Merge current v2.4 into master

romain 2021-06-22 14:05:57 +02:00
commit ce2e02b690
119 changed files with 4628 additions and 4165 deletions

View file

@ -26,18 +26,6 @@ In the process, Traefik will make sure that the user is authenticated (using the
Static configuration:
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
# Listen on port 8081 for incoming requests
address = ":8081"
[providers]
# Enable the file provider to define routers / middlewares / services in file
[providers.file]
directory = "/path/to/dynamic/conf"
```
```yaml tab="File (YAML)"
entryPoints:
web:
@ -50,6 +38,18 @@ providers:
directory: /path/to/dynamic/conf
```
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
# Listen on port 8081 for incoming requests
address = ":8081"
[providers]
# Enable the file provider to define routers / middlewares / services in file
[providers.file]
directory = "/path/to/dynamic/conf"
```
```bash tab="CLI"
# Listen on port 8081 for incoming requests
--entryPoints.web.address=:8081
@ -60,30 +60,6 @@ providers:
Dynamic configuration:
```toml tab="TOML"
# http routing section
[http]
[http.routers]
# Define a connection between requests and services
[http.routers.to-whoami]
rule = "Host(`example.com`) && PathPrefix(`/whoami/`)"
# If the rule matches, applies the middleware
middlewares = ["test-user"]
# If the rule matches, forward to the whoami service (declared below)
service = "whoami"
[http.middlewares]
# Define an authentication mechanism
[http.middlewares.test-user.basicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[http.services]
# Define how to reach an existing service on our infrastructure
[http.services.whoami.loadBalancer]
[[http.services.whoami.loadBalancer.servers]]
url = "http://private/whoami-service"
```
```yaml tab="YAML"
# http routing section
http:
@ -112,6 +88,30 @@ http:
- url: http://private/whoami-service
```
```toml tab="TOML"
# http routing section
[http]
[http.routers]
# Define a connection between requests and services
[http.routers.to-whoami]
rule = "Host(`example.com`) && PathPrefix(`/whoami/`)"
# If the rule matches, applies the middleware
middlewares = ["test-user"]
# If the rule matches, forward to the whoami service (declared below)
service = "whoami"
[http.middlewares]
# Define an authentication mechanism
[http.middlewares.test-user.basicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[http.services]
# Define how to reach an existing service on our infrastructure
[http.services.whoami.loadBalancer]
[[http.services.whoami.loadBalancer.servers]]
url = "http://private/whoami-service"
```
!!! info ""
In this example, we use the [file provider](../providers/file.md).
@ -125,7 +125,18 @@ http:
??? example "Adding a TCP route for TLS requests on whoami.example.com"
**Static Configuration**
```yaml tab="File (YAML)"
entryPoints:
web:
# Listen on port 8081 for incoming requests
address: :8081
providers:
# Enable the file provider to define routers / middlewares / services in file
file:
directory: /path/to/dynamic/conf
```
```toml tab="File (TOML)"
[entryPoints]
[entryPoints.web]
@ -137,64 +148,17 @@ http:
[providers.file]
directory = "/path/to/dynamic/conf"
```
```yaml tab="File (YAML)"
entryPoints:
web:
# Listen on port 8081 for incoming requests
address: :8081
providers:
# Enable the file provider to define routers / middlewares / services in file
file:
directory: /path/to/dynamic/conf
```
```bash tab="CLI"
# Listen on port 8081 for incoming requests
--entryPoints.web.address=:8081
# Enable the file provider to define routers / middlewares / services in file
--providers.file.directory=/path/to/dynamic/conf
```
**Dynamic Configuration**
```toml tab="TOML"
# http routing section
[http]
[http.routers]
# Define a connection between requests and services
[http.routers.to-whoami]
rule = "Host(`example.com`) && PathPrefix(`/whoami/`)"
# If the rule matches, applies the middleware
middlewares = ["test-user"]
# If the rule matches, forward to the whoami service (declared below)
service = "whoami"
[http.middlewares]
# Define an authentication mechanism
[http.middlewares.test-user.basicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[http.services]
# Define how to reach an existing service on our infrastructure
[http.services.whoami.loadBalancer]
[[http.services.whoami.loadBalancer.servers]]
url = "http://private/whoami-service"
[tcp]
[tcp.routers]
[tcp.routers.to-whoami-tcp]
rule = "HostSNI(`whoami-tcp.example.com`)"
service = "whoami-tcp"
[tcp.routers.to-whoami-tcp.tls]
[tcp.services]
[tcp.services.whoami-tcp.loadBalancer]
[[tcp.services.whoami-tcp.loadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
```
```yaml tab="YAML"
# http routing section
http:
@ -237,6 +201,42 @@ http:
- address: xx.xx.xx.xx:xx
```
```toml tab="TOML"
# http routing section
[http]
[http.routers]
# Define a connection between requests and services
[http.routers.to-whoami]
rule = "Host(`example.com`) && PathPrefix(`/whoami/`)"
# If the rule matches, applies the middleware
middlewares = ["test-user"]
# If the rule matches, forward to the whoami service (declared below)
service = "whoami"
[http.middlewares]
# Define an authentication mechanism
[http.middlewares.test-user.basicAuth]
users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"]
[http.services]
# Define how to reach an existing service on our infrastructure
[http.services.whoami.loadBalancer]
[[http.services.whoami.loadBalancer.servers]]
url = "http://private/whoami-service"
[tcp]
[tcp.routers]
[tcp.routers.to-whoami-tcp]
rule = "HostSNI(`whoami-tcp.example.com`)"
service = "whoami-tcp"
[tcp.routers.to-whoami-tcp.tls]
[tcp.services]
[tcp.services.whoami-tcp.loadBalancer]
[[tcp.services.whoami-tcp.loadBalancer.servers]]
address = "xx.xx.xx.xx:xx"
```
## Transport configuration
Most of what happens to the connection between the clients and Traefik,
@ -254,18 +254,18 @@ _Optional, Default=false_
`insecureSkipVerify` disables SSL certificate verification.
```toml tab="File (TOML)"
## Static configuration
[serversTransport]
insecureSkipVerify = true
```
```yaml tab="File (YAML)"
## Static configuration
serversTransport:
insecureSkipVerify: true
```
```toml tab="File (TOML)"
## Static configuration
[serversTransport]
insecureSkipVerify = true
```
```bash tab="CLI"
## Static configuration
--serversTransport.insecureSkipVerify=true
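Review bot: the three `insecureSkipVerify` examples here (TOML, YAML, CLI) all set the option to `true`, and the only prose beside them is "disables SSL certificate verification". Since the blocks are being reordered anyway, add a warning admonition stating that with this set Traefik accepts any certificate a backend presents, and point readers who run a private CA at `rootCAs` instead.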
@ -278,12 +278,6 @@ _Optional_
`rootCAs` is the list of certificates (as file paths, or data bytes)
that will be set as Root Certificate Authorities when using a self-signed TLS certificate.
```toml tab="File (TOML)"
## Static configuration
[serversTransport]
rootCAs = ["foo.crt", "bar.crt"]
```
```yaml tab="File (YAML)"
## Static configuration
serversTransport:
@ -292,6 +286,12 @@ serversTransport:
- bar.crt
```
```toml tab="File (TOML)"
## Static configuration
[serversTransport]
rootCAs = ["foo.crt", "bar.crt"]
```
```bash tab="CLI"
## Static configuration
--serversTransport.rootCAs=foo.crt,bar.crt
@ -303,18 +303,18 @@ _Optional, Default=2_
If non-zero, `maxIdleConnsPerHost` controls the maximum idle (keep-alive) connections to keep per-host.
```toml tab="File (TOML)"
## Static configuration
[serversTransport]
maxIdleConnsPerHost = 7
```
```yaml tab="File (YAML)"
## Static configuration
serversTransport:
maxIdleConnsPerHost: 7
```
```toml tab="File (TOML)"
## Static configuration
[serversTransport]
maxIdleConnsPerHost = 7
```
```bash tab="CLI"
## Static configuration
--serversTransport.maxIdleConnsPerHost=7
@ -331,12 +331,6 @@ _Optional, Default=30s_
`dialTimeout` is the maximum duration allowed for a connection to a backend server to be established.
Zero means no timeout.
```toml tab="File (TOML)"
## Static configuration
[serversTransport.forwardingTimeouts]
dialTimeout = "1s"
```
```yaml tab="File (YAML)"
## Static configuration
serversTransport:
@ -344,6 +338,12 @@ serversTransport:
dialTimeout: 1s
```
```toml tab="File (TOML)"
## Static configuration
[serversTransport.forwardingTimeouts]
dialTimeout = "1s"
```
```bash tab="CLI"
## Static configuration
--serversTransport.forwardingTimeouts.dialTimeout=1s
@ -358,12 +358,6 @@ after fully writing the request (including its body, if any).
This time does not include the time to read the response body.
Zero means no timeout.
```toml tab="File (TOML)"
## Static configuration
[serversTransport.forwardingTimeouts]
responseHeaderTimeout = "1s"
```
```yaml tab="File (YAML)"
## Static configuration
serversTransport:
@ -371,6 +365,12 @@ serversTransport:
responseHeaderTimeout: 1s
```
```toml tab="File (TOML)"
## Static configuration
[serversTransport.forwardingTimeouts]
responseHeaderTimeout = "1s"
```
```bash tab="CLI"
## Static configuration
--serversTransport.forwardingTimeouts.responseHeaderTimeout=1s
@ -384,12 +384,6 @@ _Optional, Default=90s_
will remain idle before closing itself.
Zero means no limit.
```toml tab="File (TOML)"
## Static configuration
[serversTransport.forwardingTimeouts]
idleConnTimeout = "1s"
```
```yaml tab="File (YAML)"
## Static configuration
serversTransport:
@ -397,6 +391,12 @@ serversTransport:
idleConnTimeout: 1s
```
```toml tab="File (TOML)"
## Static configuration
[serversTransport.forwardingTimeouts]
idleConnTimeout = "1s"
```
```bash tab="CLI"
## Static configuration
--serversTransport.forwardingTimeouts.idleConnTimeout=1s

View file

@ -13,15 +13,15 @@ Attach labels to your containers and let Traefik do the rest!
Enabling the docker provider
```toml tab="File (TOML)"
[providers.docker]
```
```yaml tab="File (YAML)"
providers:
docker: {}
```
```toml tab="File (TOML)"
[providers.docker]
```
```bash tab="CLI"
--providers.docker=true
```
@ -82,15 +82,6 @@ Attach labels to your containers and let Traefik do the rest!
Enabling the docker provider (Swarm Mode)
```toml tab="File (TOML)"
[providers.docker]
# swarm classic (1.12-)
# endpoint = "tcp://127.0.0.1:2375"
# docker swarm mode (1.12+)
endpoint = "tcp://127.0.0.1:2377"
swarmMode = true
```
```yaml tab="File (YAML)"
providers:
docker:
@ -101,6 +92,15 @@ Attach labels to your containers and let Traefik do the rest!
swarmMode: true
```
```toml tab="File (TOML)"
[providers.docker]
# swarm classic (1.12-)
# endpoint = "tcp://127.0.0.1:2375"
# docker swarm mode (1.12+)
endpoint = "tcp://127.0.0.1:2377"
swarmMode = true
```
```bash tab="CLI"
# swarm classic (1.12-)
# --providers.docker.endpoint=tcp://127.0.0.1:2375
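Review bot: `endpoint = "tcp://127.0.0.1:2377"` in the re-added TOML block, like the commented `:2375` variant, is a plain TCP Docker endpoint, which is acceptable only because it is loopback. Add a comment in the block saying so, and that a non-local endpoint should go through the provider's TLS options, so the example is not copied as is with a remote manager address.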
@ -266,7 +266,7 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
!!! warning "The character `@` is not authorized in the service name `<service_name>`."
??? info "`traefik.http.services.<service_name>.loadbalancer.server.port`"
Registers a port.
Useful when the container exposes multiples ports.
@ -289,7 +289,7 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
Allows to reference a ServersTransport resource that is defined either with the File provider or the Kubernetes CRD one.
See [serverstransport](../services/index.md#serverstransport) for more information.
```yaml
- "traefik.http.services.<service_name>.loadbalancer.serverstransport=foobar@file"
```
@ -399,9 +399,9 @@ you'd add the label `traefik.http.services.<name-of-your-choice>.loadbalancer.pa
```
??? info "`traefik.http.services.<service_name>.loadbalancer.sticky.cookie.samesite`"
See [sticky sessions](../services/index.md#sticky-sessions) for more information.
```yaml
- "traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite=none"
```

View file

@ -1203,7 +1203,7 @@ Register the `IngressRouteTCP` [kind](../../reference/dynamic-configuration/kube
??? example "Examples"
```yaml tab="IngressRouteTCP"
```yaml tab="Only on IngressRouteTCP"
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
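Review bot: the new tab label `Only on IngressRouteTCP` does not say what is declared only there, so it reads correctly only next to the paragraph above it. Name the field in the label itself so the tab is understandable when a reader lands on the example directly.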
@ -1233,38 +1233,7 @@ Register the `IngressRouteTCP` [kind](../../reference/dynamic-configuration/kube
type: ExternalName
```
```yaml tab="ExternalName Service"
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
name: test.route
namespace: default
spec:
entryPoints:
- foo
routes:
- match: HostSNI(`*`)
kind: Rule
services:
- name: external-svc
---
apiVersion: v1
kind: Service
metadata:
name: external-svc
namespace: default
spec:
externalName: external.domain
type: ExternalName
ports:
- port: 80
```
```yaml tab="Both sides"
```yaml tab="On both sides"
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
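Review bot: confirm that dropping the whole `ExternalName Service` tab is intended and not something lost while resolving the merge. It is the only tab in this hunk where `ports:` is declared on the `ExternalName` Service alone while the route's `services` entry carries just `name: external-svc`. The label remark on the previous hunk applies to `On both sides` as well.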

View file

@ -209,7 +209,7 @@ Kubernetes cluster before creating `HTTPRoute` objects.
- headers: # [8]
type: Exact # [9]
values: # [10]
- foo: bar
foo: bar
forwardTo: # [11]
- serviceName: whoami # [12]
weight: 1 # [13]
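Review bot: under `values: # [10]` the entry changes from a sequence item (`- foo: bar`) to a plain mapping (`foo: bar`), which changes the type of the field in the example. Check that the description attached to callout `[10]` says it is a map of header name to value, and that no other `HTTPRoute` example in the docs still uses the list form.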

View file

@ -12,7 +12,7 @@ which in turn will create the resulting routers, services, handlers, etc.
## Configuration Example
??? example "Configuring Kubernetes Ingress Controller"
```yaml tab="RBAC"
---
kind: ClusterRole
@ -46,7 +46,7 @@ which in turn will create the resulting routers, services, handlers, etc.
- ingresses/status
verbs:
- update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
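Review bot: the `ClusterRoleBinding` in this hunk still uses `apiVersion: rbac.authorization.k8s.io/v1beta1`, which is deprecated in favour of `rbac.authorization.k8s.io/v1`. As the RBAC blocks in this file are all being touched, switch them to `v1` in the same pass; the same applies to the `networking.k8s.io/v1beta1` `Ingress` examples further down.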
@ -61,7 +61,7 @@ which in turn will create the resulting routers, services, handlers, etc.
name: traefik-ingress-controller
namespace: default
```
```yaml tab="Ingress"
kind: Ingress
apiVersion: networking.k8s.io/v1beta1
@ -69,7 +69,7 @@ which in turn will create the resulting routers, services, handlers, etc.
name: myingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: example.com
@ -117,7 +117,7 @@ which in turn will create the resulting routers, services, handlers, etc.
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
@ -125,7 +125,7 @@ which in turn will create the resulting routers, services, handlers, etc.
name: traefik
labels:
app: traefik
spec:
replicas: 1
selector:
@ -146,7 +146,7 @@ which in turn will create the resulting routers, services, handlers, etc.
ports:
- name: web
containerPort: 80
---
apiVersion: v1
kind: Service
@ -162,7 +162,7 @@ which in turn will create the resulting routers, services, handlers, etc.
name: web
targetPort: 80
```
```yaml tab="Whoami"
kind: Deployment
apiVersion: apps/v1
@ -171,7 +171,7 @@ which in turn will create the resulting routers, services, handlers, etc.
labels:
app: traefiklabs
name: whoami
spec:
replicas: 2
selector:
@ -189,13 +189,13 @@ which in turn will create the resulting routers, services, handlers, etc.
image: traefik/whoami
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: whoami
spec:
ports:
- name: http
@ -237,7 +237,7 @@ which in turn will create the resulting routers, services, handlers, etc.
Overrides the default router rule type used for a path.
Only path-related matcher name can be specified: `Path`, `PathPrefix`.
Default `PathPrefix`
```yaml
@ -351,7 +351,7 @@ which in turn will create the resulting routers, services, handlers, etc.
```
## Path Types on Kubernetes 1.18+
If the Kubernetes cluster version is 1.18+,
the new `pathType` property can be leveraged to define the rules matchers:
@ -376,14 +376,6 @@ TLS can be enabled through the [HTTP options](../entrypoints.md#tls) of an Entry
--entrypoints.websecure.http.tls
```
```toml tab="File (TOML)"
# Static configuration
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
```
```yaml tab="File (YAML)"
# Static configuration
entryPoints:
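Review bot: tab order is inconsistent here: the CLI block (`--entrypoints.websecure.http.tls`) comes first and is followed by YAML and then TOML, whereas the other blocks reordered in this commit end up as YAML, TOML, CLI. Move the CLI tab last so the same tab stays selected across pages.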
@ -393,10 +385,18 @@ entryPoints:
tls: {}
```
```toml tab="File (TOML)"
# Static configuration
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
```
This way, any Ingress attached to this Entrypoint will have TLS termination by default.
??? example "Configuring Kubernetes Ingress Controller with TLS on Entrypoint"
```yaml tab="RBAC"
---
kind: ClusterRole
@ -430,7 +430,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
- ingresses/status
verbs:
- update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
@ -445,7 +445,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
name: traefik-ingress-controller
namespace: default
```
```yaml tab="Ingress"
kind: Ingress
apiVersion: networking.k8s.io/v1beta1
@ -453,7 +453,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
name: myingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
rules:
- host: example.com
@ -501,7 +501,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
@ -509,7 +509,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
name: traefik
labels:
app: traefik
spec:
replicas: 1
selector:
@ -531,7 +531,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
ports:
- name: websecure
containerPort: 443
---
apiVersion: v1
kind: Service
@ -547,7 +547,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
name: websecure
targetPort: 443
```
```yaml tab="Whoami"
kind: Deployment
apiVersion: apps/v1
@ -556,7 +556,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
labels:
app: traefiklabs
name: whoami
spec:
replicas: 2
selector:
@ -574,13 +574,13 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
image: traefik/whoami
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: whoami
spec:
ports:
- name: http
@ -597,11 +597,11 @@ To enable TLS on the underlying router created from an Ingress, one should confi
```yaml
traefik.ingress.kubernetes.io/router.tls: "true"
```
For more options, please refer to the available [annotations](#on-ingress).
??? example "Configuring Kubernetes Ingress Controller with TLS"
```yaml tab="RBAC"
---
kind: ClusterRole
@ -635,7 +635,7 @@ For more options, please refer to the available [annotations](#on-ingress).
- ingresses/status
verbs:
- update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
@ -650,7 +650,7 @@ For more options, please refer to the available [annotations](#on-ingress).
name: traefik-ingress-controller
namespace: default
```
```yaml tab="Ingress"
kind: Ingress
apiVersion: networking.k8s.io/v1beta1
@ -659,7 +659,7 @@ For more options, please refer to the available [annotations](#on-ingress).
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: true
spec:
rules:
- host: example.com
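Review bot: `traefik.ingress.kubernetes.io/router.tls: true` in the annotations of this `Ingress` is an unquoted YAML boolean, but annotation values must be strings, so the manifest is rejected when applied as written. Quote it as `"true"`, matching the standalone snippet earlier in the same file (`traefik.ingress.kubernetes.io/router.tls: "true"`).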
@ -708,7 +708,7 @@ For more options, please refer to the available [annotations](#on-ingress).
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
@ -716,7 +716,7 @@ For more options, please refer to the available [annotations](#on-ingress).
name: traefik
labels:
app: traefik
spec:
replicas: 1
selector:
@ -737,7 +737,7 @@ For more options, please refer to the available [annotations](#on-ingress).
ports:
- name: websecure
containerPort: 443
---
apiVersion: v1
kind: Service
@ -753,7 +753,7 @@ For more options, please refer to the available [annotations](#on-ingress).
name: websecure
targetPort: 443
```
```yaml tab="Whoami"
kind: Deployment
apiVersion: apps/v1
@ -762,7 +762,7 @@ For more options, please refer to the available [annotations](#on-ingress).
labels:
app: traefiklabs
name: whoami
spec:
replicas: 2
selector:
@ -780,13 +780,13 @@ For more options, please refer to the available [annotations](#on-ingress).
image: traefik/whoami
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: whoami
spec:
ports:
- name: http
@ -799,14 +799,14 @@ For more options, please refer to the available [annotations](#on-ingress).
### Certificates Management
??? example "Using a secret"
```yaml tab="Ingress"
kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
name: foo
namespace: production
spec:
rules:
- host: example.net
@ -853,7 +853,7 @@ For more options, please refer to the available [annotations](#on-ingress).
kind: Secret
metadata:
name: supersecret
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
@ -862,7 +862,7 @@ For more options, please refer to the available [annotations](#on-ingress).
TLS certificates can be managed in Secrets objects.
!!! info
Only TLS certificates provided by users can be stored in Kubernetes Secrets.
[Let's Encrypt](../../https/acme.md) certificates cannot be managed in Kubernetes Secrets yet.
@ -882,7 +882,7 @@ If either of those configuration options exist, then the backend communication p
and will connect via TLS automatically.
!!! info
Please note that by enabling TLS communication between traefik and your pods,
you will have to have trusted certificates that have the proper trust chain and IP subject name.
If this is not an option, you may need to skip TLS certificate verification.
@ -922,8 +922,8 @@ This ingress follows the Global Default Backend property of ingresses.
This will allow users to create a "default router" that will match all unmatched requests.
!!! info
Due to Traefik's use of priorities, you may have to set this ingress priority lower than other ingresses in your environment,
to avoid this global ingress from satisfying requests that could match other ingresses.
To do this, use the `traefik.ingress.kubernetes.io/router.priority` annotation (as seen in [Annotations on Ingress](#on-ingress)) on your ingresses accordingly.
