Add Support for Consul Connect

Co-authored-by: Florian Apolloner <apollo13@users.noreply.github.com>
2021-07-15 17:32:11 +05:30 · 2021-07-15 17:32:11 +05:30 · 7e43e5615e
commit 7e43e5615e
parent 3a180e2afc
36 changed files with 2118 additions and 644 deletions
--- a/docs/content/providers/consul-catalog.md
+++ b/docs/content/providers/consul-catalog.md
@ -556,6 +556,81 @@ providers:
 # ...
 ```

+### `connectAware`
+
+_Optional, Default=false_
+
+Enable Consul Connect support.
+If set to `true`, Traefik will be enabled to communicate with Connect services.
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  connectAware = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    connectAware: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.connectAware=true
+# ...
+```
+
+### `connectByDefault`
+
+_Optional, Default=false_
+
+Consider every service as Connect capable by default.
+If set to `true`, Traefik will consider every Consul Catalog service to be Connect capable by default.
+The option can be overridden on an instance basis with the `traefik.consulcatalog.connect` tag.
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  connectByDefault = true
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    connectByDefault: true
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.connectByDefault=true
+# ...
+```
+
+### `serviceName`
+
+_Optional, Default="traefik"_
+
+Name of the Traefik service in Consul Catalog.
+
+```toml tab="File (TOML)"
+[providers.consulCatalog]
+  serviceName = "test"
+  # ...
+```
+
+```yaml tab="File (YAML)"
+providers:
+  consulCatalog:
+    serviceName: test
+    # ...
+```
+
+```bash tab="CLI"
+--providers.consulcatalog.serviceName=test
+# ...
+```
+
 ### `constraints`

 _Optional, Default=""_
--- a/docs/content/reference/dynamic-configuration/consul-catalog.yml
+++ b/docs/content/reference/dynamic-configuration/consul-catalog.yml
@ -1 +1,2 @@
 - "traefik.enable=true"
+- "traefik.consulcatalog.connect=true"
--- a/docs/content/reference/dynamic-configuration/file.toml
+++ b/docs/content/reference/dynamic-configuration/file.toml
@ -278,6 +278,7 @@
      rootCAs = ["foobar", "foobar"]
      maxIdleConnsPerHost = 42
      disableHTTP2 = true
+      peerCertURI = "foobar"

      [[http.serversTransports.ServersTransport0.certificates]]
        certFile = "foobar"
@ -296,6 +297,7 @@
      rootCAs = ["foobar", "foobar"]
      maxIdleConnsPerHost = 42
      disableHTTP2 = true
+      peerCertURI = "foobar"

      [[http.serversTransports.ServersTransport1.certificates]]
        certFile = "foobar"
--- a/docs/content/reference/dynamic-configuration/file.yaml
+++ b/docs/content/reference/dynamic-configuration/file.yaml
@ -329,6 +329,7 @@ http:
        responseHeaderTimeout: 42s
        idleConnTimeout: 42s
      disableHTTP2: true
+      peerCertURI: foobar
    ServersTransport1:
      serverName: foobar
      insecureSkipVerify: true
@ -346,6 +347,7 @@ http:
        responseHeaderTimeout: 42s
        idleConnTimeout: 42s
      disableHTTP2: true
+      peerCertURI: foobar
 tcp:
  routers:
    TCPRouter0:
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml
@ -299,6 +299,7 @@ spec:
                      type: string
                    type: object
                  featurePolicy:
+                    description: 'Deprecated: use PermissionsPolicy instead.'
                    type: string
                  forceSTSHeader:
                    type: boolean
@ -310,6 +311,8 @@ spec:
                    type: array
                  isDevelopment:
                    type: boolean
+                  permissionsPolicy:
+                    type: string
                  publicKey:
                    type: string
                  referrerPolicy:
--- a/docs/content/reference/dynamic-configuration/traefik.containo.us_serverstransports.yaml
+++ b/docs/content/reference/dynamic-configuration/traefik.containo.us_serverstransports.yaml
@ -78,6 +78,10 @@ spec:
                description: If non-zero, controls the maximum idle (keep-alive) to
                  keep per-host. If zero, DefaultMaxIdleConnsPerHost is used.
                type: integer
+              peerCertURI:
+                description: URI used to match against SAN URI during the peer certificate
+                  verification.
+                type: string
              rootCAsSecrets:
                description: Add cert file for self-signed certificate.
                items:
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@ -369,6 +369,12 @@ Enable ConsulCatalog backend with default settings. (Default: ```false```)
 `--providers.consulcatalog.cache`:  
 Use local agent caching for catalog reads. (Default: ```false```)

+`--providers.consulcatalog.connectaware`:  
+Enable Consul Connect support. (Default: ```false```)
+
+`--providers.consulcatalog.connectbydefault`:  
+Consider every service as Connect capable by default. (Default: ```false```)
+
 `--providers.consulcatalog.constraints`:  
 Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.

@ -376,7 +382,7 @@ Constraints is an expression that Traefik matches against the container's labels
 Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)

 `--providers.consulcatalog.endpoint.address`:  
-The address of the Consul server (Default: ```127.0.0.1:8500```)
+The address of the Consul server

 `--providers.consulcatalog.endpoint.datacenter`:  
 Data center to use. If not provided, the default agent data center is used
@ -423,6 +429,9 @@ Interval for check Consul API. Default 15s (Default: ```15```)
 `--providers.consulcatalog.requireconsistent`:  
 Forces the read to be fully consistent. (Default: ```false```)

+`--providers.consulcatalog.servicename`:  
+Name of the Traefik service in Consul Catalog (needs to be registered via the orchestrator or manually). (Default: ```traefik```)
+
 `--providers.consulcatalog.stale`:  
 Use stale consistency for catalog reads. (Default: ```false```)

--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@ -342,6 +342,12 @@ Enable ConsulCatalog backend with default settings. (Default: ```false```)
 `TRAEFIK_PROVIDERS_CONSULCATALOG_CACHE`:  
 Use local agent caching for catalog reads. (Default: ```false```)

+`TRAEFIK_PROVIDERS_CONSULCATALOG_CONNECTAWARE`:  
+Enable Consul Connect support. (Default: ```false```)
+
+`TRAEFIK_PROVIDERS_CONSULCATALOG_CONNECTBYDEFAULT`:  
+Consider every service as Connect capable by default. (Default: ```false```)
+
 `TRAEFIK_PROVIDERS_CONSULCATALOG_CONSTRAINTS`:  
 Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.

@ -349,7 +355,7 @@ Constraints is an expression that Traefik matches against the container's labels
 Default rule. (Default: ```Host(`{{ normalize .Name }}`)```)

 `TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_ADDRESS`:  
-The address of the Consul server (Default: ```127.0.0.1:8500```)
+The address of the Consul server

 `TRAEFIK_PROVIDERS_CONSULCATALOG_ENDPOINT_DATACENTER`:  
 Data center to use. If not provided, the default agent data center is used
@ -396,6 +402,9 @@ Interval for check Consul API. Default 15s (Default: ```15```)
 `TRAEFIK_PROVIDERS_CONSULCATALOG_REQUIRECONSISTENT`:  
 Forces the read to be fully consistent. (Default: ```false```)

+`TRAEFIK_PROVIDERS_CONSULCATALOG_SERVICENAME`:  
+Name of the Traefik service in Consul Catalog (needs to be registered via the orchestrator or manually). (Default: ```traefik```)
+
 `TRAEFIK_PROVIDERS_CONSULCATALOG_STALE`:  
 Use stale consistency for catalog reads. (Default: ```false```)

--- a/docs/content/routing/providers/consul-catalog.md
+++ b/docs/content/routing/providers/consul-catalog.md
@ -454,6 +454,16 @@ You can tell Traefik to consider (or not) the service by setting `traefik.enable

 This option overrides the value of `exposedByDefault`.

+#### `traefik.consulcatalog.connect`
+
+```yaml
+traefik.consulcatalog.connect=true
+```
+
+You can tell Traefik to consider (or not) the service as a Connect capable one by setting `traefik.consulcatalog.connect` to true or false.
+
+This option overrides the value of `connectByDefault`.
+
 #### Port Lookup

 Traefik is capable of detecting the port to use, by following the default consul Catalog flow.
--- a/docs/content/routing/providers/kubernetes-crd.md
+++ b/docs/content/routing/providers/kubernetes-crd.md
@ -1648,19 +1648,21 @@ or referencing TLS stores in the [`IngressRoute`](#kind-ingressroute) / [`Ingres
        dialTimeout: 42s               # [7]
        responseHeaderTimeout: 42s     # [8]
        idleConnTimeout: 42s           # [9]
+      peerCertURI: foobar              # [10]
    ```

-| Ref | Attribute               | Purpose                                                                                                                                              |
-|-----|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
-| [1] | `serverName`            | ServerName used to contact the server.                                                                                                               |
-| [2] | `insecureSkipVerify`    | Disable SSL certificate verification.                                                                                                                |
-| [3] | `rootCAsSecrets`        | Add cert file for self-signed certificate. The secret must contain a certificate under either a tls.ca or a ca.crt key.                              |
-| [4] | `certificatesSecrets`   | Certificates for mTLS.                                                                                                                               |
-| [5] | `maxIdleConnsPerHost`   | If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, `defaultMaxIdleConnsPerHost` is used.                                 |
-| [6] | `forwardingTimeouts`    | Timeouts for requests forwarded to the backend servers.                                                                                              |
-| [7] | `dialTimeout`           | The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists.                                    |
-| [8] | `responseHeaderTimeout` | The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. |
-| [9] | `idleConnTimeout`       | The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself.                                              |
+| Ref  | Attribute               | Purpose                                                                                                                                              |
+|------|-------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------|
+| [1]  | `serverName`            | ServerName used to contact the server.                                                                                                               |
+| [2]  | `insecureSkipVerify`    | Disable SSL certificate verification.                                                                                                                |
+| [3]  | `rootCAsSecrets`        | Add cert file for self-signed certificate. The secret must contain a certificate under either a tls.ca or a ca.crt key.                              |
+| [4]  | `certificatesSecrets`   | Certificates for mTLS.                                                                                                                               |
+| [5]  | `maxIdleConnsPerHost`   | If non-zero, controls the maximum idle (keep-alive) to keep per-host. If zero, `defaultMaxIdleConnsPerHost` is used.                                 |
+| [6]  | `forwardingTimeouts`    | Timeouts for requests forwarded to the backend servers.                                                                                              |
+| [7]  | `dialTimeout`           | The amount of time to wait until a connection to a backend server can be established. If zero, no timeout exists.                                    |
+| [8]  | `responseHeaderTimeout` | The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. |
+| [9]  | `idleConnTimeout`       | The maximum period for which an idle HTTP keep-alive connection will remain open before closing itself.                                              |
+| [10] | `peerCertURI`           | URI used to match with service certificate.                                                                                                          |

 !!! info "CA Secret"

--- a/docs/content/routing/services/index.md
+++ b/docs/content/routing/services/index.md
@ -738,6 +738,37 @@ spec:
    disableHTTP2: true
 ```

+#### `peerCertURI`
+
+_Optional, Default=false_
+
+`peerCertURI` defines the URI used to match against SAN URI during the peer certificate verification.
+
+```toml tab="File (TOML)"
+## Dynamic configuration
+[http.serversTransports.mytransport]
+  peerCertURI = "foobar"
+```
+
+```yaml tab="File (YAML)"
+## Dynamic configuration
+http:
+  serversTransports:
+    mytransport:
+      peerCertURI: foobar
+```
+
+```yaml tab="Kubernetes"
+apiVersion: traefik.containo.us/v1alpha1
+kind: ServersTransport
+metadata:
+  name: mytransport
+  namespace: default
+
+spec:
+    peerCertURI: foobar
+```
+
 #### `forwardingTimeouts`

 `forwardingTimeouts` is about a number of timeouts relevant to when forwarding requests to the backend servers.