homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge current v2.5 into master

Browse source
This commit is contained in:
Tom Moulard 2021-12-06 17:19:29 +01:00
commit 89cd9e8ddd
No known key found for this signature in database
GPG key ID: 521ABE0C1A0DEAF6
102 changed files with 2402 additions and 1429 deletions
Download patch file Download diff file Expand all files Collapse all files

38
docs/content/middlewares/http/forwardauth.md
View file

@ -349,12 +349,16 @@ http:
### `tls`
The `tls` option is the TLS configuration from Traefik to the authentication server.
_Optional_
#### `tls.ca`
Defines the TLS configuration used for the secure connection to the authentication server.
Certificate Authority used for the secured connection to the authentication server,
defaults to the system bundle.
#### `ca`
_Optional_
`ca` is the path to the certificate authority used for the secured connection to the authentication server,
it defaults to the system bundle.
```yaml tab="Docker"
labels:
@ -417,13 +421,15 @@ http:
ca = "path/to/local.crt"
```
#### `tls.caOptional`
#### `caOptional`
The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the authentication server.
_Optional_
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the authentication server.
!!! warning ""
If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
@ -479,9 +485,12 @@ http:
caOptional = true
```
#### `tls.cert`
#### `cert`
The public certificate used for the secure connection to the authentication server.
_Optional_
`cert` is the path to the public certificate used for the secure connection to the authentication server.
When using this option, setting the `key` option is required.
```yaml tab="Docker"
labels:
@ -554,9 +563,12 @@ http:
For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
#### `tls.key`
#### `key`
The private certificate used for the secure connection to the authentication server.
_Optional_
`key` is the path to the private key used for the secure connection to the authentication server.
When using this option, setting the `cert` option is required.
```yaml tab="Docker"
labels:
@ -629,7 +641,9 @@ http:
For security reasons, the field does not exist for Kubernetes IngressRoute, and one should use the `secret` field instead.
#### `tls.insecureSkipVerify`
#### `insecureSkipVerify`
_Optional, Default=false_
If `insecureSkipVerify` is `true`, the TLS connection to the authentication server accepts any certificate presented by the server regardless of the hostnames it covers.

16
docs/content/observability/metrics/overview.md
View file

@ -7,22 +7,6 @@ Traefik supports 4 metrics backends:
- [Prometheus](./prometheus.md)
- [StatsD](./statsd.md)
## Configuration
To enable metrics:
```yaml tab="File (YAML)"
metrics: {}
```
```toml tab="File (TOML)"
[metrics]
```
```bash tab="CLI"
--metrics=true
```
## Server Metrics
| Metric | DataDog | InfluxDB | Prometheus | StatsD |

18
docs/content/providers/consul-catalog.md
View file

@ -362,14 +362,14 @@ providers:
_Optional_
Defines TLS options for Consul server endpoint.
Defines the TLS configuration used for the secure connection to Consul Catalog.
##### `ca`
_Optional_
Certificate Authority used for the secure connection to Consul,
defaults to the system bundle.
`ca` is the path to the certificate authority used for the secure connection to Consul Catalog,
it defaults to the system bundle.
```yaml tab="File (YAML)"
providers:
@ -392,11 +392,11 @@ providers:
_Optional_
The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul Catalog.
!!! warning ""
If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
@ -423,8 +423,7 @@ providers:
_Optional_
`cert` is the path to the public certificate to use for Consul communication.
`cert` is the path to the public certificate used for the secure connection to Consul Catalog.
When using this option, setting the `key` option is required.
```yaml tab="File (YAML)"
@ -451,8 +450,7 @@ providers:
_Optional_
`key` is the path to the private key for Consul communication.
`key` is the path to the private key used for the secure connection to Consul Catalog.
When using this option, setting the `cert` option is required.
```yaml tab="File (YAML)"
@ -477,7 +475,7 @@ providers:
##### `insecureSkipVerify`
_Optional_
_Optional, Default=false_
If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.

36
docs/content/providers/consul.md
View file

@ -104,10 +104,14 @@ providers:
_Optional_
#### `tls.ca`
Defines the TLS configuration used for the secure connection to Consul.
Certificate Authority used for the secure connection to Consul,
defaults to the system bundle.
#### `ca`
_Optional_
`ca` is the path to the certificate authority used for the secure connection to Consul,
it defaults to the system bundle.
```yaml tab="File (YAML)"
providers:
@ -125,13 +129,15 @@ providers:
--providers.consul.tls.ca=path/to/ca.crt
```
#### `tls.caOptional`
#### `caOptional`
The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
_Optional_
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
!!! warning ""
If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
@ -153,9 +159,12 @@ providers:
--providers.consul.tls.caOptional=true
```
#### `tls.cert`
#### `cert`
Public certificate used for the secure connection to Consul.
_Optional_
`cert` is the path to the public certificate used for the secure connection to Consul.
When using this option, setting the `key` option is required.
```yaml tab="File (YAML)"
providers:
@ -176,9 +185,12 @@ providers:
--providers.consul.tls.key=path/to/foo.key
```
#### `tls.key`
#### `key`
Private certificate used for the secure connection to Consul.
_Optional_
`key` is the path to the private key used for the secure connection to Consul.
When using this option, setting the `cert` option is required.
```yaml tab="File (YAML)"
providers:
@ -199,7 +211,9 @@ providers:
--providers.consul.tls.key=path/to/foo.key
```
#### `tls.insecureSkipVerify`
#### `insecureSkipVerify`
_Optional, Default=false_
If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.

34
docs/content/providers/docker.md
View file

@ -613,10 +613,14 @@ providers:
_Optional_
#### `tls.ca`
Defines the TLS configuration used for the secure connection to Docker.
Certificate Authority used for the secure connection to Docker,
defaults to the system bundle.
#### `ca`
_Optional_
`ca` is the path to the certificate authority used for the secure connection to Docker,
it defaults to the system bundle.
```yaml tab="File (YAML)"
providers:
@ -634,13 +638,15 @@ providers:
--providers.docker.tls.ca=path/to/ca.crt
```
#### `tls.caOptional`
#### `caOptional`
The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Docker.
_Optional_
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Docker.
!!! warning ""
If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
@ -662,9 +668,10 @@ providers:
--providers.docker.tls.caOptional=true
```
#### `tls.cert`
#### `cert`
Public certificate used for the secure connection to Docker.
`cert` is the path to the public certificate used for the secure connection to Docker.
When using this option, setting the `key` option is required.
```yaml tab="File (YAML)"
providers:
@ -685,9 +692,12 @@ providers:
--providers.docker.tls.key=path/to/foo.key
```
#### `tls.key`
#### `key`
Private certificate used for the secure connection to Docker.
_Optional_
`key` is the path to the private key used for the secure connection Docker.
When using this option, setting the `cert` option is required.
```yaml tab="File (YAML)"
providers:
@ -708,7 +718,9 @@ providers:
--providers.docker.tls.key=path/to/foo.key
```
#### `tls.insecureSkipVerify`
#### `insecureSkipVerify`
_Optional, Default=false_
If `insecureSkipVerify` is `true`, the TLS connection to Docker accepts any certificate presented by the server regardless of the hostnames it covers.

36
docs/content/providers/etcd.md
View file

@ -104,10 +104,14 @@ providers:
_Optional_
#### `tls.ca`
Defines the TLS configuration used for the secure connection to etcd.
Certificate Authority used for the secure connection to etcd,
defaults to the system bundle.
#### `ca`
_Optional_
`ca` is the path to the certificate authority used for the secure connection to etcd,
it defaults to the system bundle.
```yaml tab="File (YAML)"
providers:
@ -125,13 +129,15 @@ providers:
--providers.etcd.tls.ca=path/to/ca.crt
```
#### `tls.caOptional`
#### `caOptional`
The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to etcd.
_Optional_
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to etcd.
!!! warning ""
If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
@ -153,9 +159,12 @@ providers:
--providers.etcd.tls.caOptional=true
```
#### `tls.cert`
#### `cert`
Public certificate used for the secure connection to etcd.
_Optional_
`cert` is the path to the public certificate used for the secure connection to etcd.
When using this option, setting the `key` option is required.
```yaml tab="File (YAML)"
providers:
@ -176,9 +185,12 @@ providers:
--providers.etcd.tls.key=path/to/foo.key
```
#### `tls.key`
#### `key`
Private certificate used for the secure connection to etcd.
_Optional_
`key` is the path to the private key used for the secure connection to etcd.
When using this option, setting the `cert` option is required.
```yaml tab="File (YAML)"
providers:
@ -199,7 +211,9 @@ providers:
--providers.etcd.tls.key=path/to/foo.key
```
#### `tls.insecureSkipVerify`
#### `insecureSkipVerify`
_Optional, Default=false_
If `insecureSkipVerify` is `true`, the TLS connection to etcd accepts any certificate presented by the server regardless of the hostnames it covers.

38
docs/content/providers/http.md
View file

@ -55,7 +55,7 @@ providers:
_Optional, Default="5s"_
Defines the polling timeout when connecting to the configured endpoint.
Defines the polling timeout when connecting to the endpoint.
```yaml tab="File (YAML)"
providers:
@ -76,10 +76,14 @@ providers:
_Optional_
#### `tls.ca`
Defines the TLS configuration used for the secure connection to the endpoint.
Certificate Authority used for the secure connection to the configured endpoint,
defaults to the system bundle.
#### `ca`
_Optional_
`ca` is the path to the certificate authority used for the secure connection to the endpoint,
it defaults to the system bundle.
```yaml tab="File (YAML)"
providers:
@ -97,13 +101,15 @@ providers:
--providers.http.tls.ca=path/to/ca.crt
```
#### `tls.caOptional`
#### `caOptional`
The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the configured endpoint.
_Optional_
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the endpoint.
!!! warning ""
If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
@ -125,9 +131,12 @@ providers:
--providers.http.tls.caOptional=true
```
#### `tls.cert`
#### `cert`
Public certificate used for the secure connection to the configured endpoint.
_Optional_
`cert` is the path to the public certificate used for the secure connection to the endpoint.
When using this option, setting the `key` option is required.
```yaml tab="File (YAML)"
providers:
@ -148,9 +157,12 @@ providers:
--providers.http.tls.key=path/to/foo.key
```
#### `tls.key`
#### `key`
Private certificate used for the secure connection to the configured endpoint.
_Optional_
`key` is the path to the private key used for the secure connection to the endpoint.
When using this option, setting the `cert` option is required.
```yaml tab="File (YAML)"
providers:
@ -171,7 +183,9 @@ providers:
--providers.http.tls.key=path/to/foo.key
```
#### `tls.insecureSkipVerify`
#### `insecureSkipVerify`
_Optional, Default=false_
If `insecureSkipVerify` is `true`, the TLS connection to the endpoint accepts any certificate presented by the server regardless of the hostnames it covers.

40
docs/content/providers/marathon.md
View file

@ -404,10 +404,12 @@ providers:
_Optional_
#### `tls.ca`
Defines the TLS configuration used for the secure connection to Marathon.
Certificate Authority used for the secure connection to Marathon,
defaults to the system bundle.
#### `ca`
`ca` is the path to the certificate authority used for the secure connection to Marathon,
it defaults to the system bundle.
```yaml tab="File (YAML)"
providers:
@ -425,13 +427,15 @@ providers:
--providers.marathon.tls.ca=path/to/ca.crt
```
#### `tls.caOptional`
#### `caOptional`
The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Marathon.
_Optional_
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Marathon.
!!! warning ""
If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
@ -453,9 +457,12 @@ providers:
--providers.marathon.tls.caOptional=true
```
#### `tls.cert`
#### `cert`
Public certificate used for the secure connection to Marathon.
_Optional_
`cert` is the path to the public certificate used for the secure connection to Marathon.
When using this option, setting the `key` option is required.
```yaml tab="File (YAML)"
providers:
@ -476,9 +483,12 @@ providers:
--providers.marathon.tls.key=path/to/foo.key
```
#### `tls.key`
#### `key`
Private certificate used for the secure connection to Marathon.
_Optional_
`key` is the path to the private key used for the secure connection to Marathon.
When using this option, setting the `cert` option is required.
```yaml tab="File (YAML)"
providers:
@ -499,7 +509,9 @@ providers:
--providers.marathon.tls.key=path/to/foo.key
```
#### `tls.insecureSkipVerify`
#### `insecureSkipVerify`
_Optional, Default=false_
If `insecureSkipVerify` is `true`, the TLS connection to Marathon accepts any certificate presented by the server regardless of the hostnames it covers.
@ -532,18 +544,18 @@ see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
```yaml tab="File (YAML)"
providers:
marathon:
responseHeaderTimeout: "10s"
tlsHandshakeTimeout: "10s"
# ...
```
```toml tab="File (TOML)"
[providers.marathon]
responseHeaderTimeout = "10s"
tlsHandshakeTimeout = "10s"
# ...
```
```bash tab="CLI"
--providers.marathon.responseHeaderTimeout=10s
--providers.marathon.tlsHandshakeTimeout=10s
# ...
```

36
docs/content/providers/redis.md
View file

@ -104,10 +104,14 @@ providers:
_Optional_
#### `tls.ca`
Defines the TLS configuration used for the secure connection to Redis.
Certificate Authority used for the secure connection to Redis,
defaults to the system bundle.
#### `ca`
_Optional_
`ca` is the path to the certificate authority used for the secure connection to Redis,
it defaults to the system bundle.
```yaml tab="File (YAML)"
providers:
@ -125,13 +129,15 @@ providers:
--providers.redis.tls.ca=path/to/ca.crt
```
#### `tls.caOptional`
#### `caOptional`
The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Redis.
_Optional_
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Redis.
!!! warning ""
If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
@ -153,9 +159,12 @@ providers:
--providers.redis.tls.caOptional=true
```
#### `tls.cert`
#### `cert`
Public certificate used for the secure connection to Redis.
_Optional_
`cert` is the path to the public certificate used for the secure connection to Redis.
When using this option, setting the `key` option is required.
```yaml tab="File (YAML)"
providers:
@ -176,9 +185,12 @@ providers:
--providers.redis.tls.key=path/to/foo.key
```
#### `tls.key`
#### `key`
Private certificate used for the secure connection to Redis.
_Optional_
`key` is the path to the private key used for the secure connection to Redis.
When using this option, setting the `cert` option is required.
```yaml tab="File (YAML)"
providers:
@ -199,7 +211,9 @@ providers:
--providers.redis.tls.key=path/to/foo.key
```
#### `tls.insecureSkipVerify`
#### `insecureSkipVerify`
_Optional, Default=false_
If `insecureSkipVerify` is `true`, the TLS connection to Redis accepts any certificate presented by the server regardless of the hostnames it covers.

36
docs/content/providers/zookeeper.md
View file

@ -104,10 +104,14 @@ providers:
_Optional_
#### `tls.ca`
Defines the TLS configuration used for the secure connection to ZooKeeper.
Certificate Authority used for the secure connection to ZooKeeper,
defaults to the system bundle.
#### `ca`
_Optional_
`ca` is the path to the certificate authority used for the secure connection to ZooKeeper,
it defaults to the system bundle.
```yaml tab="File (YAML)"
providers:
@ -125,13 +129,15 @@ providers:
--providers.zookeeper.tls.ca=path/to/ca.crt
```
#### `tls.caOptional`
#### `caOptional`
The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Zookeeper.
_Optional_
The value of `caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Zookeeper.
!!! warning ""
If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
If `ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
@ -153,9 +159,12 @@ providers:
--providers.zookeeper.tls.caOptional=true
```
#### `tls.cert`
#### `cert`
Public certificate used for the secure connection to ZooKeeper.
_Optional_
`cert` is the path to the public certificate used for the secure connection to ZooKeeper.
When using this option, setting the `key` option is required.
```yaml tab="File (YAML)"
providers:
@ -176,9 +185,12 @@ providers:
--providers.zookeeper.tls.key=path/to/foo.key
```
#### `tls.key`
#### `key`
Private certificate used for the secure connection to ZooKeeper.
_Optional_
`key` is the path to the private key used for the secure connection to ZooKeeper.
When using this option, setting the `cert` option is required.
```yaml tab="File (YAML)"
providers:
@ -199,7 +211,9 @@ providers:
--providers.zookeeper.tls.key=path/to/foo.key
```
#### `tls.insecureSkipVerify`
#### `insecureSkipVerify`
_Optional, Default=false_
If `insecureSkipVerify` is `true`, the TLS connection to Zookeeper accepts any certificate presented by the server regardless of the hostnames it covers.

4
docs/content/routing/providers/consul-catalog.md
View file

@ -63,7 +63,7 @@ For example, to change the rule, you could add the tag ```traefik.http.routers.m
See [tls](../routers/index.md#tls) for more information.
```yaml
traefik.http.routers.myrouter>.tls=true
traefik.http.routers.myrouter.tls=true
```
??? info "`traefik.http.routers.<router_name>.tls.certresolver`"
@ -136,7 +136,7 @@ you'd add the tag `traefik.http.services.{name-of-your-choice}.loadbalancer.pass
See [serverstransport](../services/index.md#serverstransport) for more information.
```yaml
traefik.http.services.<service_name>.loadbalancer.serverstransport=foobar@file
traefik.http.services.myservice.loadbalancer.serverstransport=foobar@file
```
??? info "`traefik.http.services.<service_name>.loadbalancer.passhostheader`"

2
docs/content/routing/routers/index.md
View file

@ -251,7 +251,7 @@ The table below lists all the available matchers:
`HostRegexp` and `Path` accept an expression with zero or more groups enclosed by curly braces.
Named groups can be like `{name:pattern}` that matches the given regexp pattern or like `{name}` that matches anything until the next dot.
The group name (`name` is the above examples) is an arbitrary value.
The group name (`name` in the above examples) is an arbitrary value.
Any pattern supported by [Go's regexp package](https://golang.org/pkg/regexp/) may be used (example: `{subdomain:[a-z]+}.{domain}.com`).
!!! info "Combining Matchers Using Operators and Parenthesis"

8
docs/content/routing/services/index.md
View file

@ -336,11 +336,11 @@ Below are the available options for the health check mechanism:
Traefik keeps monitoring the health of unhealthy servers.
If a server has recovered (returning `2xx` -> `3xx` responses again), it will be added back to the load balancer rotation pool.
!!! warning "Health check in Kubernetes"
!!! warning "Health check with Kubernetes"
The Traefik health check is not available for `kubernetesCRD` and `kubernetesIngress` providers because Kubernetes
already has a health check mechanism.
Unhealthy pods will be removed by kubernetes. (cf [liveness documentation](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-liveness-http-request))
Kubernetes has an health check mechanism to remove unhealthy pods from Kubernetes services (cf [readiness probe](https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-readiness-probes)).
As unhealthy pods have no Kubernetes endpoints, Traefik will not forward traffic to them.
Therefore, Traefik health check is not available for `kubernetesCRD` and `kubernetesIngress` providers.
??? example "Custom Interval & Timeout -- Using the [File Provider](../../providers/file.md)"