homelab/traefik
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge branch v2.5 into master

Browse source
This commit is contained in:
kevinpollet 2021-11-08 22:41:43 +01:00
commit ce47f200d5
No known key found for this signature in database
GPG key ID: 0C9A5DDD1B292453
70 changed files with 834 additions and 500 deletions
Download patch file Download diff file Expand all files Collapse all files

6
docs/content/getting-started/install-traefik.md
View file

@ -24,7 +24,7 @@ For more details, go to the [Docker provider documentation](../providers/docker.
!!! tip
* Prefer a fixed version than the latest that could be an unexpected version.
ex: `traefik:v2.1.4`
ex: `traefik:v2.5`
* Docker images are based from the [Alpine Linux Official image](https://hub.docker.com/_/alpine).
* Any orchestrator using docker images can fetch the official Traefik docker image.
@ -101,13 +101,13 @@ helm install traefik traefik/traefik
This HelmChart does not expose the Traefik dashboard by default, for security concerns.
Thus, there are multiple ways to expose the dashboard.
For instance, the dashboard access could be achieved through a port-forward :
For instance, the dashboard access could be achieved through a port-forward:
```shell
kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000
```
Accessible with the url: http://127.0.0.1:9000/dashboard/
It can then be reached at: `http://127.0.0.1:9000/dashboard/`
Another way would be to apply your own configuration, for instance,
by defining and applying an IngressRoute CRD (`kubectl apply -f dashboard.yaml`):

6
docs/content/getting-started/quick-start.md
View file

@ -36,7 +36,7 @@ Start your `reverse-proxy` with the following command:
docker-compose up -d reverse-proxy
```
You can open a browser and go to <http://localhost:8080/api/rawdata> to see Traefik's API rawdata (we'll go back there once we have launched a service in step 2).
You can open a browser and go to `http://localhost:8080/api/rawdata` to see Traefik's API rawdata (we'll go back there once we have launched a service in step 2).
## Traefik Detects New Services and Creates the Route for You
@ -61,7 +61,7 @@ Start the `whoami` service with the following command:
docker-compose up -d whoami
```
Go back to your browser (<http://localhost:8080/api/rawdata>) and see that Traefik has automatically detected the new container and updated its own configuration.
Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new container and updated its own configuration.
When Traefik detects new services, it creates the corresponding routes so you can call them ... _let's see!_ (Here, we're using curl)
@ -85,7 +85,7 @@ Run more instances of your `whoami` service with the following command:
docker-compose up -d --scale whoami=2
```
Go back to your browser (<http://localhost:8080/api/rawdata>) and see that Traefik has automatically detected the new instance of the container.
Go back to your browser (`http://localhost:8080/api/rawdata`) and see that Traefik has automatically detected the new instance of the container.
Finally, see that Traefik load-balances between the two instances of your service by running the following command twice:

4
docs/content/https/acme.md
View file

@ -560,7 +560,7 @@ certificatesResolvers:
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.preferredChain="ISRG Root X1"
--certificatesresolvers.myresolver.acme.preferredChain=ISRG Root X1
# ...
```
@ -588,7 +588,7 @@ certificatesResolvers:
```bash tab="CLI"
# ...
--certificatesresolvers.myresolver.acme.keyType="RSA4096"
--certificatesresolvers.myresolver.acme.keyType=RSA4096
# ...
```

3
docs/content/middlewares/http/forwardauth.md
View file

@ -353,7 +353,8 @@ The `tls` option is the TLS configuration from Traefik to the authentication ser
#### `tls.ca`
Certificate Authority used for the secured connection to the authentication server.
Certificate Authority used for the secured connection to the authentication server,
defaults to the system bundle.
```yaml tab="Docker"
labels:

2
docs/content/middlewares/http/inflightreq.md
View file

@ -115,7 +115,7 @@ http:
### `sourceCriterion`
The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
If several strategies are defined at the same time, an error will be raised.
If none are set, the default is to use the `requestHost`.
#### `sourceCriterion.ipStrategy`

2
docs/content/middlewares/http/ratelimit.md
View file

@ -250,7 +250,7 @@ http:
### `sourceCriterion`
The `sourceCriterion` option defines what criterion is used to group requests as originating from a common source.
The precedence order is `ipStrategy`, then `requestHeaderName`, then `requestHost`.
If several strategies are defined at the same time, an error will be raised.
If none are set, the default is to use the request's remote address field (as an `ipStrategy`).
#### `sourceCriterion.ipStrategy`

12
docs/content/migration/v2.md
View file

@ -179,7 +179,7 @@ To enable HTTPS, it is not sufficient anymore to only rely on a TLS section in t
#### Expose an Ingress on 80 and 443
Define the default TLS configuration on the HTTPS entry point.
Define the default TLS configuration on the HTTPS entry point.
```yaml tab="Ingress"
kind: Ingress
@ -335,7 +335,7 @@ The file parser has been changed, since v2.3 the unknown options/fields in a dyn
### IngressClass
In `v2.3`, the support of `IngressClass`, which is available since Kubernetes version `1.18`, has been introduced.
In order to be able to use this new resource the [Kubernetes RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) must be updated.
In order to be able to use this new resource the [Kubernetes RBAC](../reference/dynamic-configuration/kubernetes-crd.md#rbac) must be updated.
## v2.3 to v2.4
@ -350,7 +350,7 @@ It is therefore necessary to update [RBAC](../reference/dynamic-configuration/ku
In `v2.4.8`, we introduced a new check on domain names used in HTTP router rule `Host` and `HostRegexp` expressions,
and in TCP router rule `HostSNI` expression.
This check ensures that provided domain names don't contain non-ASCII characters.
This check ensures that provided domain names don't contain non-ASCII characters.
If not, an error is raised, and the associated router will be shown as invalid in the dashboard.
This new behavior is intended to show what was failing silently previously and to help troubleshooting configuration issues.
@ -380,8 +380,8 @@ To allow it, the `allowExternalNameServices` option should be set to `true`.
### Kubernetes CRD
In `v2.5`, the [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions) have been updated to support the new API version `apiextensions.k8s.io/v1`.
As required by `apiextensions.k8s.io/v1`, we have included the OpenAPI validation schema.
In `v2.5`, the [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions) have been updated to support the new API version `apiextensions.k8s.io/v1`.
As required by `apiextensions.k8s.io/v1`, we have included the OpenAPI validation schema.
After deploying the new [Traefik CRDs](../reference/dynamic-configuration/kubernetes-crd.md#definitions), the resources will be validated only on creation or update.
@ -420,7 +420,7 @@ the legacy behavior related to the CommonName field can not be enabled at all an
### Errors middleware
In `v2.5.4`, when the errors service is configured with the [`PassHostHeader`](../routing/services/index.md#pass-host-header) option to `true` (default),
In `v2.5.4`, when the errors service is configured with the [`PassHostHeader`](../routing/services/index.md#pass-host-header) option to `true` (default),
the forwarded Host header value is now set to the client request Host value and not `0.0.0.0`.
Check out the [Errors middleware](../middlewares/http/errorpages.md#service) documentation for more details.

2
docs/content/observability/access-logs.md
View file

@ -247,7 +247,7 @@ version: "3.7"
services:
traefik:
image: traefik:v2.2
image: traefik:v2.5
environment:
- TZ=US/Alaska
command:

2
docs/content/observability/metrics/datadog.md
View file

@ -59,7 +59,7 @@ metrics:
```bash tab="CLI"
--metrics.datadog.addEntryPointsLabels=true
```
#### `AddRoutersLabels`
#### `addRoutersLabels`
_Optional, Default=false_

2
docs/content/observability/metrics/influxdb.md
View file

@ -170,7 +170,7 @@ metrics:
--metrics.influxdb.addEntryPointsLabels=true
```
#### `AddRoutersLabels`
#### `addRoutersLabels`
_Optional, Default=false_

2
docs/content/observability/metrics/prometheus.md
View file

@ -64,7 +64,7 @@ metrics:
--metrics.prometheus.addEntryPointsLabels=true
```
#### `AddRoutersLabels`
#### `addRoutersLabels`
_Optional, Default=false_

2
docs/content/observability/metrics/statsd.md
View file

@ -60,7 +60,7 @@ metrics:
--metrics.statsd.addEntryPointsLabels=true
```
#### `AddRoutersLabels`
#### `addRoutersLabels`
_Optional, Default=false_

3
docs/content/providers/consul-catalog.md
View file

@ -368,7 +368,8 @@ Defines TLS options for Consul server endpoint.
_Optional_
`ca` is the path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
Certificate Authority used for the secure connection to Consul,
defaults to the system bundle.
```yaml tab="File (YAML)"
providers:

3
docs/content/providers/consul.md
View file

@ -106,7 +106,8 @@ _Optional_
#### `tls.ca`
Certificate Authority used for the secure connection to Consul.
Certificate Authority used for the secure connection to Consul,
defaults to the system bundle.
```yaml tab="File (YAML)"
providers:

3
docs/content/providers/docker.md
View file

@ -615,7 +615,8 @@ _Optional_
#### `tls.ca`
Certificate Authority used for the secure connection to Docker.
Certificate Authority used for the secure connection to Docker,
defaults to the system bundle.
```yaml tab="File (YAML)"
providers:

3
docs/content/providers/etcd.md
View file

@ -106,7 +106,8 @@ _Optional_
#### `tls.ca`
Certificate Authority used for the secure connection to etcd.
Certificate Authority used for the secure connection to etcd,
defaults to the system bundle.
```yaml tab="File (YAML)"
providers:

3
docs/content/providers/http.md
View file

@ -78,7 +78,8 @@ _Optional_
#### `tls.ca`
Certificate Authority used for the secure connection to the configured endpoint.
Certificate Authority used for the secure connection to the configured endpoint,
defaults to the system bundle.
```yaml tab="File (YAML)"
providers:

2
docs/content/providers/kubernetes-crd.md
View file

@ -62,7 +62,7 @@ Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1
If you need Let's Encrypt with HA in a Kubernetes environment, we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/), which includes distributed Let's Encrypt as a supported feature.
If you want to keep using Traefik Proxy, high availability for Let's Encrypt can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
If you want to keep using Traefik Proxy, high availability for Let's Encrypt can be achieved by using a Certificate Controller such as [Cert-Manager](https://cert-manager.io/docs/).
When using Cert-Manager to manage certificates, it creates secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot yet interface directly with the CRDs.
A workaround is to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges.

64
docs/content/providers/kubernetes-ingress.md
View file

@ -36,10 +36,10 @@ and derives the corresponding dynamic configuration from it,
which in turn creates the resulting routers, services, handlers, etc.
```yaml tab="Ingress"
apiVersion: networking.k8s.io/v1
kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
name: "foo"
name: foo
namespace: production
spec:
@ -48,20 +48,26 @@ spec:
http:
paths:
- path: /bar
pathType: Exact
backend:
serviceName: service1
servicePort: 80
service:
name: service1
port:
number: 80
- path: /foo
pathType: Exact
backend:
serviceName: service1
servicePort: 80
service:
name: service1
port:
number: 80
```
```yaml tab="Ingress Kubernetes v1.19+"
```yaml tab="Ingress v1beta1 (deprecated)"
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
name: "foo"
name: foo
namespace: production
spec:
@ -70,19 +76,13 @@ spec:
http:
paths:
- path: /bar
pathType: Exact
backend:
service:
name: service1
port:
number: 80
serviceName: service1
servicePort: 80
- path: /foo
pathType: Exact
backend:
service:
name: service1
port:
number: 80
serviceName: service1
servicePort: 80
```
## LetsEncrypt Support with the Ingress Provider
@ -104,7 +104,7 @@ If you need Let's Encrypt with high availability in a Kubernetes environment,
we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/) which includes distributed Let's Encrypt as a supported feature.
If you want to keep using Traefik Proxy,
LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://cert-manager.io/docs/).
When using Cert-Manager to manage certificates,
it creates secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
@ -272,19 +272,19 @@ Otherwise, Ingresses missing the annotation, having an empty value, or the value
```
```yaml tab="Ingress"
apiVersion: "networking.k8s.io/v1beta1"
kind: "Ingress"
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: "example-ingress"
name: example-ingress
spec:
ingressClassName: "traefik-lb"
ingressClassName: traefik-lb
rules:
- host: "*.example.com"
http:
paths:
- path: "/example"
- path: /example
backend:
serviceName: "example-service"
serviceName: example-service
servicePort: 80
```
@ -303,21 +303,21 @@ Otherwise, Ingresses missing the annotation, having an empty value, or the value
```
```yaml tab="Ingress"
apiVersion: "networking.k8s.io/v1"
kind: "Ingress"
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: "example-ingress"
name: example-ingress
spec:
ingressClassName: "traefik-lb"
ingressClassName: traefik-lb
rules:
- host: "*.example.com"
http:
paths:
- path: "/example"
- path: /example
pathType: Exact
backend:
service:
name: "example-service"
name: example-service
port:
number: 80
```

3
docs/content/providers/marathon.md
View file

@ -406,7 +406,8 @@ _Optional_
#### `tls.ca`
Certificate Authority used for the secure connection to Marathon.
Certificate Authority used for the secure connection to Marathon,
defaults to the system bundle.
```yaml tab="File (YAML)"
providers:

3
docs/content/providers/redis.md
View file

@ -106,7 +106,8 @@ _Optional_
#### `tls.ca`
Certificate Authority used for the secure connection to Redis.
Certificate Authority used for the secure connection to Redis,
defaults to the system bundle.
```yaml tab="File (YAML)"
providers:

3
docs/content/providers/zookeeper.md
View file

@ -106,7 +106,8 @@ _Optional_
#### `tls.ca`
Certificate Authority used for the secure connection to ZooKeeper.
Certificate Authority used for the secure connection to ZooKeeper,
defaults to the system bundle.
```yaml tab="File (YAML)"
providers:

4
docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
View file

@ -1,5 +1,5 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
@ -48,8 +48,8 @@ rules:
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller

2
docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml
View file

@ -45,8 +45,8 @@ rules:
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: gateway-controller

4
docs/content/reference/dynamic-configuration/traefik.containo.us_middlewares.yaml
View file

@ -400,7 +400,7 @@ spec:
info configuration.
properties:
issuer:
description: TLSCLientCertificateIssuerDNInfo holds the client
description: TLSClientCertificateIssuerDNInfo holds the client
TLS certificate distinguished name info configuration. cf
https://tools.ietf.org/html/rfc3739
properties:
@ -428,7 +428,7 @@ spec:
serialNumber:
type: boolean
subject:
description: TLSCLientCertificateSubjectDNInfo holds the client
description: TLSClientCertificateSubjectDNInfo holds the client
TLS certificate distinguished name info configuration. cf
https://tools.ietf.org/html/rfc3739
properties:

6
docs/content/routing/providers/kubernetes-crd.md
View file

@ -131,7 +131,6 @@ The Kubernetes Ingress Controller, The Custom Resource Way.
- tcpep
routes:
- match: HostSNI(`bar`)
kind: Rule
services:
- name: whoamitcp
port: 8080
@ -147,8 +146,7 @@ The Kubernetes Ingress Controller, The Custom Resource Way.
entryPoints:
- udpep
routes:
- kind: Rule
services:
- services:
- name: whoamiudp
port: 8080
```
@ -1224,7 +1222,6 @@ Register the `IngressRouteTCP` [kind](../../reference/dynamic-configuration/kube
routes:
- match: HostSNI(`*`)
kind: Rule
services:
- name: external-svc
port: 80
@ -1254,7 +1251,6 @@ Register the `IngressRouteTCP` [kind](../../reference/dynamic-configuration/kube
routes:
- match: HostSNI(`*`)
kind: Rule
services:
- name: external-svc
port: 80

293
docs/content/routing/providers/kubernetes-ingress.md
View file

@ -15,8 +15,8 @@ which in turn will create the resulting routers, services, handlers, etc.
```yaml tab="RBAC"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
@ -48,8 +48,8 @@ which in turn will create the resulting routers, services, handlers, etc.
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
@ -63,8 +63,37 @@ which in turn will create the resulting routers, services, handlers, etc.
```
```yaml tab="Ingress"
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: myingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: example.com
http:
paths:
- path: /bar
pathType: Exact
backend:
service:
name: whoami
port:
number: 80
- path: /foo
pathType: Exact
backend:
service:
name: whoami
port:
number: 80
```
```yaml tab="Ingress v1beta1 (deprecated)"
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: myingress
annotations:
@ -84,36 +113,7 @@ which in turn will create the resulting routers, services, handlers, etc.
serviceName: whoami
servicePort: 80
```
```yaml tab="Ingress Kubernetes v1.19+"
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
name: myingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: example.com
http:
paths:
- path: /bar
pathType: Exact
backend:
service:
name: whoami
port:
number: 80
- path: /foo
pathType: Exact
backend:
service:
name: whoami
port:
number: 80
```
```yaml tab="Traefik"
apiVersion: v1
kind: ServiceAccount
@ -121,8 +121,8 @@ which in turn will create the resulting routers, services, handlers, etc.
name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik
labels:
@ -166,8 +166,8 @@ which in turn will create the resulting routers, services, handlers, etc.
```
```yaml tab="Whoami"
kind: Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
labels:
@ -209,6 +209,11 @@ which in turn will create the resulting routers, services, handlers, etc.
## Annotations
!!! warning "Referencing resources in annotations"
In an annotation, when referencing a resource defined by another provider,
the [provider namespace syntax](../../providers/overview.md#provider-namespace) must be used.
#### On Ingress
??? info "`traefik.ingress.kubernetes.io/router.entrypoints`"
@ -224,7 +229,7 @@ which in turn will create the resulting routers, services, handlers, etc.
See [middlewares](../routers/index.md#middlewares) and [middlewares overview](../../middlewares/overview.md) for more information.
```yaml
traefik.ingress.kubernetes.io/router.middlewares: auth@file,prefix@kubernetescrd,cb@file
traefik.ingress.kubernetes.io/router.middlewares: auth@file,default-prefix@kubernetescrd
```
??? info "`traefik.ingress.kubernetes.io/router.priority`"
@ -237,7 +242,7 @@ which in turn will create the resulting routers, services, handlers, etc.
??? info "`traefik.ingress.kubernetes.io/router.pathmatcher`"
Overrides the default router rule type used for a path.
Overrides the default router rule type used for a path.
Only path-related matcher name can be specified: `Path`, `PathPrefix`.
Default `PathPrefix`
@ -283,7 +288,7 @@ which in turn will create the resulting routers, services, handlers, etc.
See [options](../routers/index.md#options) for more information.
```yaml
traefik.ingress.kubernetes.io/router.tls.options: foobar
traefik.ingress.kubernetes.io/router.tls.options: foobar@file
```
#### On Service
@ -401,8 +406,8 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
```yaml tab="RBAC"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
@ -434,8 +439,8 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
@ -449,8 +454,37 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
```
```yaml tab="Ingress"
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: myingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
rules:
- host: example.com
http:
paths:
- path: /bar
pathType: Exact
backend:
service:
name: whoami
port:
number: 80
- path: /foo
pathType: Exact
backend:
service:
name: whoami
port:
number: 80
```
```yaml tab="Ingress v1beta1 (deprecated)"
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: myingress
annotations:
@ -470,36 +504,7 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
serviceName: whoami
servicePort: 80
```
```yaml tab="Ingress Kubernetes v1.19+"
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
name: myingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
rules:
- host: example.com
http:
paths:
- path: /bar
pathType: Exact
backend:
service:
name: whoami
port:
number: 80
- path: /foo
pathType: Exact
backend:
service:
name: whoami
port:
number: 80
```
```yaml tab="Traefik"
apiVersion: v1
kind: ServiceAccount
@ -507,8 +512,8 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik
labels:
@ -553,8 +558,8 @@ This way, any Ingress attached to this Entrypoint will have TLS termination by d
```
```yaml tab="Whoami"
kind: Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
labels:
@ -608,8 +613,8 @@ For more options, please refer to the available [annotations](#on-ingress).
```yaml tab="RBAC"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
@ -641,8 +646,8 @@ For more options, please refer to the available [annotations](#on-ingress).
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
@ -656,8 +661,38 @@ For more options, please refer to the available [annotations](#on-ingress).
```
```yaml tab="Ingress"
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: myingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: true
spec:
rules:
- host: example.com
http:
paths:
- path: /bar
pathType: Exact
backend:
service:
name: whoami
port:
number: 80
- path: /foo
pathType: Exact
backend:
service:
name: whoami
port:
number: 80
```
```yaml tab="Ingress v1beta1 (deprecated)"
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: myingress
annotations:
@ -678,37 +713,7 @@ For more options, please refer to the available [annotations](#on-ingress).
serviceName: whoami
servicePort: 80
```
```yaml tab="Ingress Kubernetes v1.19+"
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
name: myingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: true
spec:
rules:
- host: example.com
http:
paths:
- path: /bar
pathType: Exact
backend:
service:
name: whoami
port:
number: 80
- path: /foo
pathType: Exact
backend:
service:
name: whoami
port:
number: 80
```
```yaml tab="Traefik"
apiVersion: v1
kind: ServiceAccount
@ -716,8 +721,8 @@ For more options, please refer to the available [annotations](#on-ingress).
name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: traefik
labels:
@ -761,8 +766,8 @@ For more options, please refer to the available [annotations](#on-ingress).
```
```yaml tab="Whoami"
kind: Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: whoami
labels:
@ -807,8 +812,34 @@ For more options, please refer to the available [annotations](#on-ingress).
??? example "Using a secret"
```yaml tab="Ingress"
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: foo
namespace: production
spec:
rules:
- host: example.net
http:
paths:
- path: /bar
pathType: Exact
backend:
service:
name: service1
port:
number: 80
# Only selects which certificate(s) should be loaded from the secret, in order to terminate TLS.
# Doesn't enable TLS for that ingress (hence for the underlying router).
# Please see the TLS annotations on ingress made for that purpose.
tls:
- secretName: supersecret
```
```yaml tab="Ingress v1beta1 (deprecated)"
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: foo
namespace: production
@ -829,32 +860,6 @@ For more options, please refer to the available [annotations](#on-ingress).
- secretName: supersecret
```
```yaml tab="Ingress Kubernetes v1.19+"
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
name: foo
namespace: production
spec:
rules:
- host: example.net
http:
paths:
- path: /bar
pathType: Exact
backend:
service:
name: service1
port:
number: 80
# Only selects which certificate(s) should be loaded from the secret, in order to terminate TLS.
# Doesn't enable TLS for that ingress (hence for the underlying router).
# Please see the TLS annotations on ingress made for that purpose.
tls:
- secretName: supersecret
```
```yaml tab="Secret"
apiVersion: v1
kind: Secret
@ -900,18 +905,6 @@ and will connect via TLS automatically.
Ingresses can be created that look like the following:
```yaml tab="Ingress"
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: cheese
spec:
defaultBackend:
serviceName: stilton
serverPort: 80
```
```yaml tab="Ingress Kubernetes v1.19+"
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
@ -925,6 +918,18 @@ spec:
number: 80
```
```yaml tab="Ingress v1beta1 (deprecated)"
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: cheese
spec:
defaultBackend:
serviceName: stilton
serverPort: 80
```
This ingress follows the Global Default Backend property of ingresses.
This will allow users to create a "default router" that will match all unmatched requests.

1
docs/content/routing/routers/index.md
View file

@ -251,6 +251,7 @@ The table below lists all the available matchers:
`HostRegexp` and `Path` accept an expression with zero or more groups enclosed by curly braces.
Named groups can be like `{name:pattern}` that matches the given regexp pattern or like `{name}` that matches anything until the next dot.
The group name (`name` is the above examples) is an arbitrary value.
Any pattern supported by [Go's regexp package](https://golang.org/pkg/regexp/) may be used (example: `{subdomain:[a-z]+}.{domain}.com`).
!!! info "Combining Matchers Using Operators and Parenthesis"