Skip to content
GitHub

IngressRouteTCP

IngressRouteTCP is the CRD implementation of a Traefik TCP router.

Before creating IngressRouteTCP objects, you need to apply the Traefik Kubernetes CRDs to your Kubernetes cluster.

This registers the IngressRouteTCP kind and other Traefik-specific resources.

General

If both HTTP routers and TCP routers are connected to the same EntryPoint, the TCP routers will apply before the HTTP routers. If no matching route is found for the TCP routers, then the HTTP routers will take over.

Configuration Example

You can declare an IngressRouteTCP as detailed below:

apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroutetcpfoo
  namespace: apps

spec:
  entryPoints:
    - footcp
  routes:
  - match: HostSNI(`*`)
    priority: 10
    middlewares:
    - name: middleware1
      namespace: default
    services:
    - name: foo
      port: 8080
      weight: 10
      proxyProtocol:
        version: 1
      serversTransport: transport
      nativeLB: true
      nodePortLB: true
      tls: false

  tls:
    secretName: supersecret
    options:
      name: opt
      namespace: default
    certResolver: foo
    domains:
    - main: example.net
      sans:                       
      - a.example.net
      - b.example.net
    passthrough: false

Configuration Options

Field Description Default Required
entryPoints List of entrypoints names. No
routes List of routes. Yes
routes[n].match Defines the rule of the underlying router. Yes
routes[n].priority Defines the priority to disambiguate rules of the same length, for route matching. No
routes[n].middlewares[n].name Defines the MiddlewareTCP name. Yes
routes[n].middlewares[n].namespace Defines the MiddlewareTCP namespace. "" No
routes[n].services List of Kubernetes service definitions. No
routes[n].services[n].name Defines the name of a Kubernetes service. Yes
routes[n].services[n].port Defines the port of a Kubernetes service. This can be a reference to a named port. Yes
routes[n].services[n].weight Defines the weight to apply to the server load balancing. 1 No
routes[n].services[n].proxyProtocol Defines the PROXY protocol configuration. No
routes[n].services[n].proxyProtocol.version Defines the PROXY protocol version. No
routes[n].services[n].serversTransport Defines the ServersTransportTCP.
The ServersTransport namespace is assumed to be the Kubernetes service namespace.		 No
routes[n].services[n].nativeLB Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. See here for more information. false No
routes[n].services[n].nodePortLB Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. false No
tls Defines TLS certificate configuration. No
tls.secretName Defines the secret name used to store the certificate (in the IngressRoute namespace). "" No
tls.options Defines the reference to a TLSOption. "" No
tls.options.name Defines the TLSOption name. "" No
tls.options.namespace Defines the TLSOption namespace. "" No
tls.certResolver Defines the reference to a CertResolver. "" No
tls.domains List of domains. "" No
tls.domains[n].main Defines the main domain name. "" No
tls.domains[n].sans List of SANs (alternative domains). "" No
tls.passthrough If true, delegates the TLS termination to the backend. false No

ExternalName Service

Traefik connect to a backend with a domain and a port. However, Kubernetes ExternalName Service can be defined without any port. Accordingly, Traefik supports defining a port in two ways:

  • only on IngressRouteTCP service
  • on both sides, you'll be warned if the ports don't match, and the IngressRouteTCP service port is used

Thus, in case of two sides port definition, Traefik expects a match between ports.

apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test.route
  namespace: apps

spec:
  entryPoints:
    - foo
  routes:
  - match: Host(`example.net`)
    kind: Rule
    services:
    - name: external-svc
      port: 80
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: apps

spec:
  externalName: external.domain
  type: ExternalName
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test.route
  namespace: apps

spec:
  entryPoints:
    - foo
  routes:
  - match: Host(`example.net`)
    kind: Rule
    services:
    - name: external-svc
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: apps

spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test.route
  namespace: apps

spec:
  entryPoints:
    - foo
  routes:
  - match: Host(`example.net`)
    kind: Rule
    services:
    - name: external-svc
      port: 80
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: apps

spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80

NativeLB

To avoid creating the server load-balancer with the pods IPs and use Kubernetes Service clusterIP directly, one should set the NativeLB option to true. By default, NativeLB is false.

apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test.route
  namespace: default
spec:
  entryPoints:
    - foo
  routes:
  - match: HostSNI(`*`)
    services:
    - name: svc
      port: 80
      # Here, nativeLB instructs to build the servers load balancer with the Kubernetes Service clusterIP only.
      nativeLB: true
apiVersion: v1
kind: Service
metadata:
  name: svc
  namespace: default
spec:
  type: ClusterIP
  ...