Add TCP Middlewares support

integration/fixtures/k8s/01-traefik-crd.yml

@@ -245,6 +245,21 @@ spec:
                   properties:
                     match:
                       type: string
+                    middlewares:
+                      description: Middlewares contains references to MiddlewareTCP
+                        resources.
+                      items:
+                        description: ObjectReference is a generic reference to a Traefik
+                          resource.
+                        properties:
+                          name:
+                            type: string
+                          namespace:
+                            type: string
+                        required:
+                        - name
+                        type: object
+                      type: array
                     services:
                       items:
                         description: ServiceTCP defines an upstream to proxy traffic.
@@ -989,6 +1004,65 @@ status:
   conditions: []
   storedVersions: []
 
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.4.1
+  creationTimestamp: null
+  name: middlewaretcps.traefik.containo.us
+spec:
+  group: traefik.containo.us
+  names:
+    kind: MiddlewareTCP
+    listKind: MiddlewareTCPList
+    plural: middlewaretcps
+    singular: middlewaretcp
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: MiddlewareTCP is a specification for a MiddlewareTCP resource.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: MiddlewareTCPSpec holds the MiddlewareTCP configuration.
+            properties:
+              ipWhiteList:
+                description: TCPIPWhiteList holds the TCP ip white list configuration.
+                properties:
+                  sourceRange:
+                    items:
+                      type: string
+                    type: array
+                type: object
+            type: object
+        required:
+        - metadata
+        - spec
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []
+
 ---
 apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition

integration/fixtures/tcp/ip-whitelist.toml

@@ -0,0 +1,55 @@
+[global]
+  checkNewVersion = false
+  sendAnonymousUsage = false
+
+[log]
+  level = "DEBUG"
+
+[entryPoints]
+  [entryPoints.tcp]
+    address = ":8093"
+
+[api]
+  insecure = true
+
+[providers.file]
+  filename = "{{ .SelfFilename }}"
+
+## dynamic configuration ##
+
+[tcp]
+  [tcp.routers]
+    [tcp.routers.to-whoami-a]
+      entryPoints = ["tcp"]
+      rule = "HostSNI(`whoami-a.test`)"
+      service = "whoami-a"
+      middlewares = ["blocking-ipwhitelist"]
+      [tcp.routers.to-whoami-a.tls]
+        passthrough = true
+
+    [tcp.routers.to-whoami-b]
+      entryPoints = ["tcp"]
+      rule = "HostSNI(`whoami-b.test`)"
+      service = "whoami-b"
+      middlewares = ["allowing-ipwhitelist"]
+      [tcp.routers.to-whoami-b.tls]
+        passthrough = true
+
+  [tcp.services]
+    [tcp.services.whoami-a.loadBalancer]
+      [[tcp.services.whoami-a.loadBalancer.servers]]
+        address = "localhost:8081"
+
+    [tcp.services.whoami-b.loadBalancer]
+      [[tcp.services.whoami-b.loadBalancer.servers]]
+        address = "localhost:8082"
+
+  [tcp.middlewares]
+    [tcp.middlewares.allowing-ipwhitelist.ipWhiteList]
+      sourceRange = ["127.0.0.1/32"]
+    [tcp.middlewares.blocking-ipwhitelist.ipWhiteList]
+      sourceRange = ["127.127.127.127/32"]
+
+[[tls.certificates]]
+  certFile = "fixtures/tcp/whoami-c.crt"
+  keyFile = "fixtures/tcp/whoami-c.key"

integration/tcp_test.go

@@ -200,6 +200,30 @@ func (s *TCPSuite) TestCatchAllNoTLSWithHTTPS(c *check.C) {
 	c.Assert(err, checker.IsNil)
 }
 
+func (s *TCPSuite) TestMiddlewareWhiteList(c *check.C) {
+	file := s.adaptFile(c, "fixtures/tcp/ip-whitelist.toml", struct{}{})
+	defer os.Remove(file)
+
+	cmd, display := s.traefikCmd(withConfigFile(file))
+	defer display(c)
+
+	err := cmd.Start()
+	c.Assert(err, checker.IsNil)
+	defer s.killCmd(cmd)
+
+	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 50*time.Second, try.StatusCodeIs(http.StatusOK), try.BodyContains("HostSNI(`whoami-a.test`)"))
+	c.Assert(err, checker.IsNil)
+
+	// Traefik not passes through, ipWhitelist closes connection
+	_, err = guessWho("127.0.0.1:8093", "whoami-a.test", true)
+	c.Assert(err, checker.NotNil)
+
+	// Traefik passes through, termination handled by whoami-b
+	out, err := guessWho("127.0.0.1:8093", "whoami-b.test", true)
+	c.Assert(err, checker.IsNil)
+	c.Assert(out, checker.Contains, "whoami-b")
+}
+
 func welcome(addr string) (string, error) {
 	tcpAddr, err := net.ResolveTCPAddr("tcp", addr)
 	if err != nil {