Support certificates configuration in TLSStore CRD

Co-authored-by: Romain <rtribotte@users.noreply.github.com>
Kevin Pollet 2022-05-19 16:42:09 +02:00 committed by GitHub
parent ae6e844143
commit d5ff301d90
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 252 additions and 75 deletions


@ -364,8 +364,9 @@ spec:
### Strict SNI Checking
With strict SNI checking enabled, Traefik won't allow connections from clients
that do not specify a server_name extension or don't match any certificate configured on the tlsOption.
With strict SNI checking enabled, Traefik won't allow connections from clients that do not specify a server_name extension
or don't match any of the configured certificates.
The default certificate is irrelevant on that matter.
```yaml tab="File (YAML)"
# Dynamic configuration
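Review bot: the closing sentence of the reworded paragraph, "The default certificate is irrelevant on that matter.", does not say whether the default certificate counts as one of "the configured certificates", so a reader cannot tell what happens to a client whose server_name only matches the default certificate. Suggest stating the behaviour directly, for example that the default certificate is never considered a match under strict SNI checking, if that is the intent. Since the paragraph no longer ties the check to the tlsOption, it would also help to say whether certificates added through a TLSStore are included.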


@ -36,9 +36,23 @@ spec:
spec:
description: TLSStoreSpec configures a TLSStore resource.
properties:
certificates:
description: Certificates is a list of secret names, each secret holding
a key/certificate pair to add to the store.
items:
description: Certificate holds a secret name for the TLSStore resource.
properties:
secretName:
description: SecretName is the name of the referenced Kubernetes
Secret to specify the certificate details.
type: string
required:
- secretName
type: object
type: array
defaultCertificate:
description: DefaultCertificate holds a secret name for the TLSOption
resource.
description: DefaultCertificate is the name of the secret holding
the default key/certificate pair for the store.
properties:
secretName:
description: SecretName is the name of the referenced Kubernetes
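Review bot: the `secretName` description under `certificates.items` ("SecretName is the name of the referenced Kubernetes Secret to specify the certificate details.") does not say in which namespace the Secret is looked up or what the Secret must contain. That determines which key material a TLSStore author can load into the store, so it should be spelled out in the schema description. The field is also a bare `type: string`, so an empty name passes validation; consider a minimum length constraint on `secretName`, both here and under `defaultCertificate`.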
@ -47,8 +61,6 @@ spec:
required:
- secretName
type: object
required:
- defaultCertificate
type: object
required:
- metadata
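Review bot: with `required: - defaultCertificate` dropped from the spec schema and `certificates` not required either, a TLSStore with an empty `spec` now validates. Please document what the store serves when `defaultCertificate` is omitted, and consider rejecting a resource that sets neither `certificates` nor `defaultCertificate`, so that an empty store is caught at admission rather than discovered at handshake time.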


@ -1618,25 +1618,27 @@ or referencing TLS stores in the [`IngressRoute`](#kind-ingressroute) / [`Ingres
Traefik currently only uses the [TLS Store named "default"](../../https/tls.md#certificates-stores).
This means that if you have two stores that are named default in different kubernetes namespaces,
they may be randomly chosen.
For the time being, please only configure one TLSSTore named default.
For the time being, please only configure one TLSStore named default.
!!! info "TLSStore Attributes"
```yaml tab="TLSStore"
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
name: default
namespace: default
spec:
defaultCertificate:
secretName: my-secret # [1]
certificates: # [1]
- secretName: foo
- secretName: bar
defaultCertificate: # [2]
secretName: secret
```
| Ref | Attribute | Purpose |
|-----|--------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------|
| [1] | `secretName` | The name of the referenced Kubernetes [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) that holds the default certificate for the store. |
| Ref | Attribute | Purpose |
|-----|----------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------|
| [1] | `certificates` | List of Kubernetes [Secrets](https://kubernetes.io/docs/concepts/configuration/secret/), each of them holding a key/certificate pair to add to the store. |
| [2] | `defaultCertificate` | Name of a Kubernetes [Secret](https://kubernetes.io/docs/concepts/configuration/secret/) that holds the default key/certificate pair for the store. |
??? example "Declaring and referencing a TLSStore"
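Review bot: in the new attributes table, row [2] describes `defaultCertificate` as "Name of a Kubernetes Secret", but in the example it is an object whose `secretName` key carries that name, and the `secretName` row from the previous table is gone. Suggest wording both rows in terms of `secretName`, for example "[2] `defaultCertificate.secretName`". The paragraph above still warns that stores named default in different namespaces "may be randomly chosen"; now that a store can carry a `certificates` list, it is worth saying whether that warning applies to the list as well, because it decides which certificates end up being served.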