IngressRouteTCP
IngressRouteTCP is the CRD implementation of a Traefik TCP router.
Register the IngressRouteTCP kind in the Kubernetes cluster before creating IngressRouteTCP objects.
General
If both HTTP routers and TCP routers listen to the same EntryPoint, the TCP routers will apply before the HTTP routers. If no matching route is found for the TCP routers, then the HTTP routers will take over.
Configuration Example
- IngressRouteTCP
- TLSOption
- Secret
ingressroute-tcp.yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: test-tcp
namespace: apps
spec:
entryPoints:
- websecure
routes:
- match: HostSNI(`*`)
priority: 10
services:
- name: foo
port: 8080
nativeLB: true
tls:
secretName: supersecret
options:
name: opt
namespace: apps
passthrough: false
tls-option.yaml
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
name: opt
namespace: app
spec:
minVersion: VersionTLS12
super-secret.yaml
apiVersion: v1
kind: Secret
metadata:
name: supersecret
namespace: app
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
Configuration Options
| Field | Description | Default | Required |
|---|---|---|---|
entryPoints | List of entrypoints names | No | |
routes | List of routes | Yes | |
routes[n].match | Defines the rule of the underlying router | "" | No |
routes[n].priority | Defines the priority to disambiguate rules of the same length, for route matching | 0 | No |
routes[n].middlewares[n].name | Defines the MiddlewareTCP name | No | |
routes[n].middlewares[n].namespace | Defines the MiddlewareTCP namespace | "" | No |
routes[n].services | List of Kubernetes service definitions (See below for ExternalName Service setup) | No | |
routes[n].services[n].name | Defines the name of a Kubernetes service | "" | Yes |
routes[n].services[n].port | Defines the port of a Kubernetes service. This can be a reference to a named port. | "" | No |
routes[n].services[n].weight | Defines the weight to apply to the server load balancing | "" | No |
routes[n].services[n].proxyProtocol | Defines the PROXY protocol configuration | ||
routes[n].services[n].proxyProtocol.version | Defines the PROXY protocol version | ||
routes[n].services[n].serversTransport | Defines the ServersTransportTCP. The ServersTransport namespace is assumed to be the Kubernetes service namespace (see ServersTransport reference). | ||
routes[n].services[n].nativeLB | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. | false | No |
routes[n].services[n].nodePortLB | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is | false | no |
tls | Defines TLS certificate configuration | No | |
tls.secretName | Defines the secret name used to store the certificate (in the IngressRoute namespace) | "" | No |
tls.options | Defines the reference to a TLSOption | "" | No |
tls.options.name | Defines the TLSOption name | "" | No |
tls.options.namespace | Defines the TLSOption namespace | "" | No |
tls.certResolver | Defines the reference to a CertResolver | "" | No |
tls.domains | List of domains | "" | No |
tls.domains[n].main | Defines the main domain name | "" | Yes |
tls.domains[n].sans | List of SANs (alternative domains) | "" | No |
tls.passthrough | If true, delegates the TLS termination to the backend | false | No |
routes.services
ExternalName Service
ExternalName Services are used to reference services that exist off platform, on other clusters, or locally.
Healthcheck
As the healthchech cannot be done using the usual Kubernetes livenessprobe and readinessprobe, the IngressRouteTCP brings an option to check the ExternalName Service health.
Port Definition
Traefik Hub connect to a backend with a domain and a port. However, Kubernetes ExternalName Service can be defined without any port. Accordingly, Traefik supports defining a port in two ways:
- only on IngressRouteTCP service
- on both sides, you'll be warned if the ports don't match, and the IngressRouteTCP service port is used
Thus, in case of two sides port definition, Traefik expects a match between ports.
- Port defined on the Resource
- Port defined on the Service
- Port defined on both sides
- IngressRouteTCP
- Service ExternalName
yaml showLineNumbers
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: test.route
namespace: apps
spec:
entryPoints:
- foo
routes:
- match: HostSNI(`*`)
kind: Rule
services:
- name: external-svc
port: 80
apiVersion: v1
kind: Service
metadata:
name: external-svc
namespace: apps
spec:
externalName: external.domain
type: ExternalName
- IngressRouteTCP
- Service ExternalName
yaml showLineNumbers
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: test.route
namespace: apps
spec:
entryPoints:
- foo
routes:
- match: - match: HostSNI(`*`)
kind: Rule
services:
- name: external-svc
apiVersion: v1
kind: Service
metadata:
name: external-svc
namespace: apps
spec:
externalName: external.domain
type: ExternalName
ports:
- port: 80
- IngressRouteTCP
- Service ExternalName
yaml showLineNumbers
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: test.route
namespace: apps
spec:
entryPoints:
- foo
routes:
- match: HostSNI(`*`)
kind: Rule
services:
- name: external-svc
port: 80
apiVersion: v1
kind: Service
metadata:
name: external-svc
namespace: apps
spec:
externalName: external.domain
type: ExternalName
ports:
- port: 80
Related Content
- Learn about
IngresRoutein its dedication section