homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Allow root CA to be added through config maps

Browse source
This commit is contained in:
Nelson Isioma 2025-03-11 15:38:05 +01:00 committed by GitHub
parent 30fe11eccf
commit ae4a00b4bc
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
16 changed files with 516 additions and 48 deletions
Download patch file Download diff file Expand all files Collapse all files

36
docs/content/migration/v3.md
View file

@ -192,6 +192,8 @@ To be consistent with the naming and other metrics providers, the metric now rep
### Kubernetes CRD Provider
#### Load-Balancing
In `v3.4`, the HTTP service definition has been updated.
The strategy field now supports two new values: `wrr` and `p2c` (please refer to the [HTTP Services Load Balancing documentation](../../routing/services/#load-balancing-strategy) for more details).
@ -202,3 +204,37 @@ kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v3.4/docs/con
```
Please note that the `RoundRobin` strategy value is now deprecated, but still supported and equivalent to `wrr`, and will be removed in the next major release.
#### ServersTransport CA Certificate
In `v3.4`, a new `rootCAs` option has been added to the `ServersTransport` and `ServersTransportTCP` CRDs.
It allows the configuration of CA certificates from both `ConfigMaps` and `Secrets`,
and replaces the `rootCAsSecrets` option, as shown below:
```yaml
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
name: foo
namespace: bar
spec:
rootCAs:
- configMap: ca-config-map
- secret: ca-secret
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransportTCP
metadata:
name: foo
namespace: bar
spec:
rootCAs:
- configMap: ca-config-map
- secret: ca-secret
```
The `rootCAsSecrets` option, which allows only `Secrets` references,
is still supported, but is now deprecated,
and will be removed in the next major release.

56
docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
View file

@ -2252,9 +2252,33 @@ spec:
description: PeerCertURI defines the peer cert URI used to match against
SAN URI during the peer certificate verification.
type: string
rootCAs:
description: RootCAs defines a list of CA certificate Secrets or ConfigMaps
used to validate server certificates.
items:
description: |-
RootCA defines a reference to a Secret or a ConfigMap that holds a CA certificate.
If both a Secret and a ConfigMap reference are defined, the Secret reference takes precedence.
properties:
configMap:
description: |-
ConfigMap defines the name of a ConfigMap that holds a CA certificate.
The referenced ConfigMap must contain a certificate under either a tls.ca or a ca.crt key.
type: string
secret:
description: |-
Secret defines the name of a Secret that holds a CA certificate.
The referenced Secret must contain a certificate under either a tls.ca or a ca.crt key.
type: string
type: object
x-kubernetes-validations:
- message: RootCA cannot have both Secret and ConfigMap defined.
rule: has(self.secret) && has(self.configMap)
type: array
rootCAsSecrets:
description: RootCAsSecrets defines a list of CA secret used to validate
self-signed certificate.
description: |-
RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
items:
type: string
type: array
@ -2373,9 +2397,33 @@ spec:
MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.
PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification.
type: string
rootCAs:
description: RootCAs defines a list of CA certificate Secrets
or ConfigMaps used to validate server certificates.
items:
description: |-
RootCA defines a reference to a Secret or a ConfigMap that holds a CA certificate.
If both a Secret and a ConfigMap reference are defined, the Secret reference takes precedence.
properties:
configMap:
description: |-
ConfigMap defines the name of a ConfigMap that holds a CA certificate.
The referenced ConfigMap must contain a certificate under either a tls.ca or a ca.crt key.
type: string
secret:
description: |-
Secret defines the name of a Secret that holds a CA certificate.
The referenced Secret must contain a certificate under either a tls.ca or a ca.crt key.
type: string
type: object
x-kubernetes-validations:
- message: RootCA cannot have both Secret and ConfigMap defined.
rule: has(self.secret) && has(self.configMap)
type: array
rootCAsSecrets:
description: RootCAsSecrets defines a list of CA secret used to
validate self-signed certificates.
description: |-
RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
items:
type: string
type: array

28
docs/content/reference/dynamic-configuration/traefik.io_serverstransports.yaml
View file

@ -113,9 +113,33 @@ spec:
description: PeerCertURI defines the peer cert URI used to match against
SAN URI during the peer certificate verification.
type: string
rootCAs:
description: RootCAs defines a list of CA certificate Secrets or ConfigMaps
used to validate server certificates.
items:
description: |-
RootCA defines a reference to a Secret or a ConfigMap that holds a CA certificate.
If both a Secret and a ConfigMap reference are defined, the Secret reference takes precedence.
properties:
configMap:
description: |-
ConfigMap defines the name of a ConfigMap that holds a CA certificate.
The referenced ConfigMap must contain a certificate under either a tls.ca or a ca.crt key.
type: string
secret:
description: |-
Secret defines the name of a Secret that holds a CA certificate.
The referenced Secret must contain a certificate under either a tls.ca or a ca.crt key.
type: string
type: object
x-kubernetes-validations:
- message: RootCA cannot have both Secret and ConfigMap defined.
rule: has(self.secret) && has(self.configMap)
type: array
rootCAsSecrets:
description: RootCAsSecrets defines a list of CA secret used to validate
self-signed certificate.
description: |-
RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
items:
type: string
type: array

28
docs/content/reference/dynamic-configuration/traefik.io_serverstransporttcps.yaml
View file

@ -89,9 +89,33 @@ spec:
MaxIdleConnsPerHost controls the maximum idle (keep-alive) to keep per-host.
PeerCertURI defines the peer cert URI used to match against SAN URI during the peer certificate verification.
type: string
rootCAs:
description: RootCAs defines a list of CA certificate Secrets
or ConfigMaps used to validate server certificates.
items:
description: |-
RootCA defines a reference to a Secret or a ConfigMap that holds a CA certificate.
If both a Secret and a ConfigMap reference are defined, the Secret reference takes precedence.
properties:
configMap:
description: |-
ConfigMap defines the name of a ConfigMap that holds a CA certificate.
The referenced ConfigMap must contain a certificate under either a tls.ca or a ca.crt key.
type: string
secret:
description: |-
Secret defines the name of a Secret that holds a CA certificate.
The referenced Secret must contain a certificate under either a tls.ca or a ca.crt key.
type: string
type: object
x-kubernetes-validations:
- message: RootCA cannot have both Secret and ConfigMap defined.
rule: has(self.secret) && has(self.configMap)
type: array
rootCAsSecrets:
description: RootCAsSecrets defines a list of CA secret used to
validate self-signed certificates.
description: |-
RootCAsSecrets defines a list of CA secret used to validate self-signed certificate.
Deprecated: RootCAsSecrets is deprecated, please use the RootCAs option instead.
items:
type: string
type: array

46
docs/content/routing/providers/kubernetes-crd.md
View file

@ -1851,9 +1851,9 @@ Register the `TLSStore` kind in the Kubernetes cluster before creating `TLSStore
spec:
serverName: foobar # [1]
insecureSkipVerify: true # [2]
rootCAsSecrets: # [3]
- foobar
- foobar
rootCAs: # [3]
- configMap: foobar
- secret: foobar
certificatesSecrets: # [4]
- foobar
- foobar
@ -1871,22 +1871,22 @@ Register the `TLSStore` kind in the Kubernetes cluster before creating `TLSStore
trustDomain: "spiffe://trust-domain" # [14]
```
| Ref | Attribute | Purpose |
|------|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [1] | `serverName` | ServerName used to contact the server. |
| [2] | `insecureSkipVerify` | Controls whether the server's certificate chain and host name is verified. |
| [3] | `rootCAsSecrets` | Defines the set of root certificate authorities to use when verifying server certificates. The secret must contain a certificate under either a tls.ca or a ca.crt key. |
| [4] | `certificatesSecrets` | Certificates to present to the server for mTLS. |
| [5] | `maxIdleConnsPerHost` | Controls the maximum idle (keep-alive) connections to keep per-host. If zero, `defaultMaxIdleConnsPerHost` is used. |
| [6] | `forwardingTimeouts` | Timeouts for requests forwarded to the servers. |
| [7] | `dialTimeout` | The amount of time to wait until a connection to a server can be established. If zero, no timeout exists. |
| [8] | `responseHeaderTimeout` | The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. |
| [9] | `idleConnTimeout` | The maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout exists. |
| [10] | `peerCertURI` | URI used to match against SAN URIs during the server's certificate verification. |
| [11] | `disableHTTP2` | Disables HTTP/2 for connections with servers. |
| [12] | `spiffe` | The spiffe configuration. |
| [13] | `ids` | Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain). |
| [14] | `trustDomain` | Defines the allowed SPIFFE trust domain. |
| Ref | Attribute | Purpose |
|------|-------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [1] | `serverName` | ServerName used to contact the server. |
| [2] | `insecureSkipVerify` | Controls whether the server's certificate chain and host name is verified. |
| [3] | `rootCAs` | Defines the set of root certificate authorities to use when verifying server certificates. The referenced Secret or ConfigMap must contain a certificate under either a tls.ca or a ca.crt key. |
| [4] | `certificatesSecrets` | Certificates to present to the server for mTLS. |
| [5] | `maxIdleConnsPerHost` | Controls the maximum idle (keep-alive) connections to keep per-host. If zero, `defaultMaxIdleConnsPerHost` is used. |
| [6] | `forwardingTimeouts` | Timeouts for requests forwarded to the servers. |
| [7] | `dialTimeout` | The amount of time to wait until a connection to a server can be established. If zero, no timeout exists. |
| [8] | `responseHeaderTimeout` | The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. |
| [9] | `idleConnTimeout` | The maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout exists. |
| [10] | `peerCertURI` | URI used to match against SAN URIs during the server's certificate verification. |
| [11] | `disableHTTP2` | Disables HTTP/2 for connections with servers. |
| [12] | `spiffe` | The spiffe configuration. |
| [13] | `ids` | Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain). |
| [14] | `trustDomain` | Defines the allowed SPIFFE trust domain. |
!!! info "CA Secret"
@ -1960,9 +1960,9 @@ The `default@internal` serversTransportTCP is created from the [static configura
serverName: foobar # [5]
insecureSkipVerify: true # [6]
peerCertURI: foobar # [7]
rootCAsSecrets: # [8]
- foobar
- foobar
rootCAs: # [8]
- secret: foobar
- configMap: foobar
certificatesSecrets: # [9]
- foobar
- foobar
@ -1982,7 +1982,7 @@ The `default@internal` serversTransportTCP is created from the [static configura
| [5] | `serverName` | ServerName used to contact the server. |
| [6] | `insecureSkipVerify` | Controls whether the server's certificate chain and host name is verified. |
| [7] | `peerCertURI` | URI used to match against SAN URIs during the server's certificate verification. |
| [8] | `rootCAsSecrets` | Defines the set of root certificate authorities to use when verifying server certificates. The secret must contain a certificate under either a tls.ca or a ca.crt key. |
| [8] | `rootCAs` | Defines the set of root certificate authorities to use when verifying server certificates. The referenced Secret or ConfigMap must contain a certificate under either a tls.ca or a ca.crt key. |
| [9] | `certificatesSecrets` | Certificates to present to the server for mTLS. |
| [10] | `spiffe` | The SPIFFE configuration. |
| [11] | `ids` | Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE TrustDomain). |