Add TCP Middlewares support

2021-06-11 15:30:05 +02:00 · 2021-06-11 15:30:05 +02:00 · fc9f41b955
commit fc9f41b955
parent 679def0151
134 changed files with 5865 additions and 1852 deletions
--- a/pkg/provider/kubernetes/crd/client.go
+++ b/pkg/provider/kubernetes/crd/client.go
@ -36,6 +36,7 @@ type Client interface {
 	GetIngressRouteTCPs() []*v1alpha1.IngressRouteTCP
 	GetIngressRouteUDPs() []*v1alpha1.IngressRouteUDP
 	GetMiddlewares() []*v1alpha1.Middleware
+	GetMiddlewareTCPs() []*v1alpha1.MiddlewareTCP
 	GetTraefikService(namespace, name string) (*v1alpha1.TraefikService, bool, error)
 	GetTraefikServices() []*v1alpha1.TraefikService
 	GetTLSOptions() []*v1alpha1.TLSOption
@ -166,6 +167,7 @@ func (c *clientWrapper) WatchAll(namespaces []string, stopCh <-chan struct{}) (<
 		factoryCrd := externalversions.NewSharedInformerFactoryWithOptions(c.csCrd, resyncPeriod, externalversions.WithNamespace(ns), externalversions.WithTweakListOptions(matchesLabelSelector))
 		factoryCrd.Traefik().V1alpha1().IngressRoutes().Informer().AddEventHandler(eventHandler)
 		factoryCrd.Traefik().V1alpha1().Middlewares().Informer().AddEventHandler(eventHandler)
+		factoryCrd.Traefik().V1alpha1().MiddlewareTCPs().Informer().AddEventHandler(eventHandler)
 		factoryCrd.Traefik().V1alpha1().IngressRouteTCPs().Informer().AddEventHandler(eventHandler)
 		factoryCrd.Traefik().V1alpha1().IngressRouteUDPs().Informer().AddEventHandler(eventHandler)
 		factoryCrd.Traefik().V1alpha1().TLSOptions().Informer().AddEventHandler(eventHandler)
@ -270,6 +272,20 @@ func (c *clientWrapper) GetMiddlewares() []*v1alpha1.Middleware {
 	return result
 }

+func (c *clientWrapper) GetMiddlewareTCPs() []*v1alpha1.MiddlewareTCP {
+	var result []*v1alpha1.MiddlewareTCP
+
+	for ns, factory := range c.factoriesCrd {
+		middlewares, err := factory.Traefik().V1alpha1().MiddlewareTCPs().Lister().List(labels.Everything())
+		if err != nil {
+			log.Errorf("Failed to list TCP middlewares in namespace %s: %v", ns, err)
+		}
+		result = append(result, middlewares...)
+	}
+
+	return result
+}
+
 // GetTraefikService returns the named service from the given namespace.
 func (c *clientWrapper) GetTraefikService(namespace, name string) (*v1alpha1.TraefikService, bool, error) {
 	if !c.isWatchedNamespace(namespace) {
--- a/pkg/provider/kubernetes/crd/client_mock_test.go
+++ b/pkg/provider/kubernetes/crd/client_mock_test.go
@ -34,6 +34,7 @@ type clientMock struct {
 	ingressRouteTCPs []*v1alpha1.IngressRouteTCP
 	ingressRouteUDPs []*v1alpha1.IngressRouteUDP
 	middlewares      []*v1alpha1.Middleware
+	middlewareTCPs   []*v1alpha1.MiddlewareTCP
 	tlsOptions       []*v1alpha1.TLSOption
 	tlsStores        []*v1alpha1.TLSStore
 	traefikServices  []*v1alpha1.TraefikService
@ -66,6 +67,8 @@ func newClientMock(paths ...string) clientMock {
 				c.ingressRouteUDPs = append(c.ingressRouteUDPs, o)
 			case *v1alpha1.Middleware:
 				c.middlewares = append(c.middlewares, o)
+			case *v1alpha1.MiddlewareTCP:
+				c.middlewareTCPs = append(c.middlewareTCPs, o)
 			case *v1alpha1.TraefikService:
 				c.traefikServices = append(c.traefikServices, o)
 			case *v1alpha1.TLSOption:
@ -101,6 +104,10 @@ func (c clientMock) GetMiddlewares() []*v1alpha1.Middleware {
 	return c.middlewares
 }

+func (c clientMock) GetMiddlewareTCPs() []*v1alpha1.MiddlewareTCP {
+	return c.middlewareTCPs
+}
+
 func (c clientMock) GetTraefikService(namespace, name string) (*v1alpha1.TraefikService, bool, error) {
 	for _, svc := range c.traefikServices {
 		if svc.Namespace == namespace && svc.Name == name {
--- a/pkg/provider/kubernetes/crd/fixtures/tcp/with_middleware.yml
+++ b/pkg/provider/kubernetes/crd/fixtures/tcp/with_middleware.yml
@ -0,0 +1,41 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: MiddlewareTCP
+metadata:
+  name: ipwhitelist
+  namespace: default
+spec:
+  ipWhiteList:
+    sourceRange:
+      - 127.0.0.1/32
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: MiddlewareTCP
+metadata:
+  name: ipwhitelist
+  namespace: foo
+spec:
+  ipWhiteList:
+    sourceRange:
+      - 127.0.0.1/32
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: test.route
+  namespace: default
+
+spec:
+  entryPoints:
+    - foo
+
+  routes:
+    - match: HostSNI(`foo.com`)
+      services:
+        - name: whoamitcp
+          port: 8000
+
+      middlewares:
+        - name: ipwhitelist
+        - name: ipwhitelist
+          namespace: foo
--- a/pkg/provider/kubernetes/crd/fixtures/tcp/with_middleware_crossprovider.yml
+++ b/pkg/provider/kubernetes/crd/fixtures/tcp/with_middleware_crossprovider.yml
@ -0,0 +1,44 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: MiddlewareTCP
+metadata:
+  name: ipwhitelist
+  namespace: default
+spec:
+  ipWhiteList:
+    sourceRange:
+      - 127.0.0.1/32
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: MiddlewareTCP
+metadata:
+  name: ipwhitelist
+  namespace: foo
+spec:
+  ipWhiteList:
+    sourceRange:
+      - 127.0.0.1/32
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: test.route
+  namespace: default
+
+spec:
+  entryPoints:
+    - foo
+
+  routes:
+    - match: HostSNI(`foo.com`)
+      services:
+        - name: whoamitcp
+          port: 8000
+
+      middlewares:
+        - name: ipwhitelist
+        - name: ipwhitelist
+          namespace: foo
+        - name: ipwhitelist@file
+        - name: ipwhitelist-foo@file
+          namespace: foo
--- a/pkg/provider/kubernetes/crd/fixtures/tcp/with_middleware_with_cross_namespace.yml
+++ b/pkg/provider/kubernetes/crd/fixtures/tcp/with_middleware_with_cross_namespace.yml
@ -0,0 +1,48 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: MiddlewareTCP
+metadata:
+  name: ipwhitelist
+  namespace: default
+spec:
+  ipWhiteList:
+    sourceRange:
+      - 127.0.0.1/32
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: MiddlewareTCP
+metadata:
+  name: ipwhitelist
+  namespace: cross-ns
+spec:
+  ipWhiteList:
+    sourceRange:
+      - 127.0.0.1/32
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRouteTCP
+metadata:
+  name: test.route
+  namespace: default
+
+spec:
+  entryPoints:
+    - foo
+
+  routes:
+    - match: HostSNI(`foo.com`)
+      services:
+        - name: whoamitcp
+          port: 8000
+
+      middlewares:
+        - name: ipwhitelist
+
+    - match: HostSNI(`bar.com`)
+      services:
+        - name: whoamitcp
+          port: 8000
+
+      middlewares:
+        - name: ipwhitelist
+          namespace: cross-ns
--- a/pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/fake/fake_middlewaretcp.go
+++ b/pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/fake/fake_middlewaretcp.go
@ -0,0 +1,138 @@
+/*
+The MIT License (MIT)
+
+Copyright (c) 2016-2020 Containous SAS; 2020-2021 Traefik Labs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package fake
+
+import (
+	"context"
+
+	v1alpha1 "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	labels "k8s.io/apimachinery/pkg/labels"
+	schema "k8s.io/apimachinery/pkg/runtime/schema"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	testing "k8s.io/client-go/testing"
+)
+
+// FakeMiddlewareTCPs implements MiddlewareTCPInterface
+type FakeMiddlewareTCPs struct {
+	Fake *FakeTraefikV1alpha1
+	ns   string
+}
+
+var middlewaretcpsResource = schema.GroupVersionResource{Group: "traefik.containo.us", Version: "v1alpha1", Resource: "middlewaretcps"}
+
+var middlewaretcpsKind = schema.GroupVersionKind{Group: "traefik.containo.us", Version: "v1alpha1", Kind: "MiddlewareTCP"}
+
+// Get takes name of the middlewareTCP, and returns the corresponding middlewareTCP object, and an error if there is any.
+func (c *FakeMiddlewareTCPs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.MiddlewareTCP, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewGetAction(middlewaretcpsResource, c.ns, name), &v1alpha1.MiddlewareTCP{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.MiddlewareTCP), err
+}
+
+// List takes label and field selectors, and returns the list of MiddlewareTCPs that match those selectors.
+func (c *FakeMiddlewareTCPs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.MiddlewareTCPList, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewListAction(middlewaretcpsResource, middlewaretcpsKind, c.ns, opts), &v1alpha1.MiddlewareTCPList{})
+
+	if obj == nil {
+		return nil, err
+	}
+
+	label, _, _ := testing.ExtractFromListOptions(opts)
+	if label == nil {
+		label = labels.Everything()
+	}
+	list := &v1alpha1.MiddlewareTCPList{ListMeta: obj.(*v1alpha1.MiddlewareTCPList).ListMeta}
+	for _, item := range obj.(*v1alpha1.MiddlewareTCPList).Items {
+		if label.Matches(labels.Set(item.Labels)) {
+			list.Items = append(list.Items, item)
+		}
+	}
+	return list, err
+}
+
+// Watch returns a watch.Interface that watches the requested middlewareTCPs.
+func (c *FakeMiddlewareTCPs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	return c.Fake.
+		InvokesWatch(testing.NewWatchAction(middlewaretcpsResource, c.ns, opts))
+
+}
+
+// Create takes the representation of a middlewareTCP and creates it.  Returns the server's representation of the middlewareTCP, and an error, if there is any.
+func (c *FakeMiddlewareTCPs) Create(ctx context.Context, middlewareTCP *v1alpha1.MiddlewareTCP, opts v1.CreateOptions) (result *v1alpha1.MiddlewareTCP, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewCreateAction(middlewaretcpsResource, c.ns, middlewareTCP), &v1alpha1.MiddlewareTCP{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.MiddlewareTCP), err
+}
+
+// Update takes the representation of a middlewareTCP and updates it. Returns the server's representation of the middlewareTCP, and an error, if there is any.
+func (c *FakeMiddlewareTCPs) Update(ctx context.Context, middlewareTCP *v1alpha1.MiddlewareTCP, opts v1.UpdateOptions) (result *v1alpha1.MiddlewareTCP, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewUpdateAction(middlewaretcpsResource, c.ns, middlewareTCP), &v1alpha1.MiddlewareTCP{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.MiddlewareTCP), err
+}
+
+// Delete takes name of the middlewareTCP and deletes it. Returns an error if one occurs.
+func (c *FakeMiddlewareTCPs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	_, err := c.Fake.
+		Invokes(testing.NewDeleteAction(middlewaretcpsResource, c.ns, name), &v1alpha1.MiddlewareTCP{})
+
+	return err
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *FakeMiddlewareTCPs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	action := testing.NewDeleteCollectionAction(middlewaretcpsResource, c.ns, listOpts)
+
+	_, err := c.Fake.Invokes(action, &v1alpha1.MiddlewareTCPList{})
+	return err
+}
+
+// Patch applies the patch and returns the patched middlewareTCP.
+func (c *FakeMiddlewareTCPs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.MiddlewareTCP, err error) {
+	obj, err := c.Fake.
+		Invokes(testing.NewPatchSubresourceAction(middlewaretcpsResource, c.ns, name, pt, data, subresources...), &v1alpha1.MiddlewareTCP{})
+
+	if obj == nil {
+		return nil, err
+	}
+	return obj.(*v1alpha1.MiddlewareTCP), err
+}
--- a/pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/fake/fake_traefik_client.go
+++ b/pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/fake/fake_traefik_client.go
@ -52,6 +52,10 @@ func (c *FakeTraefikV1alpha1) Middlewares(namespace string) v1alpha1.MiddlewareI
 	return &FakeMiddlewares{c, namespace}
 }

+func (c *FakeTraefikV1alpha1) MiddlewareTCPs(namespace string) v1alpha1.MiddlewareTCPInterface {
+	return &FakeMiddlewareTCPs{c, namespace}
+}
+
 func (c *FakeTraefikV1alpha1) ServersTransports(namespace string) v1alpha1.ServersTransportInterface {
 	return &FakeServersTransports{c, namespace}
 }
--- a/pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/generated_expansion.go
+++ b/pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/generated_expansion.go
@ -34,6 +34,8 @@ type IngressRouteUDPExpansion interface{}

 type MiddlewareExpansion interface{}

+type MiddlewareTCPExpansion interface{}
+
 type ServersTransportExpansion interface{}

 type TLSOptionExpansion interface{}
--- a/pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/middlewaretcp.go
+++ b/pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/middlewaretcp.go
@ -0,0 +1,186 @@
+/*
+The MIT License (MIT)
+
+Copyright (c) 2016-2020 Containous SAS; 2020-2021 Traefik Labs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+*/
+
+// Code generated by client-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	"time"
+
+	scheme "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned/scheme"
+	v1alpha1 "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	types "k8s.io/apimachinery/pkg/types"
+	watch "k8s.io/apimachinery/pkg/watch"
+	rest "k8s.io/client-go/rest"
+)
+
+// MiddlewareTCPsGetter has a method to return a MiddlewareTCPInterface.
+// A group's client should implement this interface.
+type MiddlewareTCPsGetter interface {
+	MiddlewareTCPs(namespace string) MiddlewareTCPInterface
+}
+
+// MiddlewareTCPInterface has methods to work with MiddlewareTCP resources.
+type MiddlewareTCPInterface interface {
+	Create(ctx context.Context, middlewareTCP *v1alpha1.MiddlewareTCP, opts v1.CreateOptions) (*v1alpha1.MiddlewareTCP, error)
+	Update(ctx context.Context, middlewareTCP *v1alpha1.MiddlewareTCP, opts v1.UpdateOptions) (*v1alpha1.MiddlewareTCP, error)
+	Delete(ctx context.Context, name string, opts v1.DeleteOptions) error
+	DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error
+	Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.MiddlewareTCP, error)
+	List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.MiddlewareTCPList, error)
+	Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error)
+	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.MiddlewareTCP, err error)
+	MiddlewareTCPExpansion
+}
+
+// middlewareTCPs implements MiddlewareTCPInterface
+type middlewareTCPs struct {
+	client rest.Interface
+	ns     string
+}
+
+// newMiddlewareTCPs returns a MiddlewareTCPs
+func newMiddlewareTCPs(c *TraefikV1alpha1Client, namespace string) *middlewareTCPs {
+	return &middlewareTCPs{
+		client: c.RESTClient(),
+		ns:     namespace,
+	}
+}
+
+// Get takes name of the middlewareTCP, and returns the corresponding middlewareTCP object, and an error if there is any.
+func (c *middlewareTCPs) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.MiddlewareTCP, err error) {
+	result = &v1alpha1.MiddlewareTCP{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("middlewaretcps").
+		Name(name).
+		VersionedParams(&options, scheme.ParameterCodec).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// List takes label and field selectors, and returns the list of MiddlewareTCPs that match those selectors.
+func (c *middlewareTCPs) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.MiddlewareTCPList, err error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	result = &v1alpha1.MiddlewareTCPList{}
+	err = c.client.Get().
+		Namespace(c.ns).
+		Resource("middlewaretcps").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Watch returns a watch.Interface that watches the requested middlewareTCPs.
+func (c *middlewareTCPs) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) {
+	var timeout time.Duration
+	if opts.TimeoutSeconds != nil {
+		timeout = time.Duration(*opts.TimeoutSeconds) * time.Second
+	}
+	opts.Watch = true
+	return c.client.Get().
+		Namespace(c.ns).
+		Resource("middlewaretcps").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Watch(ctx)
+}
+
+// Create takes the representation of a middlewareTCP and creates it.  Returns the server's representation of the middlewareTCP, and an error, if there is any.
+func (c *middlewareTCPs) Create(ctx context.Context, middlewareTCP *v1alpha1.MiddlewareTCP, opts v1.CreateOptions) (result *v1alpha1.MiddlewareTCP, err error) {
+	result = &v1alpha1.MiddlewareTCP{}
+	err = c.client.Post().
+		Namespace(c.ns).
+		Resource("middlewaretcps").
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(middlewareTCP).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Update takes the representation of a middlewareTCP and updates it. Returns the server's representation of the middlewareTCP, and an error, if there is any.
+func (c *middlewareTCPs) Update(ctx context.Context, middlewareTCP *v1alpha1.MiddlewareTCP, opts v1.UpdateOptions) (result *v1alpha1.MiddlewareTCP, err error) {
+	result = &v1alpha1.MiddlewareTCP{}
+	err = c.client.Put().
+		Namespace(c.ns).
+		Resource("middlewaretcps").
+		Name(middlewareTCP.Name).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(middlewareTCP).
+		Do(ctx).
+		Into(result)
+	return
+}
+
+// Delete takes name of the middlewareTCP and deletes it. Returns an error if one occurs.
+func (c *middlewareTCPs) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error {
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("middlewaretcps").
+		Name(name).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// DeleteCollection deletes a collection of objects.
+func (c *middlewareTCPs) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error {
+	var timeout time.Duration
+	if listOpts.TimeoutSeconds != nil {
+		timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second
+	}
+	return c.client.Delete().
+		Namespace(c.ns).
+		Resource("middlewaretcps").
+		VersionedParams(&listOpts, scheme.ParameterCodec).
+		Timeout(timeout).
+		Body(&opts).
+		Do(ctx).
+		Error()
+}
+
+// Patch applies the patch and returns the patched middlewareTCP.
+func (c *middlewareTCPs) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.MiddlewareTCP, err error) {
+	result = &v1alpha1.MiddlewareTCP{}
+	err = c.client.Patch(pt).
+		Namespace(c.ns).
+		Resource("middlewaretcps").
+		Name(name).
+		SubResource(subresources...).
+		VersionedParams(&opts, scheme.ParameterCodec).
+		Body(data).
+		Do(ctx).
+		Into(result)
+	return
+}
--- a/pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/traefik_client.go
+++ b/pkg/provider/kubernetes/crd/generated/clientset/versioned/typed/traefik/v1alpha1/traefik_client.go
@ -38,6 +38,7 @@ type TraefikV1alpha1Interface interface {
 	IngressRouteTCPsGetter
 	IngressRouteUDPsGetter
 	MiddlewaresGetter
+	MiddlewareTCPsGetter
 	ServersTransportsGetter
 	TLSOptionsGetter
 	TLSStoresGetter
@ -65,6 +66,10 @@ func (c *TraefikV1alpha1Client) Middlewares(namespace string) MiddlewareInterfac
 	return newMiddlewares(c, namespace)
 }

+func (c *TraefikV1alpha1Client) MiddlewareTCPs(namespace string) MiddlewareTCPInterface {
+	return newMiddlewareTCPs(c, namespace)
+}
+
 func (c *TraefikV1alpha1Client) ServersTransports(namespace string) ServersTransportInterface {
 	return newServersTransports(c, namespace)
 }
--- a/pkg/provider/kubernetes/crd/generated/informers/externalversions/generic.go
+++ b/pkg/provider/kubernetes/crd/generated/informers/externalversions/generic.go
@ -69,6 +69,8 @@ func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().IngressRouteUDPs().Informer()}, nil
 	case v1alpha1.SchemeGroupVersion.WithResource("middlewares"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().Middlewares().Informer()}, nil
+	case v1alpha1.SchemeGroupVersion.WithResource("middlewaretcps"):
+		return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().MiddlewareTCPs().Informer()}, nil
 	case v1alpha1.SchemeGroupVersion.WithResource("serverstransports"):
 		return &genericInformer{resource: resource.GroupResource(), informer: f.Traefik().V1alpha1().ServersTransports().Informer()}, nil
 	case v1alpha1.SchemeGroupVersion.WithResource("tlsoptions"):
--- a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefik/v1alpha1/interface.go
+++ b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefik/v1alpha1/interface.go
@ -40,6 +40,8 @@ type Interface interface {
 	IngressRouteUDPs() IngressRouteUDPInformer
 	// Middlewares returns a MiddlewareInformer.
 	Middlewares() MiddlewareInformer
+	// MiddlewareTCPs returns a MiddlewareTCPInformer.
+	MiddlewareTCPs() MiddlewareTCPInformer
 	// ServersTransports returns a ServersTransportInformer.
 	ServersTransports() ServersTransportInformer
 	// TLSOptions returns a TLSOptionInformer.
@ -81,6 +83,11 @@ func (v *version) Middlewares() MiddlewareInformer {
 	return &middlewareInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
 }

+// MiddlewareTCPs returns a MiddlewareTCPInformer.
+func (v *version) MiddlewareTCPs() MiddlewareTCPInformer {
+	return &middlewareTCPInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
+}
+
 // ServersTransports returns a ServersTransportInformer.
 func (v *version) ServersTransports() ServersTransportInformer {
 	return &serversTransportInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions}
--- a/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefik/v1alpha1/middlewaretcp.go
+++ b/pkg/provider/kubernetes/crd/generated/informers/externalversions/traefik/v1alpha1/middlewaretcp.go
@ -0,0 +1,98 @@
+/*
+The MIT License (MIT)
+
+Copyright (c) 2016-2020 Containous SAS; 2020-2021 Traefik Labs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+*/
+
+// Code generated by informer-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	"context"
+	time "time"
+
+	versioned "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/clientset/versioned"
+	internalinterfaces "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/informers/externalversions/internalinterfaces"
+	v1alpha1 "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/generated/listers/traefik/v1alpha1"
+	traefikv1alpha1 "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1"
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	runtime "k8s.io/apimachinery/pkg/runtime"
+	watch "k8s.io/apimachinery/pkg/watch"
+	cache "k8s.io/client-go/tools/cache"
+)
+
+// MiddlewareTCPInformer provides access to a shared informer and lister for
+// MiddlewareTCPs.
+type MiddlewareTCPInformer interface {
+	Informer() cache.SharedIndexInformer
+	Lister() v1alpha1.MiddlewareTCPLister
+}
+
+type middlewareTCPInformer struct {
+	factory          internalinterfaces.SharedInformerFactory
+	tweakListOptions internalinterfaces.TweakListOptionsFunc
+	namespace        string
+}
+
+// NewMiddlewareTCPInformer constructs a new informer for MiddlewareTCP type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewMiddlewareTCPInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer {
+	return NewFilteredMiddlewareTCPInformer(client, namespace, resyncPeriod, indexers, nil)
+}
+
+// NewFilteredMiddlewareTCPInformer constructs a new informer for MiddlewareTCP type.
+// Always prefer using an informer factory to get a shared informer instead of getting an independent
+// one. This reduces memory footprint and number of connections to the server.
+func NewFilteredMiddlewareTCPInformer(client versioned.Interface, namespace string, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer {
+	return cache.NewSharedIndexInformer(
+		&cache.ListWatch{
+			ListFunc: func(options v1.ListOptions) (runtime.Object, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.TraefikV1alpha1().MiddlewareTCPs(namespace).List(context.TODO(), options)
+			},
+			WatchFunc: func(options v1.ListOptions) (watch.Interface, error) {
+				if tweakListOptions != nil {
+					tweakListOptions(&options)
+				}
+				return client.TraefikV1alpha1().MiddlewareTCPs(namespace).Watch(context.TODO(), options)
+			},
+		},
+		&traefikv1alpha1.MiddlewareTCP{},
+		resyncPeriod,
+		indexers,
+	)
+}
+
+func (f *middlewareTCPInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer {
+	return NewFilteredMiddlewareTCPInformer(client, f.namespace, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions)
+}
+
+func (f *middlewareTCPInformer) Informer() cache.SharedIndexInformer {
+	return f.factory.InformerFor(&traefikv1alpha1.MiddlewareTCP{}, f.defaultInformer)
+}
+
+func (f *middlewareTCPInformer) Lister() v1alpha1.MiddlewareTCPLister {
+	return v1alpha1.NewMiddlewareTCPLister(f.Informer().GetIndexer())
+}
--- a/pkg/provider/kubernetes/crd/generated/listers/traefik/v1alpha1/expansion_generated.go
+++ b/pkg/provider/kubernetes/crd/generated/listers/traefik/v1alpha1/expansion_generated.go
@ -58,6 +58,14 @@ type MiddlewareListerExpansion interface{}
 // MiddlewareNamespaceLister.
 type MiddlewareNamespaceListerExpansion interface{}

+// MiddlewareTCPListerExpansion allows custom methods to be added to
+// MiddlewareTCPLister.
+type MiddlewareTCPListerExpansion interface{}
+
+// MiddlewareTCPNamespaceListerExpansion allows custom methods to be added to
+// MiddlewareTCPNamespaceLister.
+type MiddlewareTCPNamespaceListerExpansion interface{}
+
 // ServersTransportListerExpansion allows custom methods to be added to
 // ServersTransportLister.
 type ServersTransportListerExpansion interface{}
--- a/pkg/provider/kubernetes/crd/generated/listers/traefik/v1alpha1/middlewaretcp.go
+++ b/pkg/provider/kubernetes/crd/generated/listers/traefik/v1alpha1/middlewaretcp.go
@ -0,0 +1,107 @@
+/*
+The MIT License (MIT)
+
+Copyright (c) 2016-2020 Containous SAS; 2020-2021 Traefik Labs
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.
+*/
+
+// Code generated by lister-gen. DO NOT EDIT.
+
+package v1alpha1
+
+import (
+	v1alpha1 "github.com/traefik/traefik/v2/pkg/provider/kubernetes/crd/traefik/v1alpha1"
+	"k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/client-go/tools/cache"
+)
+
+// MiddlewareTCPLister helps list MiddlewareTCPs.
+// All objects returned here must be treated as read-only.
+type MiddlewareTCPLister interface {
+	// List lists all MiddlewareTCPs in the indexer.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.MiddlewareTCP, err error)
+	// MiddlewareTCPs returns an object that can list and get MiddlewareTCPs.
+	MiddlewareTCPs(namespace string) MiddlewareTCPNamespaceLister
+	MiddlewareTCPListerExpansion
+}
+
+// middlewareTCPLister implements the MiddlewareTCPLister interface.
+type middlewareTCPLister struct {
+	indexer cache.Indexer
+}
+
+// NewMiddlewareTCPLister returns a new MiddlewareTCPLister.
+func NewMiddlewareTCPLister(indexer cache.Indexer) MiddlewareTCPLister {
+	return &middlewareTCPLister{indexer: indexer}
+}
+
+// List lists all MiddlewareTCPs in the indexer.
+func (s *middlewareTCPLister) List(selector labels.Selector) (ret []*v1alpha1.MiddlewareTCP, err error) {
+	err = cache.ListAll(s.indexer, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.MiddlewareTCP))
+	})
+	return ret, err
+}
+
+// MiddlewareTCPs returns an object that can list and get MiddlewareTCPs.
+func (s *middlewareTCPLister) MiddlewareTCPs(namespace string) MiddlewareTCPNamespaceLister {
+	return middlewareTCPNamespaceLister{indexer: s.indexer, namespace: namespace}
+}
+
+// MiddlewareTCPNamespaceLister helps list and get MiddlewareTCPs.
+// All objects returned here must be treated as read-only.
+type MiddlewareTCPNamespaceLister interface {
+	// List lists all MiddlewareTCPs in the indexer for a given namespace.
+	// Objects returned here must be treated as read-only.
+	List(selector labels.Selector) (ret []*v1alpha1.MiddlewareTCP, err error)
+	// Get retrieves the MiddlewareTCP from the indexer for a given namespace and name.
+	// Objects returned here must be treated as read-only.
+	Get(name string) (*v1alpha1.MiddlewareTCP, error)
+	MiddlewareTCPNamespaceListerExpansion
+}
+
+// middlewareTCPNamespaceLister implements the MiddlewareTCPNamespaceLister
+// interface.
+type middlewareTCPNamespaceLister struct {
+	indexer   cache.Indexer
+	namespace string
+}
+
+// List lists all MiddlewareTCPs in the indexer for a given namespace.
+func (s middlewareTCPNamespaceLister) List(selector labels.Selector) (ret []*v1alpha1.MiddlewareTCP, err error) {
+	err = cache.ListAllByNamespace(s.indexer, s.namespace, selector, func(m interface{}) {
+		ret = append(ret, m.(*v1alpha1.MiddlewareTCP))
+	})
+	return ret, err
+}
+
+// Get retrieves the MiddlewareTCP from the indexer for a given namespace and name.
+func (s middlewareTCPNamespaceLister) Get(name string) (*v1alpha1.MiddlewareTCP, error) {
+	obj, exists, err := s.indexer.GetByKey(s.namespace + "/" + name)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, errors.NewNotFound(v1alpha1.Resource("middlewaretcp"), name)
+	}
+	return obj.(*v1alpha1.MiddlewareTCP), nil
+}
--- a/pkg/provider/kubernetes/crd/kubernetes.go
+++ b/pkg/provider/kubernetes/crd/kubernetes.go
@ -266,6 +266,14 @@ func (p *Provider) loadConfigurationFromCRD(ctx context.Context, client Client)
 		}
 	}

+	for _, middlewareTCP := range client.GetMiddlewareTCPs() {
+		id := provider.Normalize(makeID(middlewareTCP.Namespace, middlewareTCP.Name))
+
+		conf.TCP.Middlewares[id] = &dynamic.TCPMiddleware{
+			IPWhiteList: middlewareTCP.Spec.IPWhiteList,
+		}
+	}
+
 	cb := configBuilder{client, p.AllowCrossNamespace}

 	for _, service := range client.GetTraefikServices() {
--- a/pkg/provider/kubernetes/crd/kubernetes_tcp.go
+++ b/pkg/provider/kubernetes/crd/kubernetes_tcp.go
@ -17,8 +17,9 @@ import (

 func (p *Provider) loadIngressRouteTCPConfiguration(ctx context.Context, client Client, tlsConfigs map[string]*tls.CertAndStores) *dynamic.TCPConfiguration {
 	conf := &dynamic.TCPConfiguration{
-		Routers:  map[string]*dynamic.TCPRouter{},
-		Services: map[string]*dynamic.TCPService{},
+		Routers:     map[string]*dynamic.TCPRouter{},
+		Middlewares: map[string]*dynamic.TCPMiddleware{},
+		Services:    map[string]*dynamic.TCPService{},
 	}

 	for _, ingressRouteTCP := range client.GetIngressRouteTCPs() {
@ -52,6 +53,12 @@ func (p *Provider) loadIngressRouteTCPConfiguration(ctx context.Context, client
 				continue
 			}

+			mds, err := p.makeMiddlewareTCPKeys(ctx, ingressRouteTCP.Namespace, route.Middlewares)
+			if err != nil {
+				logger.Errorf("Failed to create middleware keys: %v", err)
+				continue
+			}
+
 			serviceName := makeID(ingressRouteTCP.Namespace, key)

 			for _, service := range route.Services {
@ -88,6 +95,7 @@ func (p *Provider) loadIngressRouteTCPConfiguration(ctx context.Context, client

 			conf.Routers[serviceName] = &dynamic.TCPRouter{
 				EntryPoints: ingressRouteTCP.Spec.EntryPoints,
+				Middlewares: mds,
 				Rule:        route.Match,
 				Service:     serviceName,
 			}
@ -125,6 +133,35 @@ func (p *Provider) loadIngressRouteTCPConfiguration(ctx context.Context, client
 	return conf
 }

+func (p *Provider) makeMiddlewareTCPKeys(ctx context.Context, ingRouteTCPNamespace string, middlewares []v1alpha1.ObjectReference) ([]string, error) {
+	var mds []string
+
+	for _, mi := range middlewares {
+		if strings.Contains(mi.Name, providerNamespaceSeparator) {
+			if len(mi.Namespace) > 0 {
+				log.FromContext(ctx).
+					WithField(log.MiddlewareName, mi.Name).
+					Warnf("namespace %q is ignored in cross-provider context", mi.Namespace)
+			}
+			mds = append(mds, mi.Name)
+			continue
+		}
+
+		ns := ingRouteTCPNamespace
+		if len(mi.Namespace) > 0 {
+			if !isNamespaceAllowed(p.AllowCrossNamespace, ingRouteTCPNamespace, mi.Namespace) {
+				return nil, fmt.Errorf("middleware %s/%s is not in the IngressRouteTCP namespace %s", mi.Namespace, mi.Name, ingRouteTCPNamespace)
+			}
+
+			ns = mi.Namespace
+		}
+
+		mds = append(mds, makeID(ns, mi.Name))
+	}
+
+	return mds, nil
+}
+
 func (p *Provider) createLoadBalancerServerTCP(client Client, parentNamespace string, service v1alpha1.ServiceTCP) (*dynamic.TCPService, error) {
 	ns := parentNamespace
 	if len(service.Namespace) > 0 {
--- a/pkg/provider/kubernetes/crd/kubernetes_test.go
+++ b/pkg/provider/kubernetes/crd/kubernetes_test.go
--- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/ingressroutetcp.go
+++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/ingressroutetcp.go
@ -18,6 +18,8 @@ type IngressRouteTCPSpec struct {
 type RouteTCP struct {
 	Match    string       `json:"match"`
 	Services []ServiceTCP `json:"services,omitempty"`
+	// Middlewares contains references to MiddlewareTCP resources.
+	Middlewares []ObjectReference `json:"middlewares,omitempty"`
 }

 // TLSTCP contains the TLS certificates configuration of the routes.
@ -34,23 +36,11 @@ type TLSTCP struct {
 	SecretName  string `json:"secretName,omitempty"`
 	Passthrough bool   `json:"passthrough,omitempty"`
 	// Options is a reference to a TLSOption, that specifies the parameters of the TLS connection.
-	Options *TLSOptionTCPRef `json:"options,omitempty"`
+	Options *ObjectReference `json:"options,omitempty"`
 	// Store is a reference to a TLSStore, that specifies the parameters of the TLS store.
-	Store        *TLSStoreTCPRef `json:"store,omitempty"`
-	CertResolver string          `json:"certResolver,omitempty"`
-	Domains      []types.Domain  `json:"domains,omitempty"`
-}
-
-// TLSOptionTCPRef is a ref to the TLSOption resources.
-type TLSOptionTCPRef struct {
-	Name      string `json:"name"`
-	Namespace string `json:"namespace,omitempty"`
-}
-
-// TLSStoreTCPRef is a ref to the TLSStore resources.
-type TLSStoreTCPRef struct {
-	Name      string `json:"name"`
-	Namespace string `json:"namespace,omitempty"`
+	Store        *ObjectReference `json:"store,omitempty"`
+	CertResolver string           `json:"certResolver,omitempty"`
+	Domains      []types.Domain   `json:"domains,omitempty"`
 }

 // ServiceTCP defines an upstream to proxy traffic.
--- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/middlewaretcp.go
+++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/middlewaretcp.go
@ -0,0 +1,34 @@
+package v1alpha1
+
+import (
+	"github.com/traefik/traefik/v2/pkg/config/dynamic"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// +genclient
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// MiddlewareTCP is a specification for a MiddlewareTCP resource.
+type MiddlewareTCP struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata"`
+
+	Spec MiddlewareTCPSpec `json:"spec"`
+}
+
+// +k8s:deepcopy-gen=true
+
+// MiddlewareTCPSpec holds the MiddlewareTCP configuration.
+type MiddlewareTCPSpec struct {
+	IPWhiteList *dynamic.TCPIPWhiteList `json:"ipWhiteList,omitempty"`
+}
+
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+
+// MiddlewareTCPList is a list of MiddlewareTCP resources.
+type MiddlewareTCPList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata"`
+
+	Items []MiddlewareTCP `json:"items"`
+}
--- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/objectreference.go
+++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/objectreference.go
@ -0,0 +1,7 @@
+package v1alpha1
+
+// ObjectReference is a generic reference to a Traefik resource.
+type ObjectReference struct {
+	Name      string `json:"name"`
+	Namespace string `json:"namespace,omitempty"`
+}
--- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/register.go
+++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/register.go
@ -41,6 +41,8 @@ func addKnownTypes(scheme *runtime.Scheme) error {
 		&IngressRouteUDPList{},
 		&Middleware{},
 		&MiddlewareList{},
+		&MiddlewareTCP{},
+		&MiddlewareTCPList{},
 		&TLSOption{},
 		&TLSOptionList{},
 		&TLSStore{},
--- a/pkg/provider/kubernetes/crd/traefik/v1alpha1/zz_generated.deepcopy.go
+++ b/pkg/provider/kubernetes/crd/traefik/v1alpha1/zz_generated.deepcopy.go
@ -746,6 +746,87 @@ func (in *MiddlewareSpec) DeepCopy() *MiddlewareSpec {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MiddlewareTCP) DeepCopyInto(out *MiddlewareTCP) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ObjectMeta.DeepCopyInto(&out.ObjectMeta)
+	in.Spec.DeepCopyInto(&out.Spec)
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MiddlewareTCP.
+func (in *MiddlewareTCP) DeepCopy() *MiddlewareTCP {
+	if in == nil {
+		return nil
+	}
+	out := new(MiddlewareTCP)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *MiddlewareTCP) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MiddlewareTCPList) DeepCopyInto(out *MiddlewareTCPList) {
+	*out = *in
+	out.TypeMeta = in.TypeMeta
+	in.ListMeta.DeepCopyInto(&out.ListMeta)
+	if in.Items != nil {
+		in, out := &in.Items, &out.Items
+		*out = make([]MiddlewareTCP, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MiddlewareTCPList.
+func (in *MiddlewareTCPList) DeepCopy() *MiddlewareTCPList {
+	if in == nil {
+		return nil
+	}
+	out := new(MiddlewareTCPList)
+	in.DeepCopyInto(out)
+	return out
+}
+
+// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
+func (in *MiddlewareTCPList) DeepCopyObject() runtime.Object {
+	if c := in.DeepCopy(); c != nil {
+		return c
+	}
+	return nil
+}
+
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *MiddlewareTCPSpec) DeepCopyInto(out *MiddlewareTCPSpec) {
+	*out = *in
+	if in.IPWhiteList != nil {
+		in, out := &in.IPWhiteList, &out.IPWhiteList
+		*out = new(dynamic.TCPIPWhiteList)
+		(*in).DeepCopyInto(*out)
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MiddlewareTCPSpec.
+func (in *MiddlewareTCPSpec) DeepCopy() *MiddlewareTCPSpec {
+	if in == nil {
+		return nil
+	}
+	out := new(MiddlewareTCPSpec)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *MirrorService) DeepCopyInto(out *MirrorService) {
 	*out = *in
@ -792,6 +873,22 @@ func (in *Mirroring) DeepCopy() *Mirroring {
 	return out
 }

+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ObjectReference) DeepCopyInto(out *ObjectReference) {
+	*out = *in
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ObjectReference.
+func (in *ObjectReference) DeepCopy() *ObjectReference {
+	if in == nil {
+		return nil
+	}
+	out := new(ObjectReference)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RateLimit) DeepCopyInto(out *RateLimit) {
 	*out = *in
@ -878,6 +975,11 @@ func (in *RouteTCP) DeepCopyInto(out *RouteTCP) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Middlewares != nil {
+		in, out := &in.Middlewares, &out.Middlewares
+		*out = make([]ObjectReference, len(*in))
+		copy(*out, *in)
+	}
 	return
 }

@ -1238,22 +1340,6 @@ func (in *TLSOptionSpec) DeepCopy() *TLSOptionSpec {
 	return out
 }

-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TLSOptionTCPRef) DeepCopyInto(out *TLSOptionTCPRef) {
-	*out = *in
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSOptionTCPRef.
-func (in *TLSOptionTCPRef) DeepCopy() *TLSOptionTCPRef {
-	if in == nil {
-		return nil
-	}
-	out := new(TLSOptionTCPRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSOptionUDPRef) DeepCopyInto(out *TLSOptionUDPRef) {
 	*out = *in
@ -1363,33 +1449,17 @@ func (in *TLSStoreSpec) DeepCopy() *TLSStoreSpec {
 	return out
 }

-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *TLSStoreTCPRef) DeepCopyInto(out *TLSStoreTCPRef) {
-	*out = *in
-	return
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSStoreTCPRef.
-func (in *TLSStoreTCPRef) DeepCopy() *TLSStoreTCPRef {
-	if in == nil {
-		return nil
-	}
-	out := new(TLSStoreTCPRef)
-	in.DeepCopyInto(out)
-	return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *TLSTCP) DeepCopyInto(out *TLSTCP) {
 	*out = *in
 	if in.Options != nil {
 		in, out := &in.Options, &out.Options
-		*out = new(TLSOptionTCPRef)
+		*out = new(ObjectReference)
 		**out = **in
 	}
 	if in.Store != nil {
 		in, out := &in.Store, &out.Store
-		*out = new(TLSStoreTCPRef)
+		*out = new(ObjectReference)
 		**out = **in
 	}
 	if in.Domains != nil {