Merge branch v3.1 into master

2024-08-06 16:38:39 +02:00 · 2024-08-06 16:38:39 +02:00 · b611f967b7
commit b611f967b7
parent bd93e224de 4c4780f886
36 changed files with 2917 additions and 2537 deletions
--- a/docs/content/index.md
+++ b/docs/content/index.md
@ -7,16 +7,22 @@ description: "Traefik Proxy, an open source Edge Router, auto-discovers configur

 ![Architecture](assets/img/traefik-architecture.png)

-Traefik is an [open-source](https://github.com/traefik/traefik) *Edge Router* that makes publishing your services a fun and easy experience. 
-It receives requests on behalf of your system and finds out which components are responsible for handling them. 
+Traefik is an [open-source](https://github.com/traefik/traefik) *Application Proxy* that makes publishing your services a fun and easy experience. 
+It receives requests on behalf of your system and identifies which components are responsible for handling them, and routes them securely. 

 What sets Traefik apart, besides its many features, is that it automatically discovers the right configuration for your services. 
 The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request. 

-Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker, Docker Swarm, AWS, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
+Traefik is natively compliant with every major cluster technology, such as Kubernetes, Docker Swarm, AWS, and [the list goes on](providers/overview.md); and can handle many at the same time. (It even works for legacy software running on bare metal.)
 
 With Traefik, there is no need to maintain and synchronize a separate configuration file: everything happens automatically, in real time (no restarts, no connection interruptions).
-With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.   
+With Traefik, you spend time developing and deploying new features to your system, not on configuring and maintaining its working state.
+
+And if your needs change, you can add API gateway and API management capabilities seamlessly to your existing Traefik deployments. It takes less than a minute, there’s no rip-and-replace, and all your configurations are preserved. See how it works in this video:
+
+<div style="text-align: center;">
+    <iframe src="https://www.youtube.com/embed/zriUO5YPgFg?modestbranding=1&rel=0&controls=1" width="560" height="315" title="Upgrade Traefik Proxy to API Gateway and API Management in Seconds // Traefik Labs" frameborder="0" allowfullscreen></iframe>
+</div>

 Developing Traefik, our main goal is to make it effortless to use, and we're sure you'll enjoy it.

@ -26,4 +32,4 @@ Developing Traefik, our main goal is to make it effortless to use, and we're sur

    Join our user friendly and active [Community Forum](https://community.traefik.io "Link to Traefik Community Forum") to discuss, learn, and connect with the Traefik community.

-    Using Traefik OSS in Production? Add enterprise-grade API Gateway and API Management capabilities to your existing deployments seamlessly. No rip and replace. No learning curve. Learn more from [this short video](https://info.traefik.io/traefik-upgrade-walkthrough)
+    Using Traefik OSS in Production? Consider our enterprise-grade [API Gateway](https://traefik.io/traefik-hub-api-gateway/), [API Management](https://traefik.io/traefik-hub/), and [Commercial Support](https://info.traefik.io/request-commercial-support) solutions.
--- a/docs/content/migration/v2-to-v3-details.md
+++ b/docs/content/migration/v2-to-v3-details.md
@ -591,6 +591,11 @@ Please take a look at the observability documentation for more information:
 - [Metrics](../observability/metrics/overview.md#addinternals)
 - [Tracing](../observability/tracing/overview.md#addinternals)

+#### Access logs
+
+In v3, the `ServiceURL` field is not an object anymore but a string representation.
+An update may be required if you index access logs.
+
 ## Dynamic Configuration Changes

 ### Router Rule Matchers
--- a/docs/content/migration/v2.md
+++ b/docs/content/migration/v2.md
@ -455,7 +455,7 @@ To enable HTTP/3 on an EntryPoint, please check out the [HTTP/3 configuration](.

 In `v2.6`, the [Kubernetes Gateway API provider](../providers/kubernetes-gateway.md) now only supports the version [v1alpha2](https://gateway-api.sigs.k8s.io/v1alpha2/guides/) of the specification and 
 [route namespaces](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1beta1.RouteNamespaces) selectors, which requires Traefik to fetch and watch the cluster namespaces.
-Therefore, the [RBAC](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) and [CRD](../reference/dynamic-configuration/kubernetes-gateway.md#definitions) definitions must be updated.
+Therefore, the RBAC and CRD definitions must be updated.

 ## v2.6.0 to v2.6.1

--- a/docs/content/migration/v3.md
+++ b/docs/content/migration/v3.md
@ -10,9 +10,11 @@ description: "Learn the steps needed to migrate to new Traefik Proxy v3 versions
 ### Kubernetes Provider RBACs

 Starting with v3.1, the Kubernetes Providers now use the [EndpointSlices API](https://kubernetes.io/docs/concepts/services-networking/endpoint-slices/) (Kubernetes >=v1.21) to discover service endpoint addresses.
+It also brings NodePort load-balancing which requires Nodes resources lookup.

-Therefore, in the corresponding RBACs (see [KubernetesIngress](../routing/providers/kubernetes-ingress.md#configuration-example), [KubernetesCRD](../reference/dynamic-configuration/kubernetes-crd.md#rbac), and [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway.md#rbac) provider RBACs), 
-the `endpoints` right has to be removed and the following `endpointslices` right has to be added.
+Therefore, in the corresponding RBACs (see [KubernetesIngress](../routing/providers/kubernetes-ingress.md#configuration-example), [KubernetesCRD](../reference/dynamic-configuration/kubernetes-crd.md#rbac), and [KubernetesGateway](../reference/dynamic-configuration/kubernetes-gateway-rbac.yml) provider RBACs):
+
+- the `endpoints` right has to be removed and the following `endpointslices` right has to be added:

 ```yaml
  ... 
@ -26,6 +28,21 @@ the `endpoints` right has to be removed and the following `endpointslices` right
  ...
 ```

+- the `nodes` right has to be added:
+
+```yaml
+  ...
+  - apiGroups:
+      - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+      - list
+      - watch
+  ...
+```
+
 #### Gateway API: KubernetesGateway Provider

 In v3.1, the KubernetesGateway Provider is no longer an experimental feature.
@ -51,3 +68,10 @@ It can be enabled without the associated `experimental.kubernetesgateway` option

 The `kubernetesgateway` option should be removed from the experimental section of the static configuration.
 To configure `kubernetesgateway`, please check out the [KubernetesGateway Provider documentation](../providers/kubernetes-gateway.md).
+
+## v3.1.0 to v3.1.1
+
+### IngressClass Lookup
+
+The Kubernetes Ingress provider option `disableIngressClassLookup` has been deprecated in v3.1.1, and will be removed in the next major version.
+Please use the `disableClusterScopeResources` option instead to avoid cluster scope resources discovery (IngressClass, Nodes).
--- a/docs/content/providers/http.md
+++ b/docs/content/providers/http.md
@ -84,8 +84,9 @@ Defines custom headers to be sent to the endpoint.

 ```yaml tab="File (YAML)"
 providers:
-  headers:
-    name: value
+  http:
+    headers:
+      name: value
 ```

 ```toml tab="File (TOML)"
@ -95,6 +96,7 @@ providers:

 ```bash tab="CLI"
 --providers.http.headers.name=value
+```

 ### `tls`

--- a/docs/content/providers/kubernetes-gateway.md
+++ b/docs/content/providers/kubernetes-gateway.md
@ -8,7 +8,7 @@ description: "Learn how to use the Kubernetes Gateway API as a provider for conf
 The Kubernetes Gateway provider is a Traefik implementation of the [Gateway API](https://gateway-api.sigs.k8s.io/) 
 specification from the Kubernetes Special Interest Groups (SIGs).

-This provider supports version [v1.1.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.1.0) of the Gateway API specification. 
+This provider supports Standard version [v1.1.0](https://github.com/kubernetes-sigs/gateway-api/releases/tag/v1.1.0) of the Gateway API specification. 

 It fully supports all HTTP core and some extended features, as well as the `TCPRoute` and `TLSRoute` resources from the [Experimental channel](https://gateway-api.sigs.k8s.io/concepts/versioning/?h=#release-channels).

@ -26,10 +26,10 @@ For more details, check out the conformance [report](https://github.com/kubernet
 1. Install/update the Kubernetes Gateway API CRDs.

    ```bash
-    # Install Gateway API CRDs from the Experimental channel.
-    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/experimental-install.yaml
+    # Install Gateway API CRDs from the Standard channel.
+    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/standard-install.yaml
    ```
-    
+
 2. Install/update the Traefik [RBAC](../reference/dynamic-configuration/kubernetes-gateway.md#rbac).

    ```bash
@ -38,7 +38,7 @@ For more details, check out the conformance [report](https://github.com/kubernet
    ```

 3. Deploy Traefik and enable the `kubernetesGateway` provider in the static configuration as detailed below:
-       
+
       ```yaml tab="File (YAML)"
       providers:
         kubernetesGateway: {}
@ -269,6 +269,15 @@ providers:
 --providers.kubernetesgateway.experimentalchannel=true
 ```

+!!! info "Experimental Channel"
+
+    When enabling experimental channel resources support, the experimental CRDs (Custom Resource Definitions) needs to be deployed too.
+
+    ```bash
+    # Install Gateway API CRDs from the Experimental channel.
+    kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.1.0/experimental-install.yaml
+    ```
+
 ### `labelselector`

 _Optional, Default: ""_
--- a/docs/content/providers/kubernetes-ingress.md
+++ b/docs/content/providers/kubernetes-ingress.md
@ -287,6 +287,11 @@ providers:

 _Optional, Default: false_

+??? warning "Deprecated"
+
+    The Kubernetes Ingress provider option `disableIngressClassLookup` has been deprecated in v3.1, and will be removed in the next major version.
+	Please use the `disableClusterScopeResources` option instead.
+
 If the parameter is set to `true`,
 Traefik will not discover IngressClasses in the cluster.
 By doing so, it alleviates the requirement of giving Traefik the rights to look IngressClasses up.
@ -312,6 +317,33 @@ providers:
 --providers.kubernetesingress.disableingressclasslookup=true
 ```

+### `disableClusterScopeResources`
+
+_Optional, Default: false_
+
+When this parameter is set to `true`,
+Traefik will not discover cluster scope resources (`IngressClass` and `Nodes`).
+By doing so, it alleviates the requirement of giving Traefik the rights to look up for cluster resources.
+Furthermore, Traefik will not handle Ingresses with IngressClass references, therefore such Ingresses will be ignored (please note that annotations are not affected by this option).
+This will also prevent from using the `NodePortLB` options on services.
+
+```yaml tab="File (YAML)"
+providers:
+  kubernetesIngress:
+    disableClusterScopeResources: true
+    # ...
+```
+
+```toml tab="File (TOML)"
+[providers.kubernetesIngress]
+  disableClusterScopeResources = true
+  # ...
+```
+
+```bash tab="CLI"
+--providers.kubernetesingress.disableClusterScopeResources=true
+```
+
 ### `ingressEndpoint`

 #### `hostname`
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@ -732,6 +732,9 @@ Allow ExternalName services. (Default: ```false```)
 `--providers.kubernetescrd.certauthfilepath`:  
 Kubernetes certificate authority file path (not needed for in-cluster client).

+`--providers.kubernetescrd.disableclusterscoperesources`:  
+Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). (Default: ```false```)
+
 `--providers.kubernetescrd.endpoint`:  
 Kubernetes server endpoint (required for external cluster client).

@ -804,8 +807,11 @@ Allow ExternalName services. (Default: ```false```)
 `--providers.kubernetesingress.certauthfilepath`:  
 Kubernetes certificate authority file path (not needed for in-cluster client).

+`--providers.kubernetesingress.disableclusterscoperesources`:  
+Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). (Default: ```false```)
+
 `--providers.kubernetesingress.disableingressclasslookup`:  
-Disables the lookup of IngressClasses. (Default: ```false```)
+Disables the lookup of IngressClasses (Deprecated, please use DisableClusterScopeResources). (Default: ```false```)

 `--providers.kubernetesingress.endpoint`:  
 Kubernetes server endpoint (required for external cluster client).
--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@ -732,6 +732,9 @@ Allow ExternalName services. (Default: ```false```)
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_CERTAUTHFILEPATH`:  
 Kubernetes certificate authority file path (not needed for in-cluster client).

+`TRAEFIK_PROVIDERS_KUBERNETESCRD_DISABLECLUSTERSCOPERESOURCES`:  
+Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). (Default: ```false```)
+
 `TRAEFIK_PROVIDERS_KUBERNETESCRD_ENDPOINT`:  
 Kubernetes server endpoint (required for external cluster client).

@ -804,8 +807,11 @@ Allow ExternalName services. (Default: ```false```)
 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS_CERTAUTHFILEPATH`:  
 Kubernetes certificate authority file path (not needed for in-cluster client).

+`TRAEFIK_PROVIDERS_KUBERNETESINGRESS_DISABLECLUSTERSCOPERESOURCES`:  
+Disables the lookup of cluster scope resources (incompatible with IngressClasses and NodePortLB enabled services). (Default: ```false```)
+
 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS_DISABLEINGRESSCLASSLOOKUP`:  
-Disables the lookup of IngressClasses. (Default: ```false```)
+Disables the lookup of IngressClasses (Deprecated, please use DisableClusterScopeResources). (Default: ```false```)

 `TRAEFIK_PROVIDERS_KUBERNETESINGRESS_ENDPOINT`:  
 Kubernetes server endpoint (required for external cluster client).
--- a/docs/content/reference/static-configuration/file.toml
+++ b/docs/content/reference/static-configuration/file.toml
@ -128,6 +128,7 @@
    allowEmptyServices = true
    allowExternalNameServices = true
    disableIngressClassLookup = true
+    disableClusterScopeResources = true
    nativeLBByDefault = true
    [providers.kubernetesIngress.ingressEndpoint]
      ip = "foobar"
@ -145,6 +146,7 @@
    throttleDuration = "42s"
    allowEmptyServices = true
    nativeLBByDefault = true
+    disableClusterScopeResources = true
  [providers.kubernetesGateway]
    endpoint = "foobar"
    token = "foobar"
--- a/docs/content/reference/static-configuration/file.yaml
+++ b/docs/content/reference/static-configuration/file.yaml
@ -145,6 +145,7 @@ providers:
    allowEmptyServices: true
    allowExternalNameServices: true
    disableIngressClassLookup: true
+    disableClusterScopeResources: true
    nativeLBByDefault: true
  kubernetesCRD:
    endpoint: foobar
@ -160,6 +161,7 @@ providers:
    throttleDuration: 42s
    allowEmptyServices: true
    nativeLBByDefault: true
+    disableClusterScopeResources: true
  kubernetesGateway:
    endpoint: foobar
    token: foobar