying, regardless of the response status.
+// More info: https://doc.traefik.io/traefik/v3.0/middlewares/http/retry/
+type Retry struct {
+	// Attempts defines how many times the request should be retried.
+	Attempts int `json:"attempts,omitempty"`
+	// InitialInterval defines the first wait time in the exponential backoff series.
+	// The maximum interval is calculated as twice the initialInterval.
+	// If unspecified, requests will be retried immediately.
+	// The value of initialInterval should be provided in seconds or as a valid duration format,
+	// see https://pkg.go.dev/time#ParseDuration.
+	InitialInterval intstr.IntOrString `json:"initialInterval,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// MiddlewareList is a collection of Middleware resources.
+type MiddlewareList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	// Items is the list of Middleware.
+	Items []Middleware `json:"items"`
+}

pkg/provider/kubernetes/crd/traefikio/v1alpha1/middlewaretcp.go

@@ -0,0 +1,43 @@
+package v1alpha1
+
+import (
+	"github.com/traefik/traefik/v3/pkg/config/dynamic"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
+// More info: https://doc.traefik.io/traefik/v3.0/middlewares/overview/
+type MiddlewareTCP struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata"`
+
+	Spec MiddlewareTCPSpec `json:"spec"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// MiddlewareTCPSpec defines the desired state of a MiddlewareTCP.
+type MiddlewareTCPSpec struct {
+	// InFlightConn defines the InFlightConn middleware configuration.
+	InFlightConn *dynamic.TCPInFlightConn `json:"inFlightConn,omitempty"`
+	// IPAllowList defines the IPAllowList middleware configuration.
+	IPAllowList *dynamic.TCPIPAllowList `json:"ipAllowList,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// MiddlewareTCPList is a collection of MiddlewareTCP resources.
+type MiddlewareTCPList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	// Items is the list of MiddlewareTCP.
+	Items []MiddlewareTCP `json:"items"`
+}

pkg/provider/kubernetes/crd/traefikio/v1alpha1/objectreference.go

@@ -0,0 +1,9 @@
+package v1alpha1
+
+// ObjectReference is a generic reference to a Traefik resource.
+type ObjectReference struct {
+	// Name defines the name of the referenced Traefik resource.
+	Name string `json:"name"`
+	// Namespace defines the namespace of the referenced Traefik resource.
+	Namespace string `json:"namespace,omitempty"`
+}

pkg/provider/kubernetes/crd/traefikio/v1alpha1/register.go

@@ -0,0 +1,59 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/apimachinery/pkg/runtime/schema"
+)
+
+// GroupName is the group name for Traefik.
+const GroupName = "traefik.io"
+
+var (
+	// SchemeBuilder collects the scheme builder functions.
+	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
+
+	// AddToScheme applies the SchemeBuilder functions to a specified scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)
+
+// SchemeGroupVersion is group version used to register these objects.
+var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
+
+// Kind takes an unqualified kind and returns back a Group qualified GroupKind.
+func Kind(kind string) schema.GroupKind {
+	return SchemeGroupVersion.WithKind(kind).GroupKind()
+}
+
+// Resource takes an unqualified resource and returns a Group qualified GroupResource.
+func Resource(resource string) schema.GroupResource {
+	return SchemeGroupVersion.WithResource(resource).GroupResource()
+}
+
+// Adds the list of known types to Scheme.
+func addKnownTypes(scheme *runtime.Scheme) error {
+	scheme.AddKnownTypes(SchemeGroupVersion,
+		&IngressRoute{},
+		&IngressRouteList{},
+		&IngressRouteTCP{},
+		&IngressRouteTCPList{},
+		&IngressRouteUDP{},
+		&IngressRouteUDPList{},
+		&Middleware{},
+		&MiddlewareList{},
+		&MiddlewareTCP{},
+		&MiddlewareTCPList{},
+		&TLSOption{},
+		&TLSOptionList{},
+		&TLSStore{},
+		&TLSStoreList{},
+		&TraefikService{},
+		&TraefikServiceList{},
+		&ServersTransport{},
+		&ServersTransportList{},
+		&ServersTransportTCP{},
+		&ServersTransportTCPList{},
+	)
+	metav1.AddToGroupVersion(scheme, SchemeGroupVersion)
+	return nil
+}

pkg/provider/kubernetes/crd/traefikio/v1alpha1/serverstransport.go

@@ -0,0 +1,77 @@
+package v1alpha1
+
+import (
+	"github.com/traefik/traefik/v3/pkg/config/dynamic"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:storageversion
+
+// ServersTransport is the CRD implementation of a ServersTransport.
+// If no serversTransport is specified, the default@internal will be used.
+// The default@internal serversTransport is created from the static configuration.
+// More info: https://doc.traefik.io/traefik/v3.0/routing/services/#serverstransport_1
+type ServersTransport struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata"`
+
+	Spec ServersTransportSpec `json:"spec"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// ServersTransportSpec defines the desired state of a ServersTransport.
+type ServersTransportSpec struct {
+	// ServerName defines the server name used to contact the server.
+	ServerName string `json:"serverName,omitempty"`
+	// InsecureSkipVerify disables SSL certificate verification.
+	InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
+	// RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
+	RootCAsSecrets []string `json:"rootCAsSecrets,omitempty"`
+	// CertificatesSecrets defines a list of secret storing client certificates for mTLS.
+	CertificatesSecrets []string `json:"certificatesSecrets,omitempty"`
+	// MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.
+	MaxIdleConnsPerHost int `json:"maxIdleConnsPerHost,omitempty"`
+	// ForwardingTimeouts defines the timeouts for requests forwarded to the backend servers.
+	ForwardingTimeouts *ForwardingTimeouts `json:"forwardingTimeouts,omitempty"`
+	// DisableHTTP2 disables HTTP/2 for connections with backend servers.
+	DisableHTTP2 bool `json:"disableHTTP2,omitempty"`
+	// PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification.
+	PeerCertURI string `json:"peerCertURI,omitempty"`
+	// Spiffe defines the SPIFFE configuration.
+	Spiffe *dynamic.Spiffe `json:"spiffe,omitempty"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// ForwardingTimeouts holds the timeout configurations for forwarding requests to the backend servers.
+type ForwardingTimeouts struct {
+	// DialTimeout is the amount of time to wait until a connection to a backend server can be established.
+	DialTimeout *intstr.IntOrString `json:"dialTimeout,omitempty"`
+	// ResponseHeaderTimeout is the amount of time to wait for a server's response headers after fully writing the request (including its body, if any).
+	ResponseHeaderTimeout *intstr.IntOrString `json:"responseHeaderTimeout,omitempty"`
+	// IdleConnTimeout is the maximum period for which an idle HTTP keep-alive connection will remain open before closing itself.
+	IdleConnTimeout *intstr.IntOrString `json:"idleConnTimeout,omitempty"`
+	// ReadIdleTimeout is the timeout after which a health check using ping frame will be carried out if no frame is received on the HTTP/2 connection.
+	ReadIdleTimeout *intstr.IntOrString `json:"readIdleTimeout,omitempty"`
+	// PingTimeout is the timeout after which the HTTP/2 connection will be closed if a response to ping is not received.
+	PingTimeout *intstr.IntOrString `json:"pingTimeout,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ServersTransportList is a collection of ServersTransport resources.
+type ServersTransportList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	// Items is the list of ServersTransport.
+	Items []ServersTransport `json:"items"`
+}

pkg/provider/kubernetes/crd/traefikio/v1alpha1/serverstransporttcp.go

@@ -0,0 +1,68 @@
+package v1alpha1
+
+import (
+	"github.com/traefik/traefik/v3/pkg/config/dynamic"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:storageversion
+
+// ServersTransportTCP is the CRD implementation of a TCPServersTransport.
+// If no tcpServersTransport is specified, a default one named default@internal will be used.
+// The default@internal tcpServersTransport can be configured in the static configuration.
+// More info: https://doc.traefik.io/traefik/v3.0/routing/services/#serverstransport_3
+type ServersTransportTCP struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata"`
+
+	Spec ServersTransportTCPSpec `json:"spec"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// ServersTransportTCPSpec defines the desired state of a ServersTransportTCP.
+type ServersTransportTCPSpec struct {
+	// DialTimeout is the amount of time to wait until a connection to a backend server can be established.
+	DialTimeout *intstr.IntOrString `json:"dialTimeout,omitempty"`
+	// DialKeepAlive is the interval between keep-alive probes for an active network connection. If zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative, keep-alive probes are disabled.
+	DialKeepAlive *intstr.IntOrString `json:"dialKeepAlive,omitempty"`
+	// TerminationDelay defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability.
+	TerminationDelay *intstr.IntOrString `json:"terminationDelay,omitempty"`
+	// TLS defines the TLS configuration
+	TLS *TLSClientConfig `description:"Defines the TLS configuration." json:"tls,omitempty"`
+}
+
+// TLSClientConfig defines the desired state of a TLSClientConfig.
+type TLSClientConfig struct {
+	// ServerName defines the server name used to contact the server.
+	ServerName string `json:"serverName,omitempty"`
+	// InsecureSkipVerify disables TLS certificate verification.
+	InsecureSkipVerify bool `json:"insecureSkipVerify,omitempty"`
+	// RootCAsSecrets defines a list of CA secret used to validate self-signed certificates.
+	RootCAsSecrets []string `json:"rootCAsSecrets,omitempty"`
+	// CertificatesSecrets defines a list of secret storing client certificates for mTLS.
+	CertificatesSecrets []string `json:"certificatesSecrets,omitempty"`
+	// MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.
+	// PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification.
+	PeerCertURI string `json:"peerCertURI,omitempty"`
+	// Spiffe defines the SPIFFE configuration.
+	Spiffe *dynamic.Spiffe `json:"spiffe,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// ServersTransportTCPList is a collection of ServersTransportTCP resources.
+type ServersTransportTCPList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	// Items is the list of ServersTransportTCP.
+	Items []ServersTransportTCP `json:"items"`
+}

pkg/provider/kubernetes/crd/traefikio/v1alpha1/service.go

@@ -0,0 +1,85 @@
+package v1alpha1
+
+import (
+	"github.com/traefik/traefik/v3/pkg/config/dynamic"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:storageversion
+
+// TraefikService is the CRD implementation of a Traefik Service.
+// TraefikService object allows to:
+// - Apply weight to Services on load-balancing
+// - Mirror traffic on services
+// More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#kind-traefikservice
+type TraefikService struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata"`
+
+	Spec TraefikServiceSpec `json:"spec"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// TraefikServiceList is a collection of TraefikService resources.
+type TraefikServiceList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	// Items is the list of TraefikService.
+	Items []TraefikService `json:"items"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// TraefikServiceSpec defines the desired state of a TraefikService.
+type TraefikServiceSpec struct {
+	// Weighted defines the Weighted Round Robin configuration.
+	Weighted *WeightedRoundRobin `json:"weighted,omitempty"`
+	// Mirroring defines the Mirroring service configuration.
+	Mirroring *Mirroring `json:"mirroring,omitempty"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// Mirroring holds the mirroring service configuration.
+// More info: https://doc.traefik.io/traefik/v3.0/routing/services/#mirroring-service
+type Mirroring struct {
+	LoadBalancerSpec `json:",inline"`
+
+	// MaxBodySize defines the maximum size allowed for the body of the request.
+	// If the body is larger, the request is not mirrored.
+	// Default value is -1, which means unlimited size.
+	MaxBodySize *int64 `json:"maxBodySize,omitempty"`
+	// Mirrors defines the list of mirrors where Traefik will duplicate the traffic.
+	Mirrors []MirrorService `json:"mirrors,omitempty"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// MirrorService holds the mirror configuration.
+type MirrorService struct {
+	LoadBalancerSpec `json:",inline"`
+
+	// Percent defines the part of the traffic to mirror.
+	// Supported values: 0 to 100.
+	Percent int `json:"percent,omitempty"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// WeightedRoundRobin holds the weighted round-robin configuration.
+// More info: https://doc.traefik.io/traefik/v3.0/routing/services/#weighted-round-robin-service
+type WeightedRoundRobin struct {
+	// Services defines the list of Kubernetes Service and/or TraefikService to load-balance, with weight.
+	Services []Service `json:"services,omitempty"`
+	// Sticky defines whether sticky sessions are enabled.
+	// More info: https://doc.traefik.io/traefik/v3.0/routing/providers/kubernetes-crd/#stickiness-and-load-balancing
+	Sticky *dynamic.Sticky `json:"sticky,omitempty"`
+}

pkg/provider/kubernetes/crd/traefikio/v1alpha1/tlsoption.go

@@ -0,0 +1,71 @@
+package v1alpha1
+
+import (
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:storageversion
+
+// TLSOption is the CRD implementation of a Traefik TLS Option, allowing to configure some parameters of the TLS connection.
+// More info: https://doc.traefik.io/traefik/v3.0/https/tls/#tls-options
+type TLSOption struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata"`
+
+	Spec TLSOptionSpec `json:"spec"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// TLSOptionSpec defines the desired state of a TLSOption.
+type TLSOptionSpec struct {
+	// MinVersion defines the minimum TLS version that Traefik will accept.
+	// Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+	// Default: VersionTLS10.
+	MinVersion string `json:"minVersion,omitempty"`
+	// MaxVersion defines the maximum TLS version that Traefik will accept.
+	// Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13.
+	// Default: None.
+	MaxVersion string `json:"maxVersion,omitempty"`
+	// CipherSuites defines the list of supported cipher suites for TLS versions up to TLS 1.2.
+	// More info: https://doc.traefik.io/traefik/v3.0/https/tls/#cipher-suites
+	CipherSuites []string `json:"cipherSuites,omitempty"`
+	// CurvePreferences defines the preferred elliptic curves in a specific order.
+	// More info: https://doc.traefik.io/traefik/v3.0/https/tls/#curve-preferences
+	CurvePreferences []string `json:"curvePreferences,omitempty"`
+	// ClientAuth defines the server's policy for TLS Client Authentication.
+	ClientAuth ClientAuth `json:"clientAuth,omitempty"`
+	// SniStrict defines whether Traefik allows connections from clients connections that do not specify a server_name extension.
+	SniStrict bool `json:"sniStrict,omitempty"`
+	// ALPNProtocols defines the list of supported application level protocols for the TLS handshake, in order of preference.
+	// More info: https://doc.traefik.io/traefik/v3.0/https/tls/#alpn-protocols
+	ALPNProtocols []string `json:"alpnProtocols,omitempty"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// ClientAuth holds the TLS client authentication configuration.
+type ClientAuth struct {
+	// SecretNames defines the names of the referenced Kubernetes Secret storing certificate details.
+	SecretNames []string `json:"secretNames,omitempty"`
+	// ClientAuthType defines the client authentication type to apply.
+	// +kubebuilder:validation:Enum=NoClientCert;RequestClientCert;RequireAnyClientCert;VerifyClientCertIfGiven;RequireAndVerifyClientCert
+	ClientAuthType string `json:"clientAuthType,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// TLSOptionList is a collection of TLSOption resources.
+type TLSOptionList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	// Items is the list of TLSOption.
+	Items []TLSOption `json:"items"`
+}

pkg/provider/kubernetes/crd/traefikio/v1alpha1/tlsstore.go

@@ -0,0 +1,58 @@
+package v1alpha1
+
+import (
+	"github.com/traefik/traefik/v3/pkg/tls"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+// +kubebuilder:storageversion
+
+// TLSStore is the CRD implementation of a Traefik TLS Store.
+// For the time being, only the TLSStore named default is supported.
+// This means that you cannot have two stores that are named default in different Kubernetes namespaces.
+// More info: https://doc.traefik.io/traefik/v3.0/https/tls/#certificates-stores
+type TLSStore struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ObjectMeta `json:"metadata"`
+
+	Spec TLSStoreSpec `json:"spec"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// TLSStoreSpec defines the desired state of a TLSStore.
+type TLSStoreSpec struct {
+	// DefaultCertificate defines the default certificate configuration.
+	DefaultCertificate *Certificate `json:"defaultCertificate,omitempty"`
+
+	// DefaultGeneratedCert defines the default generated certificate configuration.
+	DefaultGeneratedCert *tls.GeneratedCert `json:"defaultGeneratedCert,omitempty"`
+
+	// Certificates is a list of secret names, each secret holding a key/certificate pair to add to the store.
+	Certificates []Certificate `json:"certificates,omitempty"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// Certificate holds a secret name for the TLSStore resource.
+type Certificate struct {
+	// SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.
+	SecretName string `json:"secretName"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// TLSStoreList is a collection of TLSStore resources.
+type TLSStoreList struct {
+	metav1.TypeMeta `json:",inline"`
+	// Standard object's metadata.
+	// More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
+	metav1.ListMeta `json:"metadata"`
+
+	// Items is the list of TLSStore.
+	Items []TLSStore `json:"items"`
+}