Skip to content

Traefik & Kubernetes

The Kubernetes Ingress Controller, The Custom Resource Way.

Configuration Examples

Configuring KubernetesCRD and Deploying/Exposing Services
# All resources definition must be declared

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: IngressRoute
    listKind: IngressRouteList
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IngressRoute is the CRD implementation of a Traefik HTTP Router.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IngressRouteSpec defines the desired state of IngressRoute.
            properties:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
                  More info: https://doc.traefik.io/traefik/v2.9/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
                type: array
              routes:
                description: Routes defines the list of routes.
                items:
                  description: Route holds the HTTP route configuration.
                  properties:
                    kind:
                      description: Kind defines the kind of the route. Rule is the
                        only supported kind.
                      enum:
                      - Rule
                      type: string
                    match:
                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#rule'
                      type: string
                    middlewares:
                      description: 'Middlewares defines the list of references to
                        Middleware resources. More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-middleware'
                      items:
                        description: MiddlewareRef is a reference to a Middleware
                          resource.
                        properties:
                          name:
                            description: Name defines the name of the referenced Middleware
                              resource.
                            type: string
                          namespace:
                            description: Namespace defines the namespace of the referenced
                              Middleware resource.
                            type: string
                        required:
                        - name
                        type: object
                      type: array
                    priority:
                      description: 'Priority defines the router''s priority. More
                        info: https://doc.traefik.io/traefik/v2.9/routing/routers/#priority'
                      type: integer
                    services:
                      description: Services defines the list of Service. It can contain
                        any combination of TraefikService and/or reference to a Kubernetes
                        Service.
                      items:
                        description: Service defines an upstream HTTP service to proxy
                          traffic to.
                        properties:
                          kind:
                            description: Kind defines the kind of the Service.
                            enum:
                            - Service
                            - TraefikService
                            type: string
                          name:
                            description: Name defines the name of the referenced Kubernetes
                              Service or TraefikService. The differentiation between
                              the two is specified in the Kind field.
                            type: string
                          namespace:
                            description: Namespace defines the namespace of the referenced
                              Kubernetes Service or TraefikService.
                            type: string
                          passHostHeader:
                            description: PassHostHeader defines whether the client
                              Host header is forwarded to the upstream Kubernetes
                              Service. By default, passHostHeader is true.
                            type: boolean
                          port:
                            anyOf:
                            - type: integer
                            - type: string
                            description: Port defines the port of a Kubernetes Service.
                              This can be a reference to a named port.
                            x-kubernetes-int-or-string: true
                          responseForwarding:
                            description: ResponseForwarding defines how Traefik forwards
                              the response from the upstream Kubernetes Service to
                              the client.
                            properties:
                              flushInterval:
                                description: 'FlushInterval defines the interval,
                                  in milliseconds, in between flushes to the client
                                  while copying the response body. A negative value
                                  means to flush immediately after each write to the
                                  client. This configuration is ignored when ReverseProxy
                                  recognizes a response as a streaming response; for
                                  such responses, writes are flushed to the client
                                  immediately. Default: 100ms'
                                type: string
                            type: object
                          scheme:
                            description: Scheme defines the scheme to use for the
                              request to the upstream Kubernetes Service. It defaults
                              to https when Kubernetes Service port is 443, http otherwise.
                            type: string
                          serversTransport:
                            description: ServersTransport defines the name of ServersTransport
                              resource to use. It allows to configure the transport
                              between Traefik and your servers. Can only be used on
                              a Kubernetes Service.
                            type: string
                          sticky:
                            description: 'Sticky defines the sticky sessions configuration.
                              More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
                            properties:
                              cookie:
                                description: Cookie defines the sticky cookie configuration.
                                properties:
                                  httpOnly:
                                    description: HTTPOnly defines whether the cookie
                                      can be accessed by client-side APIs, such as
                                      JavaScript.
                                    type: boolean
                                  name:
                                    description: Name defines the Cookie name.
                                    type: string
                                  sameSite:
                                    description: 'SameSite defines the same site policy.
                                      More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
                                    type: string
                                  secure:
                                    description: Secure defines whether the cookie
                                      can only be transmitted over an encrypted connection
                                      (i.e. HTTPS).
                                    type: boolean
                                type: object
                            type: object
                          strategy:
                            description: Strategy defines the load balancing strategy
                              between the servers. RoundRobin is the only supported
                              value at the moment.
                            type: string
                          weight:
                            description: Weight defines the weight and should only
                              be specified when Name references a TraefikService object
                              (and to be precise, one that embeds a Weighted Round
                              Robin).
                            type: integer
                        required:
                        - name
                        type: object
                      type: array
                  required:
                  - kind
                  - match
                  type: object
                type: array
              tls:
                description: 'TLS defines the TLS configuration. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#tls'
                properties:
                  certResolver:
                    description: 'CertResolver defines the name of the certificate
                      resolver to use. Cert resolvers have to be configured in the
                      static configuration. More info: https://doc.traefik.io/traefik/v2.9/https/acme/#certificate-resolvers'
                    type: string
                  domains:
                    description: 'Domains defines the list of domains that will be
                      used to issue certificates. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#domains'
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
                        main:
                          description: Main defines the main domain name.
                          type: string
                        sans:
                          description: SANs defines the subject alternative domain
                            names.
                          items:
                            type: string
                          type: array
                      type: object
                    type: array
                  options:
                    description: 'Options defines the reference to a TLSOption, that
                      specifies the parameters of the TLS connection. If not defined,
                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options'
                    properties:
                      name:
                        description: 'Name defines the name of the referenced TLSOption.
                          More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsoption'
                        type: string
                      namespace:
                        description: 'Namespace defines the namespace of the referenced
                          TLSOption. More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsoption'
                        type: string
                    required:
                    - name
                    type: object
                  secretName:
                    description: SecretName is the name of the referenced Kubernetes
                      Secret to specify the certificate details.
                    type: string
                  store:
                    description: Store defines the reference to the TLSStore, that
                      will be used to store certificates. Please note that only `default`
                      TLSStore can be used.
                    properties:
                      name:
                        description: 'Name defines the name of the referenced TLSStore.
                          More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsstore'
                        type: string
                      namespace:
                        description: 'Namespace defines the namespace of the referenced
                          TLSStore. More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-tlsstore'
                        type: string
                    required:
                    - name
                    type: object
                type: object
            required:
            - routes
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: IngressRouteTCP
    listKind: IngressRouteTCPList
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IngressRouteTCP is the CRD implementation of a Traefik TCP Router.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IngressRouteTCPSpec defines the desired state of IngressRouteTCP.
            properties:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
                  More info: https://doc.traefik.io/traefik/v2.9/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
                type: array
              routes:
                description: Routes defines the list of routes.
                items:
                  description: RouteTCP holds the TCP route configuration.
                  properties:
                    match:
                      description: 'Match defines the router''s rule. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#rule_1'
                      type: string
                    middlewares:
                      description: Middlewares defines the list of references to MiddlewareTCP
                        resources.
                      items:
                        description: ObjectReference is a generic reference to a Traefik
                          resource.
                        properties:
                          name:
                            description: Name defines the name of the referenced Traefik
                              resource.
                            type: string
                          namespace:
                            description: Namespace defines the namespace of the referenced
                              Traefik resource.
                            type: string
                        required:
                        - name
                        type: object
                      type: array
                    priority:
                      description: 'Priority defines the router''s priority. More
                        info: https://doc.traefik.io/traefik/v2.9/routing/routers/#priority_1'
                      type: integer
                    services:
                      description: Services defines the list of TCP services.
                      items:
                        description: ServiceTCP defines an upstream TCP service to
                          proxy traffic to.
                        properties:
                          name:
                            description: Name defines the name of the referenced Kubernetes
                              Service.
                            type: string
                          namespace:
                            description: Namespace defines the namespace of the referenced
                              Kubernetes Service.
                            type: string
                          port:
                            anyOf:
                            - type: integer
                            - type: string
                            description: Port defines the port of a Kubernetes Service.
                              This can be a reference to a named port.
                            x-kubernetes-int-or-string: true
                          proxyProtocol:
                            description: 'ProxyProtocol defines the PROXY protocol
                              configuration. More info: https://doc.traefik.io/traefik/v2.9/routing/services/#proxy-protocol'
                            properties:
                              version:
                                description: Version defines the PROXY Protocol version
                                  to use.
                                type: integer
                            type: object
                          terminationDelay:
                            description: TerminationDelay defines the deadline that
                              the proxy sets, after one of its connected peers indicates
                              it has closed the writing capability of its connection,
                              to close the reading capability as well, hence fully
                              terminating the connection. It is a duration in milliseconds,
                              defaulting to 100. A negative value means an infinite
                              deadline (i.e. the reading capability is never closed).
                            type: integer
                          weight:
                            description: Weight defines the weight used when balancing
                              requests between multiple Kubernetes Service.
                            type: integer
                        required:
                        - name
                        - port
                        type: object
                      type: array
                  required:
                  - match
                  type: object
                type: array
              tls:
                description: 'TLS defines the TLS configuration on a layer 4 / TCP
                  Route. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#tls_1'
                properties:
                  certResolver:
                    description: 'CertResolver defines the name of the certificate
                      resolver to use. Cert resolvers have to be configured in the
                      static configuration. More info: https://doc.traefik.io/traefik/v2.9/https/acme/#certificate-resolvers'
                    type: string
                  domains:
                    description: 'Domains defines the list of domains that will be
                      used to issue certificates. More info: https://doc.traefik.io/traefik/v2.9/routing/routers/#domains'
                    items:
                      description: Domain holds a domain name with SANs.
                      properties:
                        main:
                          description: Main defines the main domain name.
                          type: string
                        sans:
                          description: SANs defines the subject alternative domain
                            names.
                          items:
                            type: string
                          type: array
                      type: object
                    type: array
                  options:
                    description: 'Options defines the reference to a TLSOption, that
                      specifies the parameters of the TLS connection. If not defined,
                      the `default` TLSOption is used. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options'
                    properties:
                      name:
                        description: Name defines the name of the referenced Traefik
                          resource.
                        type: string
                      namespace:
                        description: Namespace defines the namespace of the referenced
                          Traefik resource.
                        type: string
                    required:
                    - name
                    type: object
                  passthrough:
                    description: Passthrough defines whether a TLS router will terminate
                      the TLS connection.
                    type: boolean
                  secretName:
                    description: SecretName is the name of the referenced Kubernetes
                      Secret to specify the certificate details.
                    type: string
                  store:
                    description: Store defines the reference to the TLSStore, that
                      will be used to store certificates. Please note that only `default`
                      TLSStore can be used.
                    properties:
                      name:
                        description: Name defines the name of the referenced Traefik
                          resource.
                        type: string
                      namespace:
                        description: Namespace defines the namespace of the referenced
                          Traefik resource.
                        type: string
                    required:
                    - name
                    type: object
                type: object
            required:
            - routes
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: ingressrouteudps.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: IngressRouteUDP
    listKind: IngressRouteUDPList
    plural: ingressrouteudps
    singular: ingressrouteudp
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: IngressRouteUDP is a CRD implementation of a Traefik UDP Router.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: IngressRouteUDPSpec defines the desired state of a IngressRouteUDP.
            properties:
              entryPoints:
                description: 'EntryPoints defines the list of entry point names to
                  bind to. Entry points have to be configured in the static configuration.
                  More info: https://doc.traefik.io/traefik/v2.9/routing/entrypoints/
                  Default: all.'
                items:
                  type: string
                type: array
              routes:
                description: Routes defines the list of routes.
                items:
                  description: RouteUDP holds the UDP route configuration.
                  properties:
                    services:
                      description: Services defines the list of UDP services.
                      items:
                        description: ServiceUDP defines an upstream UDP service to
                          proxy traffic to.
                        properties:
                          name:
                            description: Name defines the name of the referenced Kubernetes
                              Service.
                            type: string
                          namespace:
                            description: Namespace defines the namespace of the referenced
                              Kubernetes Service.
                            type: string
                          port:
                            anyOf:
                            - type: integer
                            - type: string
                            description: Port defines the port of a Kubernetes Service.
                              This can be a reference to a named port.
                            x-kubernetes-int-or-string: true
                          weight:
                            description: Weight defines the weight used when balancing
                              requests between multiple Kubernetes Service.
                            type: integer
                        required:
                        - name
                        - port
                        type: object
                      type: array
                  type: object
                type: array
            required:
            - routes
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: Middleware
    listKind: MiddlewareList
    plural: middlewares
    singular: middleware
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: 'Middleware is the CRD implementation of a Traefik Middleware.
          More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/overview/'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: MiddlewareSpec defines the desired state of a Middleware.
            properties:
              addPrefix:
                description: 'AddPrefix holds the add prefix middleware configuration.
                  This middleware updates the path of a request before forwarding
                  it. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/addprefix/'
                properties:
                  prefix:
                    description: Prefix is the string to add before the current path
                      in the requested URL. It should include a leading slash (/).
                    type: string
                type: object
              basicAuth:
                description: 'BasicAuth holds the basic auth middleware configuration.
                  This middleware restricts access to your services to known users.
                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/basicauth/'
                properties:
                  headerField:
                    description: 'HeaderField defines a header field to store the
                      authenticated user. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/basicauth/#headerfield'
                    type: string
                  realm:
                    description: 'Realm allows the protected resources on a server
                      to be partitioned into a set of protection spaces, each with
                      its own authentication scheme. Default: traefik.'
                    type: string
                  removeHeader:
                    description: 'RemoveHeader sets the removeHeader option to true
                      to remove the authorization header before forwarding the request
                      to your service. Default: false.'
                    type: boolean
                  secret:
                    description: Secret is the name of the referenced Kubernetes Secret
                      containing user credentials.
                    type: string
                type: object
              buffering:
                description: 'Buffering holds the buffering middleware configuration.
                  This middleware retries or limits the size of requests that can
                  be forwarded to backends. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/buffering/#maxrequestbodybytes'
                properties:
                  maxRequestBodyBytes:
                    description: 'MaxRequestBodyBytes defines the maximum allowed
                      body size for the request (in bytes). If the request exceeds
                      the allowed size, it is not forwarded to the service, and the
                      client gets a 413 (Request Entity Too Large) response. Default:
                      0 (no maximum).'
                    format: int64
                    type: integer
                  maxResponseBodyBytes:
                    description: 'MaxResponseBodyBytes defines the maximum allowed
                      response size from the service (in bytes). If the response exceeds
                      the allowed size, it is not forwarded to the client. The client
                      gets a 500 (Internal Server Error) response instead. Default:
                      0 (no maximum).'
                    format: int64
                    type: integer
                  memRequestBodyBytes:
                    description: 'MemRequestBodyBytes defines the threshold (in bytes)
                      from which the request will be buffered on disk instead of in
                      memory. Default: 1048576 (1Mi).'
                    format: int64
                    type: integer
                  memResponseBodyBytes:
                    description: 'MemResponseBodyBytes defines the threshold (in bytes)
                      from which the response will be buffered on disk instead of
                      in memory. Default: 1048576 (1Mi).'
                    format: int64
                    type: integer
                  retryExpression:
                    description: 'RetryExpression defines the retry conditions. It
                      is a logical combination of functions with operators AND (&&)
                      and OR (||). More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/buffering/#retryexpression'
                    type: string
                type: object
              chain:
                description: 'Chain holds the configuration of the chain middleware.
                  This middleware enables to define reusable combinations of other
                  pieces of middleware. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/chain/'
                properties:
                  middlewares:
                    description: Middlewares is the list of MiddlewareRef which composes
                      the chain.
                    items:
                      description: MiddlewareRef is a reference to a Middleware resource.
                      properties:
                        name:
                          description: Name defines the name of the referenced Middleware
                            resource.
                          type: string
                        namespace:
                          description: Namespace defines the namespace of the referenced
                            Middleware resource.
                          type: string
                      required:
                      - name
                      type: object
                    type: array
                type: object
              circuitBreaker:
                description: CircuitBreaker holds the circuit breaker configuration.
                properties:
                  checkPeriod:
                    anyOf:
                    - type: integer
                    - type: string
                    description: CheckPeriod is the interval between successive checks
                      of the circuit breaker condition (when in standby state).
                    x-kubernetes-int-or-string: true
                  expression:
                    description: Expression is the condition that triggers the tripped
                      state.
                    type: string
                  fallbackDuration:
                    anyOf:
                    - type: integer
                    - type: string
                    description: FallbackDuration is the duration for which the circuit
                      breaker will wait before trying to recover (from a tripped state).
                    x-kubernetes-int-or-string: true
                  recoveryDuration:
                    anyOf:
                    - type: integer
                    - type: string
                    description: RecoveryDuration is the duration for which the circuit
                      breaker will try to recover (as soon as it is in recovering
                      state).
                    x-kubernetes-int-or-string: true
                type: object
              compress:
                description: 'Compress holds the compress middleware configuration.
                  This middleware compresses responses before sending them to the
                  client, using gzip compression. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/compress/'
                properties:
                  excludedContentTypes:
                    description: ExcludedContentTypes defines the list of content
                      types to compare the Content-Type header of the incoming requests
                      and responses before compressing.
                    items:
                      type: string
                    type: array
                  minResponseBodyBytes:
                    description: 'MinResponseBodyBytes defines the minimum amount
                      of bytes a response body must have to be compressed. Default:
                      1024.'
                    type: integer
                type: object
              contentType:
                description: ContentType holds the content-type middleware configuration.
                  This middleware exists to enable the correct behavior until at least
                  the default one can be changed in a future version.
                properties:
                  autoDetect:
                    description: AutoDetect specifies whether to let the `Content-Type`
                      header, if it has not been set by the backend, be automatically
                      set to a value derived from the contents of the response. As
                      a proxy, the default behavior should be to leave the header
                      alone, regardless of what the backend did with it. However,
                      the historic default was to always auto-detect and set the header
                      if it was nil, and it is going to be kept that way in order
                      to support users currently relying on it.
                    type: boolean
                type: object
              digestAuth:
                description: 'DigestAuth holds the digest auth middleware configuration.
                  This middleware restricts access to your services to known users.
                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/digestauth/'
                properties:
                  headerField:
                    description: 'HeaderField defines a header field to store the
                      authenticated user. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/basicauth/#headerfield'
                    type: string
                  realm:
                    description: 'Realm allows the protected resources on a server
                      to be partitioned into a set of protection spaces, each with
                      its own authentication scheme. Default: traefik.'
                    type: string
                  removeHeader:
                    description: RemoveHeader defines whether to remove the authorization
                      header before forwarding the request to the backend.
                    type: boolean
                  secret:
                    description: Secret is the name of the referenced Kubernetes Secret
                      containing user credentials.
                    type: string
                type: object
              errors:
                description: 'ErrorPage holds the custom error middleware configuration.
                  This middleware returns a custom page in lieu of the default, according
                  to configured ranges of HTTP Status codes. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/errorpages/'
                properties:
                  query:
                    description: Query defines the URL for the error page (hosted
                      by service). The {status} variable can be used in order to insert
                      the status code in the URL.
                    type: string
                  service:
                    description: 'Service defines the reference to a Kubernetes Service
                      that will serve the error page. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/errorpages/#service'
                    properties:
                      kind:
                        description: Kind defines the kind of the Service.
                        enum:
                        - Service
                        - TraefikService
                        type: string
                      name:
                        description: Name defines the name of the referenced Kubernetes
                          Service or TraefikService. The differentiation between the
                          two is specified in the Kind field.
                        type: string
                      namespace:
                        description: Namespace defines the namespace of the referenced
                          Kubernetes Service or TraefikService.
                        type: string
                      passHostHeader:
                        description: PassHostHeader defines whether the client Host
                          header is forwarded to the upstream Kubernetes Service.
                          By default, passHostHeader is true.
                        type: boolean
                      port:
                        anyOf:
                        - type: integer
                        - type: string
                        description: Port defines the port of a Kubernetes Service.
                          This can be a reference to a named port.
                        x-kubernetes-int-or-string: true
                      responseForwarding:
                        description: ResponseForwarding defines how Traefik forwards
                          the response from the upstream Kubernetes Service to the
                          client.
                        properties:
                          flushInterval:
                            description: 'FlushInterval defines the interval, in milliseconds,
                              in between flushes to the client while copying the response
                              body. A negative value means to flush immediately after
                              each write to the client. This configuration is ignored
                              when ReverseProxy recognizes a response as a streaming
                              response; for such responses, writes are flushed to
                              the client immediately. Default: 100ms'
                            type: string
                        type: object
                      scheme:
                        description: Scheme defines the scheme to use for the request
                          to the upstream Kubernetes Service. It defaults to https
                          when Kubernetes Service port is 443, http otherwise.
                        type: string
                      serversTransport:
                        description: ServersTransport defines the name of ServersTransport
                          resource to use. It allows to configure the transport between
                          Traefik and your servers. Can only be used on a Kubernetes
                          Service.
                        type: string
                      sticky:
                        description: 'Sticky defines the sticky sessions configuration.
                          More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
                        properties:
                          cookie:
                            description: Cookie defines the sticky cookie configuration.
                            properties:
                              httpOnly:
                                description: HTTPOnly defines whether the cookie can
                                  be accessed by client-side APIs, such as JavaScript.
                                type: boolean
                              name:
                                description: Name defines the Cookie name.
                                type: string
                              sameSite:
                                description: 'SameSite defines the same site policy.
                                  More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
                                type: string
                              secure:
                                description: Secure defines whether the cookie can
                                  only be transmitted over an encrypted connection
                                  (i.e. HTTPS).
                                type: boolean
                            type: object
                        type: object
                      strategy:
                        description: Strategy defines the load balancing strategy
                          between the servers. RoundRobin is the only supported value
                          at the moment.
                        type: string
                      weight:
                        description: Weight defines the weight and should only be
                          specified when Name references a TraefikService object (and
                          to be precise, one that embeds a Weighted Round Robin).
                        type: integer
                    required:
                    - name
                    type: object
                  status:
                    description: Status defines which status or range of statuses
                      should result in an error page. It can be either a status code
                      as a number (500), as multiple comma-separated numbers (500,502),
                      as ranges by separating two codes with a dash (500-599), or
                      a combination of the two (404,418,500-599).
                    items:
                      type: string
                    type: array
                type: object
              forwardAuth:
                description: 'ForwardAuth holds the forward auth middleware configuration.
                  This middleware delegates the request authentication to a Service.
                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/forwardauth/'
                properties:
                  address:
                    description: Address defines the authentication server address.
                    type: string
                  authRequestHeaders:
                    description: AuthRequestHeaders defines the list of the headers
                      to copy from the request to the authentication server. If not
                      set or empty then all request headers are passed.
                    items:
                      type: string
                    type: array
                  authResponseHeaders:
                    description: AuthResponseHeaders defines the list of headers to
                      copy from the authentication server response and set on forwarded
                      request, replacing any existing conflicting headers.
                    items:
                      type: string
                    type: array
                  authResponseHeadersRegex:
                    description: 'AuthResponseHeadersRegex defines the regex to match
                      headers to copy from the authentication server response and
                      set on forwarded request, after stripping all headers that match
                      the regex. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/forwardauth/#authresponseheadersregex'
                    type: string
                  tls:
                    description: TLS defines the configuration used to secure the
                      connection to the authentication server.
                    properties:
                      caOptional:
                        type: boolean
                      caSecret:
                        description: CASecret is the name of the referenced Kubernetes
                          Secret containing the CA to validate the server certificate.
                          The CA certificate is extracted from key `tls.ca` or `ca.crt`.
                        type: string
                      certSecret:
                        description: CertSecret is the name of the referenced Kubernetes
                          Secret containing the client certificate. The client certificate
                          is extracted from the keys `tls.crt` and `tls.key`.
                        type: string
                      insecureSkipVerify:
                        description: InsecureSkipVerify defines whether the server
                          certificates should be validated.
                        type: boolean
                    type: object
                  trustForwardHeader:
                    description: 'TrustForwardHeader defines whether to trust (ie:
                      forward) all X-Forwarded-* headers.'
                    type: boolean
                type: object
              headers:
                description: 'Headers holds the headers middleware configuration.
                  This middleware manages the requests and responses headers. More
                  info: https://doc.traefik.io/traefik/v2.9/middlewares/http/headers/#customrequestheaders'
                properties:
                  accessControlAllowCredentials:
                    description: AccessControlAllowCredentials defines whether the
                      request can include user credentials.
                    type: boolean
                  accessControlAllowHeaders:
                    description: AccessControlAllowHeaders defines the Access-Control-Request-Headers
                      values sent in preflight response.
                    items:
                      type: string
                    type: array
                  accessControlAllowMethods:
                    description: AccessControlAllowMethods defines the Access-Control-Request-Method
                      values sent in preflight response.
                    items:
                      type: string
                    type: array
                  accessControlAllowOriginList:
                    description: AccessControlAllowOriginList is a list of allowable
                      origins. Can also be a wildcard origin "*".
                    items:
                      type: string
                    type: array
                  accessControlAllowOriginListRegex:
                    description: AccessControlAllowOriginListRegex is a list of allowable
                      origins written following the Regular Expression syntax (https://golang.org/pkg/regexp/).
                    items:
                      type: string
                    type: array
                  accessControlExposeHeaders:
                    description: AccessControlExposeHeaders defines the Access-Control-Expose-Headers
                      values sent in preflight response.
                    items:
                      type: string
                    type: array
                  accessControlMaxAge:
                    description: AccessControlMaxAge defines the time that a preflight
                      request may be cached.
                    format: int64
                    type: integer
                  addVaryHeader:
                    description: AddVaryHeader defines whether the Vary header is
                      automatically added/updated when the AccessControlAllowOriginList
                      is set.
                    type: boolean
                  allowedHosts:
                    description: AllowedHosts defines the fully qualified list of
                      allowed domain names.
                    items:
                      type: string
                    type: array
                  browserXssFilter:
                    description: BrowserXSSFilter defines whether to add the X-XSS-Protection
                      header with the value 1; mode=block.
                    type: boolean
                  contentSecurityPolicy:
                    description: ContentSecurityPolicy defines the Content-Security-Policy
                      header value.
                    type: string
                  contentTypeNosniff:
                    description: ContentTypeNosniff defines whether to add the X-Content-Type-Options
                      header with the nosniff value.
                    type: boolean
                  customBrowserXSSValue:
                    description: CustomBrowserXSSValue defines the X-XSS-Protection
                      header value. This overrides the BrowserXssFilter option.
                    type: string
                  customFrameOptionsValue:
                    description: CustomFrameOptionsValue defines the X-Frame-Options
                      header value. This overrides the FrameDeny option.
                    type: string
                  customRequestHeaders:
                    additionalProperties:
                      type: string
                    description: CustomRequestHeaders defines the header names and
                      values to apply to the request.
                    type: object
                  customResponseHeaders:
                    additionalProperties:
                      type: string
                    description: CustomResponseHeaders defines the header names and
                      values to apply to the response.
                    type: object
                  featurePolicy:
                    description: 'Deprecated: use PermissionsPolicy instead.'
                    type: string
                  forceSTSHeader:
                    description: ForceSTSHeader defines whether to add the STS header
                      even when the connection is HTTP.
                    type: boolean
                  frameDeny:
                    description: FrameDeny defines whether to add the X-Frame-Options
                      header with the DENY value.
                    type: boolean
                  hostsProxyHeaders:
                    description: HostsProxyHeaders defines the header keys that may
                      hold a proxied hostname value for the request.
                    items:
                      type: string
                    type: array
                  isDevelopment:
                    description: IsDevelopment defines whether to mitigate the unwanted
                      effects of the AllowedHosts, SSL, and STS options when developing.
                      Usually testing takes place using HTTP, not HTTPS, and on localhost,
                      not your production domain. If you would like your development
                      environment to mimic production with complete Host blocking,
                      SSL redirects, and STS headers, leave this as false.
                    type: boolean
                  permissionsPolicy:
                    description: PermissionsPolicy defines the Permissions-Policy
                      header value. This allows sites to control browser features.
                    type: string
                  publicKey:
                    description: PublicKey is the public key that implements HPKP
                      to prevent MITM attacks with forged certificates.
                    type: string
                  referrerPolicy:
                    description: ReferrerPolicy defines the Referrer-Policy header
                      value. This allows sites to control whether browsers forward
                      the Referer header to other sites.
                    type: string
                  sslForceHost:
                    description: 'Deprecated: use RedirectRegex instead.'
                    type: boolean
                  sslHost:
                    description: 'Deprecated: use RedirectRegex instead.'
                    type: string
                  sslProxyHeaders:
                    additionalProperties:
                      type: string
                    description: 'SSLProxyHeaders defines the header keys with associated
                      values that would indicate a valid HTTPS request. It can be
                      useful when using other proxies (example: "X-Forwarded-Proto":
                      "https").'
                    type: object
                  sslRedirect:
                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
                      instead.'
                    type: boolean
                  sslTemporaryRedirect:
                    description: 'Deprecated: use EntryPoint redirection or RedirectScheme
                      instead.'
                    type: boolean
                  stsIncludeSubdomains:
                    description: STSIncludeSubdomains defines whether the includeSubDomains
                      directive is appended to the Strict-Transport-Security header.
                    type: boolean
                  stsPreload:
                    description: STSPreload defines whether the preload flag is appended
                      to the Strict-Transport-Security header.
                    type: boolean
                  stsSeconds:
                    description: STSSeconds defines the max-age of the Strict-Transport-Security
                      header. If set to 0, the header is not set.
                    format: int64
                    type: integer
                type: object
              inFlightReq:
                description: 'InFlightReq holds the in-flight request middleware configuration.
                  This middleware limits the number of requests being processed and
                  served concurrently. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/inflightreq/'
                properties:
                  amount:
                    description: Amount defines the maximum amount of allowed simultaneous
                      in-flight request. The middleware responds with HTTP 429 Too
                      Many Requests if there are already amount requests in progress
                      (based on the same sourceCriterion strategy).
                    format: int64
                    type: integer
                  sourceCriterion:
                    description: 'SourceCriterion defines what criterion is used to
                      group requests as originating from a common source. If several
                      strategies are defined at the same time, an error will be raised.
                      If none are set, the default is to use the requestHost. More
                      info: https://doc.traefik.io/traefik/v2.9/middlewares/http/inflightreq/#sourcecriterion'
                    properties:
                      ipStrategy:
                        description: 'IPStrategy holds the IP strategy configuration
                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
                              header and take the IP located at the depth position
                              (starting from the right).
                            type: integer
                          excludedIPs:
                            description: ExcludedIPs configures Traefik to scan the
                              X-Forwarded-For header and select the first IP not in
                              the list.
                            items:
                              type: string
                            type: array
                        type: object
                      requestHeaderName:
                        description: RequestHeaderName defines the name of the header
                          used to group incoming requests.
                        type: string
                      requestHost:
                        description: RequestHost defines whether to consider the request
                          Host as the source.
                        type: boolean
                    type: object
                type: object
              ipWhiteList:
                description: 'IPWhiteList holds the IP whitelist middleware configuration.
                  This middleware accepts / refuses requests based on the client IP.
                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/'
                properties:
                  ipStrategy:
                    description: 'IPStrategy holds the IP strategy configuration used
                      by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
                    properties:
                      depth:
                        description: Depth tells Traefik to use the X-Forwarded-For
                          header and take the IP located at the depth position (starting
                          from the right).
                        type: integer
                      excludedIPs:
                        description: ExcludedIPs configures Traefik to scan the X-Forwarded-For
                          header and select the first IP not in the list.
                        items:
                          type: string
                        type: array
                    type: object
                  sourceRange:
                    description: SourceRange defines the set of allowed IPs (or ranges
                      of allowed IPs by using CIDR notation).
                    items:
                      type: string
                    type: array
                type: object
              passTLSClientCert:
                description: 'PassTLSClientCert holds the pass TLS client cert middleware
                  configuration. This middleware adds the selected data from the passed
                  client TLS certificate to a header. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/passtlsclientcert/'
                properties:
                  info:
                    description: Info selects the specific client certificate details
                      you want to add to the X-Forwarded-Tls-Client-Cert-Info header.
                    properties:
                      issuer:
                        description: Issuer defines the client certificate issuer
                          details to add to the X-Forwarded-Tls-Client-Cert-Info header.
                        properties:
                          commonName:
                            description: CommonName defines whether to add the organizationalUnit
                              information into the issuer.
                            type: boolean
                          country:
                            description: Country defines whether to add the country
                              information into the issuer.
                            type: boolean
                          domainComponent:
                            description: DomainComponent defines whether to add the
                              domainComponent information into the issuer.
                            type: boolean
                          locality:
                            description: Locality defines whether to add the locality
                              information into the issuer.
                            type: boolean
                          organization:
                            description: Organization defines whether to add the organization
                              information into the issuer.
                            type: boolean
                          province:
                            description: Province defines whether to add the province
                              information into the issuer.
                            type: boolean
                          serialNumber:
                            description: SerialNumber defines whether to add the serialNumber
                              information into the issuer.
                            type: boolean
                        type: object
                      notAfter:
                        description: NotAfter defines whether to add the Not After
                          information from the Validity part.
                        type: boolean
                      notBefore:
                        description: NotBefore defines whether to add the Not Before
                          information from the Validity part.
                        type: boolean
                      sans:
                        description: Sans defines whether to add the Subject Alternative
                          Name information from the Subject Alternative Name part.
                        type: boolean
                      serialNumber:
                        description: SerialNumber defines whether to add the client
                          serialNumber information.
                        type: boolean
                      subject:
                        description: Subject defines the client certificate subject
                          details to add to the X-Forwarded-Tls-Client-Cert-Info header.
                        properties:
                          commonName:
                            description: CommonName defines whether to add the organizationalUnit
                              information into the subject.
                            type: boolean
                          country:
                            description: Country defines whether to add the country
                              information into the subject.
                            type: boolean
                          domainComponent:
                            description: DomainComponent defines whether to add the
                              domainComponent information into the subject.
                            type: boolean
                          locality:
                            description: Locality defines whether to add the locality
                              information into the subject.
                            type: boolean
                          organization:
                            description: Organization defines whether to add the organization
                              information into the subject.
                            type: boolean
                          organizationalUnit:
                            description: OrganizationalUnit defines whether to add
                              the organizationalUnit information into the subject.
                            type: boolean
                          province:
                            description: Province defines whether to add the province
                              information into the subject.
                            type: boolean
                          serialNumber:
                            description: SerialNumber defines whether to add the serialNumber
                              information into the subject.
                            type: boolean
                        type: object
                    type: object
                  pem:
                    description: PEM sets the X-Forwarded-Tls-Client-Cert header with
                      the certificate.
                    type: boolean
                type: object
              plugin:
                additionalProperties:
                  x-kubernetes-preserve-unknown-fields: true
                description: 'Plugin defines the middleware plugin configuration.
                  More info: https://doc.traefik.io/traefik/plugins/'
                type: object
              rateLimit:
                description: 'RateLimit holds the rate limit configuration. This middleware
                  ensures that services will receive a fair amount of requests, and
                  allows one to define what fair is. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ratelimit/'
                properties:
                  average:
                    description: Average is the maximum rate, by default in requests/s,
                      allowed for the given source. It defaults to 0, which means
                      no rate limiting. The rate is actually defined by dividing Average
                      by Period. So for a rate below 1req/s, one needs to define a
                      Period larger than a second.
                    format: int64
                    type: integer
                  burst:
                    description: Burst is the maximum number of requests allowed to
                      arrive in the same arbitrarily small period of time. It defaults
                      to 1.
                    format: int64
                    type: integer
                  period:
                    anyOf:
                    - type: integer
                    - type: string
                    description: 'Period, in combination with Average, defines the
                      actual maximum rate, such as: r = Average / Period. It defaults
                      to a second.'
                    x-kubernetes-int-or-string: true
                  sourceCriterion:
                    description: SourceCriterion defines what criterion is used to
                      group requests as originating from a common source. If several
                      strategies are defined at the same time, an error will be raised.
                      If none are set, the default is to use the request's remote
                      address field (as an ipStrategy).
                    properties:
                      ipStrategy:
                        description: 'IPStrategy holds the IP strategy configuration
                          used by Traefik to determine the client IP. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/ipwhitelist/#ipstrategy'
                        properties:
                          depth:
                            description: Depth tells Traefik to use the X-Forwarded-For
                              header and take the IP located at the depth position
                              (starting from the right).
                            type: integer
                          excludedIPs:
                            description: ExcludedIPs configures Traefik to scan the
                              X-Forwarded-For header and select the first IP not in
                              the list.
                            items:
                              type: string
                            type: array
                        type: object
                      requestHeaderName:
                        description: RequestHeaderName defines the name of the header
                          used to group incoming requests.
                        type: string
                      requestHost:
                        description: RequestHost defines whether to consider the request
                          Host as the source.
                        type: boolean
                    type: object
                type: object
              redirectRegex:
                description: 'RedirectRegex holds the redirect regex middleware configuration.
                  This middleware redirects a request using regex matching and replacement.
                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/redirectregex/#regex'
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
                      (301).
                    type: boolean
                  regex:
                    description: Regex defines the regex used to match and capture
                      elements from the request URL.
                    type: string
                  replacement:
                    description: Replacement defines how to modify the URL to have
                      the new target URL.
                    type: string
                type: object
              redirectScheme:
                description: 'RedirectScheme holds the redirect scheme middleware
                  configuration. This middleware redirects requests from a scheme/port
                  to another. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/redirectscheme/'
                properties:
                  permanent:
                    description: Permanent defines whether the redirection is permanent
                      (301).
                    type: boolean
                  port:
                    description: Port defines the port of the new URL.
                    type: string
                  scheme:
                    description: Scheme defines the scheme of the new URL.
                    type: string
                type: object
              replacePath:
                description: 'ReplacePath holds the replace path middleware configuration.
                  This middleware replaces the path of the request URL and store the
                  original path in an X-Replaced-Path header. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/replacepath/'
                properties:
                  path:
                    description: Path defines the path to use as replacement in the
                      request URL.
                    type: string
                type: object
              replacePathRegex:
                description: 'ReplacePathRegex holds the replace path regex middleware
                  configuration. This middleware replaces the path of a URL using
                  regex matching and replacement. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/replacepathregex/'
                properties:
                  regex:
                    description: Regex defines the regular expression used to match
                      and capture the path from the request URL.
                    type: string
                  replacement:
                    description: Replacement defines the replacement path format,
                      which can include captured variables.
                    type: string
                type: object
              retry:
                description: 'Retry holds the retry middleware configuration. This
                  middleware reissues requests a given number of times to a backend
                  server if that server does not reply. As soon as the server answers,
                  the middleware stops retrying, regardless of the response status.
                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/retry/'
                properties:
                  attempts:
                    description: Attempts defines how many times the request should
                      be retried.
                    type: integer
                  initialInterval:
                    anyOf:
                    - type: integer
                    - type: string
                    description: InitialInterval defines the first wait time in the
                      exponential backoff series. The maximum interval is calculated
                      as twice the initialInterval. If unspecified, requests will
                      be retried immediately. The value of initialInterval should
                      be provided in seconds or as a valid duration format, see https://pkg.go.dev/time#ParseDuration.
                    x-kubernetes-int-or-string: true
                type: object
              stripPrefix:
                description: 'StripPrefix holds the strip prefix middleware configuration.
                  This middleware removes the specified prefixes from the URL path.
                  More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/stripprefix/'
                properties:
                  forceSlash:
                    description: 'ForceSlash ensures that the resulting stripped path
                      is not the empty string, by replacing it with / when necessary.
                      Default: true.'
                    type: boolean
                  prefixes:
                    description: Prefixes defines the prefixes to strip from the request
                      URL.
                    items:
                      type: string
                    type: array
                type: object
              stripPrefixRegex:
                description: 'StripPrefixRegex holds the strip prefix regex middleware
                  configuration. This middleware removes the matching prefixes from
                  the URL path. More info: https://doc.traefik.io/traefik/v2.9/middlewares/http/stripprefixregex/'
                properties:
                  regex:
                    description: Regex defines the regular expression to match the
                      path prefix from the request URL.
                    items:
                      type: string
                    type: array
                type: object
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: middlewaretcps.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: MiddlewareTCP
    listKind: MiddlewareTCPList
    plural: middlewaretcps
    singular: middlewaretcp
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: 'MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.
          More info: https://doc.traefik.io/traefik/v2.9/middlewares/overview/'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: MiddlewareTCPSpec defines the desired state of a MiddlewareTCP.
            properties:
              inFlightConn:
                description: InFlightConn defines the InFlightConn middleware configuration.
                properties:
                  amount:
                    description: Amount defines the maximum amount of allowed simultaneous
                      connections. The middleware closes the connection if there are
                      already amount connections opened.
                    format: int64
                    type: integer
                type: object
              ipWhiteList:
                description: IPWhiteList defines the IPWhiteList middleware configuration.
                properties:
                  sourceRange:
                    description: SourceRange defines the allowed IPs (or ranges of
                      allowed IPs by using CIDR notation).
                    items:
                      type: string
                    type: array
                type: object
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: serverstransports.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: ServersTransport
    listKind: ServersTransportList
    plural: serverstransports
    singular: serverstransport
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: 'ServersTransport is the CRD implementation of a ServersTransport.
          If no serversTransport is specified, the default@internal will be used.
          The default@internal serversTransport is created from the static configuration.
          More info: https://doc.traefik.io/traefik/v2.9/routing/services/#serverstransport_1'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: ServersTransportSpec defines the desired state of a ServersTransport.
            properties:
              certificatesSecrets:
                description: CertificatesSecrets defines a list of secret storing
                  client certificates for mTLS.
                items:
                  type: string
                type: array
              disableHTTP2:
                description: DisableHTTP2 disables HTTP/2 for connections with backend
                  servers.
                type: boolean
              forwardingTimeouts:
                description: ForwardingTimeouts defines the timeouts for requests
                  forwarded to the backend servers.
                properties:
                  dialTimeout:
                    anyOf:
                    - type: integer
                    - type: string
                    description: DialTimeout is the amount of time to wait until a
                      connection to a backend server can be established.
                    x-kubernetes-int-or-string: true
                  idleConnTimeout:
                    anyOf:
                    - type: integer
                    - type: string
                    description: IdleConnTimeout is the maximum period for which an
                      idle HTTP keep-alive connection will remain open before closing
                      itself.
                    x-kubernetes-int-or-string: true
                  pingTimeout:
                    anyOf:
                    - type: integer
                    - type: string
                    description: PingTimeout is the timeout after which the HTTP/2
                      connection will be closed if a response to ping is not received.
                    x-kubernetes-int-or-string: true
                  readIdleTimeout:
                    anyOf:
                    - type: integer
                    - type: string
                    description: ReadIdleTimeout is the timeout after which a health
                      check using ping frame will be carried out if no frame is received
                      on the HTTP/2 connection.
                    x-kubernetes-int-or-string: true
                  responseHeaderTimeout:
                    anyOf:
                    - type: integer
                    - type: string
                    description: ResponseHeaderTimeout is the amount of time to wait
                      for a server's response headers after fully writing the request
                      (including its body, if any).
                    x-kubernetes-int-or-string: true
                type: object
              insecureSkipVerify:
                description: InsecureSkipVerify disables SSL certificate verification.
                type: boolean
              maxIdleConnsPerHost:
                description: MaxIdleConnsPerHost controls the maximum idle (keep-alive)
                  to keep per-host.
                type: integer
              peerCertURI:
                description: PeerCertURI defines the peer cert URI used to match against
                  SAN URI during the peer certificate verification.
                type: string
              rootCAsSecrets:
                description: RootCAsSecrets defines a list of CA secret used to validate
                  self-signed certificate.
                items:
                  type: string
                type: array
              serverName:
                description: ServerName defines the server name used to contact the
                  server.
                type: string
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: TLSOption
    listKind: TLSOptionList
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: 'TLSOption is the CRD implementation of a Traefik TLS Option,
          allowing to configure some parameters of the TLS connection. More info:
          https://doc.traefik.io/traefik/v2.9/https/tls/#tls-options'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: TLSOptionSpec defines the desired state of a TLSOption.
            properties:
              alpnProtocols:
                description: 'ALPNProtocols defines the list of supported application
                  level protocols for the TLS handshake, in order of preference. More
                  info: https://doc.traefik.io/traefik/v2.9/https/tls/#alpn-protocols'
                items:
                  type: string
                type: array
              cipherSuites:
                description: 'CipherSuites defines the list of supported cipher suites
                  for TLS versions up to TLS 1.2. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#cipher-suites'
                items:
                  type: string
                type: array
              clientAuth:
                description: ClientAuth defines the server's policy for TLS Client
                  Authentication.
                properties:
                  clientAuthType:
                    description: ClientAuthType defines the client authentication
                      type to apply.
                    enum:
                    - NoClientCert
                    - RequestClientCert
                    - RequireAnyClientCert
                    - VerifyClientCertIfGiven
                    - RequireAndVerifyClientCert
                    type: string
                  secretNames:
                    description: SecretNames defines the names of the referenced Kubernetes
                      Secret storing certificate details.
                    items:
                      type: string
                    type: array
                type: object
              curvePreferences:
                description: 'CurvePreferences defines the preferred elliptic curves
                  in a specific order. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#curve-preferences'
                items:
                  type: string
                type: array
              maxVersion:
                description: 'MaxVersion defines the maximum TLS version that Traefik
                  will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
                  VersionTLS13. Default: None.'
                type: string
              minVersion:
                description: 'MinVersion defines the minimum TLS version that Traefik
                  will accept. Possible values: VersionTLS10, VersionTLS11, VersionTLS12,
                  VersionTLS13. Default: VersionTLS10.'
                type: string
              preferServerCipherSuites:
                description: 'PreferServerCipherSuites defines whether the server
                  chooses a cipher suite among his own instead of among the client''s.
                  It is enabled automatically when minVersion or maxVersion is set.
                  Deprecated: https://github.com/golang/go/issues/45430'
                type: boolean
              sniStrict:
                description: SniStrict defines whether Traefik allows connections
                  from clients connections that do not specify a server_name extension.
                type: boolean
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: tlsstores.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: TLSStore
    listKind: TLSStoreList
    plural: tlsstores
    singular: tlsstore
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: 'TLSStore is the CRD implementation of a Traefik TLS Store. For
          the time being, only the TLSStore named default is supported. This means
          that you cannot have two stores that are named default in different Kubernetes
          namespaces. More info: https://doc.traefik.io/traefik/v2.9/https/tls/#certificates-stores'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: TLSStoreSpec defines the desired state of a TLSStore.
            properties:
              certificates:
                description: Certificates is a list of secret names, each secret holding
                  a key/certificate pair to add to the store.
                items:
                  description: Certificate holds a secret name for the TLSStore resource.
                  properties:
                    secretName:
                      description: SecretName is the name of the referenced Kubernetes
                        Secret to specify the certificate details.
                      type: string
                  required:
                  - secretName
                  type: object
                type: array
              defaultCertificate:
                description: DefaultCertificate defines the default certificate configuration.
                properties:
                  secretName:
                    description: SecretName is the name of the referenced Kubernetes
                      Secret to specify the certificate details.
                    type: string
                required:
                - secretName
                type: object
              defaultGeneratedCert:
                description: DefaultGeneratedCert defines the default generated certificate
                  configuration.
                properties:
                  domain:
                    description: Domain is the domain definition for the DefaultCertificate.
                    properties:
                      main:
                        description: Main defines the main domain name.
                        type: string
                      sans:
                        description: SANs defines the subject alternative domain names.
                        items:
                          type: string
                        type: array
                    type: object
                  resolver:
                    description: Resolver is the name of the resolver that will be
                      used to issue the DefaultCertificate.
                    type: string
                type: object
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []

---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.6.2
  creationTimestamp: null
  name: traefikservices.traefik.containo.us
spec:
  group: traefik.containo.us
  names:
    kind: TraefikService
    listKind: TraefikServiceList
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: 'TraefikService is the CRD implementation of a Traefik Service.
          TraefikService object allows to: - Apply weight to Services on load-balancing
          - Mirror traffic on services More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#kind-traefikservice'
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: TraefikServiceSpec defines the desired state of a TraefikService.
            properties:
              mirroring:
                description: Mirroring defines the Mirroring service configuration.
                properties:
                  kind:
                    description: Kind defines the kind of the Service.
                    enum:
                    - Service
                    - TraefikService
                    type: string
                  maxBodySize:
                    description: MaxBodySize defines the maximum size allowed for
                      the body of the request. If the body is larger, the request
                      is not mirrored. Default value is -1, which means unlimited
                      size.
                    format: int64
                    type: integer
                  mirrors:
                    description: Mirrors defines the list of mirrors where Traefik
                      will duplicate the traffic.
                    items:
                      description: MirrorService holds the mirror configuration.
                      properties:
                        kind:
                          description: Kind defines the kind of the Service.
                          enum:
                          - Service
                          - TraefikService
                          type: string
                        name:
                          description: Name defines the name of the referenced Kubernetes
                            Service or TraefikService. The differentiation between
                            the two is specified in the Kind field.
                          type: string
                        namespace:
                          description: Namespace defines the namespace of the referenced
                            Kubernetes Service or TraefikService.
                          type: string
                        passHostHeader:
                          description: PassHostHeader defines whether the client Host
                            header is forwarded to the upstream Kubernetes Service.
                            By default, passHostHeader is true.
                          type: boolean
                        percent:
                          description: 'Percent defines the part of the traffic to
                            mirror. Supported values: 0 to 100.'
                          type: integer
                        port:
                          anyOf:
                          - type: integer
                          - type: string
                          description: Port defines the port of a Kubernetes Service.
                            This can be a reference to a named port.
                          x-kubernetes-int-or-string: true
                        responseForwarding:
                          description: ResponseForwarding defines how Traefik forwards
                            the response from the upstream Kubernetes Service to the
                            client.
                          properties:
                            flushInterval:
                              description: 'FlushInterval defines the interval, in
                                milliseconds, in between flushes to the client while
                                copying the response body. A negative value means
                                to flush immediately after each write to the client.
                                This configuration is ignored when ReverseProxy recognizes
                                a response as a streaming response; for such responses,
                                writes are flushed to the client immediately. Default:
                                100ms'
                              type: string
                          type: object
                        scheme:
                          description: Scheme defines the scheme to use for the request
                            to the upstream Kubernetes Service. It defaults to https
                            when Kubernetes Service port is 443, http otherwise.
                          type: string
                        serversTransport:
                          description: ServersTransport defines the name of ServersTransport
                            resource to use. It allows to configure the transport
                            between Traefik and your servers. Can only be used on
                            a Kubernetes Service.
                          type: string
                        sticky:
                          description: 'Sticky defines the sticky sessions configuration.
                            More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
                              properties:
                                httpOnly:
                                  description: HTTPOnly defines whether the cookie
                                    can be accessed by client-side APIs, such as JavaScript.
                                  type: boolean
                                name:
                                  description: Name defines the Cookie name.
                                  type: string
                                sameSite:
                                  description: 'SameSite defines the same site policy.
                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
                                  type: string
                                secure:
                                  description: Secure defines whether the cookie can
                                    only be transmitted over an encrypted connection
                                    (i.e. HTTPS).
                                  type: boolean
                              type: object
                          type: object
                        strategy:
                          description: Strategy defines the load balancing strategy
                            between the servers. RoundRobin is the only supported
                            value at the moment.
                          type: string
                        weight:
                          description: Weight defines the weight and should only be
                            specified when Name references a TraefikService object
                            (and to be precise, one that embeds a Weighted Round Robin).
                          type: integer
                      required:
                      - name
                      type: object
                    type: array
                  name:
                    description: Name defines the name of the referenced Kubernetes
                      Service or TraefikService. The differentiation between the two
                      is specified in the Kind field.
                    type: string
                  namespace:
                    description: Namespace defines the namespace of the referenced
                      Kubernetes Service or TraefikService.
                    type: string
                  passHostHeader:
                    description: PassHostHeader defines whether the client Host header
                      is forwarded to the upstream Kubernetes Service. By default,
                      passHostHeader is true.
                    type: boolean
                  port:
                    anyOf:
                    - type: integer
                    - type: string
                    description: Port defines the port of a Kubernetes Service. This
                      can be a reference to a named port.
                    x-kubernetes-int-or-string: true
                  responseForwarding:
                    description: ResponseForwarding defines how Traefik forwards the
                      response from the upstream Kubernetes Service to the client.
                    properties:
                      flushInterval:
                        description: 'FlushInterval defines the interval, in milliseconds,
                          in between flushes to the client while copying the response
                          body. A negative value means to flush immediately after
                          each write to the client. This configuration is ignored
                          when ReverseProxy recognizes a response as a streaming response;
                          for such responses, writes are flushed to the client immediately.
                          Default: 100ms'
                        type: string
                    type: object
                  scheme:
                    description: Scheme defines the scheme to use for the request
                      to the upstream Kubernetes Service. It defaults to https when
                      Kubernetes Service port is 443, http otherwise.
                    type: string
                  serversTransport:
                    description: ServersTransport defines the name of ServersTransport
                      resource to use. It allows to configure the transport between
                      Traefik and your servers. Can only be used on a Kubernetes Service.
                    type: string
                  sticky:
                    description: 'Sticky defines the sticky sessions configuration.
                      More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
                        properties:
                          httpOnly:
                            description: HTTPOnly defines whether the cookie can be
                              accessed by client-side APIs, such as JavaScript.
                            type: boolean
                          name:
                            description: Name defines the Cookie name.
                            type: string
                          sameSite:
                            description: 'SameSite defines the same site policy. More
                              info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
                            type: string
                          secure:
                            description: Secure defines whether the cookie can only
                              be transmitted over an encrypted connection (i.e. HTTPS).
                            type: boolean
                        type: object
                    type: object
                  strategy:
                    description: Strategy defines the load balancing strategy between
                      the servers. RoundRobin is the only supported value at the moment.
                    type: string
                  weight:
                    description: Weight defines the weight and should only be specified
                      when Name references a TraefikService object (and to be precise,
                      one that embeds a Weighted Round Robin).
                    type: integer
                required:
                - name
                type: object
              weighted:
                description: Weighted defines the Weighted Round Robin configuration.
                properties:
                  services:
                    description: Services defines the list of Kubernetes Service and/or
                      TraefikService to load-balance, with weight.
                    items:
                      description: Service defines an upstream HTTP service to proxy
                        traffic to.
                      properties:
                        kind:
                          description: Kind defines the kind of the Service.
                          enum:
                          - Service
                          - TraefikService
                          type: string
                        name:
                          description: Name defines the name of the referenced Kubernetes
                            Service or TraefikService. The differentiation between
                            the two is specified in the Kind field.
                          type: string
                        namespace:
                          description: Namespace defines the namespace of the referenced
                            Kubernetes Service or TraefikService.
                          type: string
                        passHostHeader:
                          description: PassHostHeader defines whether the client Host
                            header is forwarded to the upstream Kubernetes Service.
                            By default, passHostHeader is true.
                          type: boolean
                        port:
                          anyOf:
                          - type: integer
                          - type: string
                          description: Port defines the port of a Kubernetes Service.
                            This can be a reference to a named port.
                          x-kubernetes-int-or-string: true
                        responseForwarding:
                          description: ResponseForwarding defines how Traefik forwards
                            the response from the upstream Kubernetes Service to the
                            client.
                          properties:
                            flushInterval:
                              description: 'FlushInterval defines the interval, in
                                milliseconds, in between flushes to the client while
                                copying the response body. A negative value means
                                to flush immediately after each write to the client.
                                This configuration is ignored when ReverseProxy recognizes
                                a response as a streaming response; for such responses,
                                writes are flushed to the client immediately. Default:
                                100ms'
                              type: string
                          type: object
                        scheme:
                          description: Scheme defines the scheme to use for the request
                            to the upstream Kubernetes Service. It defaults to https
                            when Kubernetes Service port is 443, http otherwise.
                          type: string
                        serversTransport:
                          description: ServersTransport defines the name of ServersTransport
                            resource to use. It allows to configure the transport
                            between Traefik and your servers. Can only be used on
                            a Kubernetes Service.
                          type: string
                        sticky:
                          description: 'Sticky defines the sticky sessions configuration.
                            More info: https://doc.traefik.io/traefik/v2.9/routing/services/#sticky-sessions'
                          properties:
                            cookie:
                              description: Cookie defines the sticky cookie configuration.
                              properties:
                                httpOnly:
                                  description: HTTPOnly defines whether the cookie
                                    can be accessed by client-side APIs, such as JavaScript.
                                  type: boolean
                                name:
                                  description: Name defines the Cookie name.
                                  type: string
                                sameSite:
                                  description: 'SameSite defines the same site policy.
                                    More info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
                                  type: string
                                secure:
                                  description: Secure defines whether the cookie can
                                    only be transmitted over an encrypted connection
                                    (i.e. HTTPS).
                                  type: boolean
                              type: object
                          type: object
                        strategy:
                          description: Strategy defines the load balancing strategy
                            between the servers. RoundRobin is the only supported
                            value at the moment.
                          type: string
                        weight:
                          description: Weight defines the weight and should only be
                            specified when Name references a TraefikService object
                            (and to be precise, one that embeds a Weighted Round Robin).
                          type: integer
                      required:
                      - name
                      type: object
                    type: array
                  sticky:
                    description: 'Sticky defines whether sticky sessions are enabled.
                      More info: https://doc.traefik.io/traefik/v2.9/routing/providers/kubernetes-crd/#stickiness-and-load-balancing'
                    properties:
                      cookie:
                        description: Cookie defines the sticky cookie configuration.
                        properties:
                          httpOnly:
                            description: HTTPOnly defines whether the cookie can be
                              accessed by client-side APIs, such as JavaScript.
                            type: boolean
                          name:
                            description: Name defines the Cookie name.
                            type: string
                          sameSite:
                            description: 'SameSite defines the same site policy. More
                              info: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite'
                            type: string
                          secure:
                            description: Secure defines whether the cookie can only
                              be transmitted over an encrypted connection (i.e. HTTPS).
                            type: boolean
                        type: object
                    type: object
                type: object
            type: object
        required:
        - metadata
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-ingress-controller

rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
    verbs:
      - get
      - list
      - watch

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-ingress-controller

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: default
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik
  labels:
    app: traefik

spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v2.9
          args:
            - --log.level=DEBUG
            - --api
            - --api.insecure
            - --entrypoints.web.address=:80
            - --entrypoints.tcpep.address=:8000
            - --entrypoints.udpep.address=:9000/udp
            - --providers.kubernetescrd
          ports:
            - name: web
              containerPort: 80
            - name: admin
              containerPort: 8080
            - name: tcpep
              containerPort: 8000
            - name: udpep
              containerPort: 9000

---
apiVersion: v1
kind: Service
metadata:
  name: traefik
spec:
  type: LoadBalancer
  selector:
    app: traefik
  ports:
    - protocol: TCP
      port: 80
      name: web
      targetPort: 80
    - protocol: TCP
      port: 8080
      name: admin
      targetPort: 8080
    - protocol: TCP
      port: 8000
      name: tcpep
      targetPort: 8000

---
apiVersion: v1
kind: Service
metadata:
  name: traefikudp
spec:
  type: LoadBalancer
  selector:
    app: traefik
  ports:
    - protocol: UDP
      port: 9000
      name: udpep
      targetPort: 9000
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: myingressroute
  namespace: default

spec:
  entryPoints:
    - web

  routes:
  - match: Host(`foo`) && PathPrefix(`/bar`)
    kind: Rule
    services:
    - name: whoami
      port: 80

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroute.tcp
  namespace: default

spec:
  entryPoints:
    - tcpep
  routes:
  - match: HostSNI(`bar`)
    services:
      - name: whoamitcp
        port: 8080

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: ingressroute.udp
  namespace: default

spec:
  entryPoints:
    - udpep
  routes:
  - services:
      - name: whoamiudp
        port: 8080
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoami
  namespace: default
  labels:
    app: traefiklabs
    name: whoami

spec:
  replicas: 2
  selector:
    matchLabels:
      app: traefiklabs
      task: whoami
  template:
    metadata:
      labels:
        app: traefiklabs
        task: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
          ports:
            - containerPort: 80

---
apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: whoami

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoamitcp
  namespace: default
  labels:
    app: traefiklabs
    name: whoamitcp

spec:
  replicas: 2
  selector:
    matchLabels:
      app: traefiklabs
      task: whoamitcp
  template:
    metadata:
      labels:
        app: traefiklabs
        task: whoamitcp
    spec:
      containers:
        - name: whoamitcp
          image: traefik/whoamitcp
          ports:
            - containerPort: 8080

---
apiVersion: v1
kind: Service
metadata:
  name: whoamitcp
  namespace: default

spec:
  ports:
    - protocol: TCP
      port: 8080
  selector:
    app: traefiklabs
    task: whoamitcp

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoamiudp
  namespace: default
  labels:
    app: traefiklabs
    name: whoamiudp

spec:
  replicas: 2
  selector:
    matchLabels:
      app: traefiklabs
      task: whoamiudp
  template:
    metadata:
      labels:
        app: traefiklabs
        task: whoamiudp
    spec:
      containers:
        - name: whoamiudp
          image: traefik/whoamiudp:latest
          ports:
            - containerPort: 8080

---
apiVersion: v1
kind: Service
metadata:
  name: whoamiudp
  namespace: default

spec:
  ports:
    - port: 8080
  selector:
    app: traefiklabs
    task: whoamiudp

Routing Configuration

Custom Resource Definition (CRD)

  • You can find an exhaustive list, generated from Traefik's source code, of the custom resources and their attributes in the reference page.
  • Validate that the prerequisites are fulfilled before using the Traefik custom resources.
  • Traefik CRDs are building blocks that you can assemble according to your needs.

You can find an excerpt of the available custom resources in the table below:

Kind Purpose Concept Behind
IngressRoute HTTP Routing HTTP router
Middleware Tweaks the HTTP requests before they are sent to your service HTTP Middlewares
TraefikService Abstraction for HTTP loadbalancing/mirroring HTTP service
IngressRouteTCP TCP Routing TCP router
MiddlewareTCP Tweaks the TCP requests before they are sent to your service TCP Middlewares
IngressRouteUDP UDP Routing UDP router
TLSOptions Allows to configure some parameters of the TLS connection TLSOptions
TLSStores Allows to configure the default TLS store TLSStores
ServersTransport Allows to configure the transport between Traefik and the backends ServersTransport

Kind: IngressRoute

IngressRoute is the CRD implementation of a Traefik HTTP router.

Register the IngressRoute kind in the Kubernetes cluster before creating IngressRoute objects.

IngressRoute Attributes

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: foo
  namespace: bar
spec:
  entryPoints:                      # [1]
    - foo
  routes:                           # [2]
  - kind: Rule
    match: Host(`test.example.com`) # [3]
    priority: 10                    # [4]
    middlewares:                    # [5]
    - name: middleware1             # [6]
      namespace: default            # [7]
    services:                       # [8]
    - kind: Service
      name: foo
      namespace: default
      passHostHeader: true
      port: 80                      # [9]
      responseForwarding:
        flushInterval: 1ms
      scheme: https
      serversTransport: transport   # [10]
      sticky:
        cookie:
          httpOnly: true
          name: cookie
          secure: true
          sameSite: none
      strategy: RoundRobin
      weight: 10
  tls:                              # [11]
    secretName: supersecret         # [12]
    options:                        # [13]
      name: opt                     # [14]
      namespace: default            # [15]
    certResolver: foo               # [16]
    domains:                        # [17]
    - main: example.net             # [18]
      sans:                         # [19]
      - a.example.net
      - b.example.net
Ref Attribute Purpose
[1] entryPoints List of entry points names
[2] routes List of routes
[3] routes[n].match Defines the rule corresponding to an underlying router.
[4] routes[n].priority Defines the priority to disambiguate rules of the same length, for route matching
[5] routes[n].middlewares List of reference to Middleware
[6] middlewares[n].name Defines the Middleware name
[7] middlewares[n].namespace Defines the Middleware namespace
[8] routes[n].services List of any combination of TraefikService and reference to a Kubernetes service (See below for ExternalName Service setup)
[9] services[n].port Defines the port of a Kubernetes service. This can be a reference to a named port.
[10] services[n].serversTransport Defines the reference to a ServersTransport. The ServersTransport namespace is assumed to be the Kubernetes service namespace (see ServersTransport reference).
[11] tls Defines TLS certificate configuration
[12] tls.secretName Defines the secret name used to store the certificate (in the IngressRoute namespace)
[13] tls.options Defines the reference to a TLSOption
[14] options.name Defines the TLSOption name
[15] options.namespace Defines the TLSOption namespace
[16] tls.certResolver Defines the reference to a CertResolver
[17] tls.domains List of domains
[18] domains[n].main Defines the main domain name
[19] domains[n].sans List of SANs (alternative domains)
Declaring an IngressRoute
# All resources definition must be declared
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test-name
  namespace: default
spec:
  entryPoints:
    - web
  routes:
  - kind: Rule
    match: Host(`test.example.com`)
    middlewares:
    - name: middleware1
      namespace: default
    priority: 10
    services:
    - kind: Service
      name: foo
      namespace: default
      passHostHeader: true
      port: 80
      responseForwarding:
        flushInterval: 1ms
      scheme: https
      sticky:
        cookie:
          httpOnly: true
          name: cookie
          secure: true
      strategy: RoundRobin
      weight: 10
  tls:
    certResolver: foo
    domains:
    - main: example.net
      sans:
      - a.example.net
      - b.example.net
    options:
      name: opt
      namespace: default
    secretName: supersecret
# All resources definition must be declared
# Prefixing with /foo
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: middleware1
  namespace: default
spec:
  addPrefix:
    prefix: /foo
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: opt
  namespace: default

spec:
  minVersion: VersionTLS12
apiVersion: v1
kind: Secret
metadata:
  name: supersecret

data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=

Configuring Backend Protocol

There are 3 ways to configure the backend protocol for communication between Traefik and your pods:

  • Setting the scheme explicitly (http/https/h2c)
  • Configuring the name of the kubernetes service port to start with https (https)
  • Setting the kubernetes service port to use port 443 (https)

If you do not configure the above, Traefik will assume an http connection.

Using Kubernetes ExternalName Service

Traefik backends creation needs a port to be set, however Kubernetes ExternalName Service could be defined without any port. Accordingly, Traefik supports defining a port in two ways:

  • only on IngressRoute service
  • on both sides, you'll be warned if the ports don't match, and the IngressRoute service port is used

Thus, in case of two sides port definition, Traefik expects a match between ports.

Examples
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - match: Host(`example.net`)
    kind: Rule
    services:
    - name: external-svc
      port: 80

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - match: Host(`example.net`)
    kind: Rule
    services:
    - name: external-svc

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - match: Host(`example.net`)
    kind: Rule
    services:
    - name: external-svc
      port: 80

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80

Load Balancing

More information in the dedicated server load balancing section.

Declaring and using Kubernetes Service Load Balancing

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/foo`)
    kind: Rule
    services:
    - name: svc1
      namespace: default
    - name: svc2
      namespace: default
apiVersion: v1
kind: Service
metadata:
  name: svc1
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app1
---
apiVersion: v1
kind: Service
metadata:
  name: svc2
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app2

Kind: Middleware

Middleware is the CRD implementation of a Traefik middleware.

Register the Middleware kind in the Kubernetes cluster before creating Middleware objects or referencing middlewares in the IngressRoute objects.

Declaring and Referencing a Middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: stripprefix
  namespace: foo

spec:
  stripPrefix:
    prefixes:
      - /stripit
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/stripit`)
    kind: Rule
    services:
    - name: whoami
      port: 80
    middlewares:
    - name: stripprefix
      namespace: foo

Cross-provider namespace

As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource (in the reference to the middleware) with the provider namespace, when the definition of the middleware comes from another provider. In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored. Additionally, when you want to reference a Middleware from the CRD Provider, you have to append the namespace of the resource in the resource-name as Traefik appends the namespace internally automatically.

More information about available middlewares in the dedicated middlewares section.

Kind: TraefikService

TraefikService is the CRD implementation of a "Traefik Service".

Register the TraefikService kind in the Kubernetes cluster before creating TraefikService objects, referencing services in the IngressRoute objects, or recursively in others TraefikService objects.

Disambiguate Traefik and Kubernetes Services

As the field name can reference different types of objects, use the field kind to avoid any ambiguity.

The field kind allows the following values:

TraefikService object allows to use any (valid) combinations of:

Weighted Round Robin

More information in the dedicated Weighted Round Robin service load balancing section.

Declaring and Using Weighted Round Robin
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/foo`)
    kind: Rule
    services:
    - name: wrr1
      namespace: default
      kind: TraefikService
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: wrr1
  namespace: default

spec:
  weighted:
    services:
      - name: svc1
        port: 80
        weight: 1
      - name: wrr2
        kind: TraefikService
        weight: 1
      - name: mirror1
        kind: TraefikService
        weight: 1

---
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: wrr2
  namespace: default

spec:
  weighted:
    services:
      - name: svc2
        port: 80
        weight: 1
      - name: svc3
        port: 80
        weight: 1
apiVersion: v1
kind: Service
metadata:
  name: svc1
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app1
---
apiVersion: v1
kind: Service
metadata:
  name: svc2
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app2
---
apiVersion: v1
kind: Service
metadata:
  name: svc3
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app3

Mirroring

More information in the dedicated mirroring service section.

Declaring and Using Mirroring
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/foo`)
    kind: Rule
    services:
    - name: mirror1
      namespace: default
      kind: TraefikService
# Mirroring from a k8s Service
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: mirror1
  namespace: default

spec:
  mirroring:
    name: svc1
    port: 80
    mirrors:
      - name: svc2
        port: 80
        percent: 20
      - name: svc3
        kind: TraefikService
        percent: 20
# Mirroring from a Traefik Service
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: mirror1
  namespace: default

spec:
  mirroring:
    name: wrr1
    kind: TraefikService
     mirrors:
       - name: svc2
         port: 80
         percent: 20
       - name: svc3
         kind: TraefikService
         percent: 20
apiVersion: v1
kind: Service
metadata:
  name: svc1
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app1
---
apiVersion: v1
kind: Service
metadata:
  name: svc2
  namespace: default

spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app2

References and namespaces

If the optional namespace attribute is not set, the configuration will be applied with the namespace of the current resource.

Additionally, when the definition of the TraefikService is from another provider, the cross-provider syntax (service@provider) should be used to refer to the TraefikService, just as in the middleware case.

Specifying a namespace attribute in this case would not make any sense, and will be ignored (except if the provider is kubernetescrd).

Stickiness and load-balancing

As explained in the section about Sticky sessions, for stickiness to work all the way, it must be specified at each load-balancing level.

For instance, in the example below, there is a first level of load-balancing because there is a (Weighted Round Robin) load-balancing of the two whoami services, and there is a second level because each whoami service is a replicaset and is thus handled as a load-balancer of servers.

Stickiness on two load-balancing levels
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar
  namespace: default

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/foo`)
    kind: Rule
    services:
    - name: wrr1
      namespace: default
      kind: TraefikService
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: wrr1
  namespace: default

spec:
  weighted:
    services:
      - name: whoami1
        kind: Service
        port: 80
        weight: 1
        sticky:
          cookie:
            name: lvl2
      - name: whoami2
        kind: Service
        weight: 1
        port: 80
        sticky:
          cookie:
            name: lvl2
    sticky:
      cookie:
        name: lvl1
apiVersion: v1
kind: Service
metadata:
  name: whoami1

spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
  selector:
    app: whoami1

---
apiVersion: v1
kind: Service
metadata:
  name: whoami2

spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
  selector:
    app: whoami2
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: whoami1
  labels:
    app: whoami1

spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami1
  template:
    metadata:
      labels:
        app: whoami1
    spec:
      containers:
        - name: whoami1
          image: traefik/whoami
          ports:
            - name: web
              containerPort: 80

---
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: whoami2
  labels:
    app: whoami2

spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami2
  template:
    metadata:
      labels:
        app: whoami2
    spec:
      containers:
        - name: whoami2
          image: traefik/whoami
          ports:
            - name: web
              containerPort: 80

To keep a session open with the same server, the client would then need to specify the two levels within the cookie for each request, e.g. with curl:

curl -H Host:example.com -b "lvl1=default-whoami1-80; lvl2=http://10.42.0.6:80" http://localhost:8000/foo

assuming 10.42.0.6 is the IP address of one of the replicas (a pod then) of the whoami1 service.

Kind: IngressRouteTCP

IngressRouteTCP is the CRD implementation of a Traefik TCP router.

Register the IngressRouteTCP kind in the Kubernetes cluster before creating IngressRouteTCP objects.

IngressRouteTCP Attributes

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroutetcpfoo

spec:
  entryPoints:                  # [1]
    - footcp
  routes:                       # [2]
  - match: HostSNI(`*`)         # [3]
    priority: 10                # [4]
    middlewares:
    - name: middleware1         # [5]
      namespace: default        # [6]
    services:                   # [7]
    - name: foo                 # [8]
      port: 8080                # [9]
      weight: 10                # [10]
      terminationDelay: 400     # [11]
      proxyProtocol:            # [12]
        version: 1              # [13]
  tls:                          # [14]
    secretName: supersecret     # [15]
    options:                    # [16]
      name: opt                 # [17]
      namespace: default        # [18]
    certResolver: foo           # [19]
    domains:                    # [20]
    - main: example.net         # [21]
      sans:                     # [22]
      - a.example.net
      - b.example.net
    passthrough: false          # [23]
Ref Attribute Purpose
[1] entryPoints List of entrypoints names
[2] routes List of routes
[3] routes[n].match Defines the rule of the underlying router
[4] routes[n].priority Defines the priority to disambiguate rules of the same length, for route matching
[5] middlewares[n].name Defines the MiddlewareTCP name
[6] middlewares[n].namespace Defines the MiddlewareTCP namespace
[7] routes[n].services List of Kubernetes service definitions (See below for ExternalName Service setup)
[8] services[n].name Defines the name of a Kubernetes service
[9] services[n].port Defines the port of a Kubernetes service. This can be a reference to a named port.
[10] services[n].weight Defines the weight to apply to the server load balancing
[11] services[n].terminationDelay corresponds to the deadline that the proxy sets, after one of its connected peers indicates it has closed the writing capability of its connection, to close the reading capability as well, hence fully terminating the connection. It is a duration in milliseconds, defaulting to 100. A negative value means an infinite deadline (i.e. the reading capability is never closed).
[12] proxyProtocol Defines the PROXY protocol configuration
[13] version Defines the PROXY protocol version
[14] tls Defines TLS certificate configuration
[15] tls.secretName Defines the secret name used to store the certificate (in the IngressRoute namespace)
[16] tls.options Defines the reference to a TLSOption
[17] options.name Defines the TLSOption name
[18] options.namespace Defines the TLSOption namespace
[19] tls.certResolver Defines the reference to a CertResolver
[20] tls.domains List of domains
[21] domains[n].main Defines the main domain name
[22] domains[n].sans List of SANs (alternative domains)
[23] tls.passthrough If true, delegates the TLS termination to the backend
Declaring an IngressRouteTCP
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroutetcpfoo

spec:
  entryPoints:
    - footcp
  routes:
  # Match is the rule corresponding to an underlying router.
  - match: HostSNI(`*`)
    priority: 10
    services:
    - name: foo
      port: 8080
      terminationDelay: 400
      weight: 10
    - name: bar
      port: 8081
      terminationDelay: 500
      weight: 10
  tls:
    certResolver: foo
    domains:
    - main: example.net
      sans:
      - a.example.net
      - b.example.net
    options:
      name: opt
      namespace: default
    secretName: supersecret
    passthrough: false
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: opt
  namespace: default

spec:
  minVersion: VersionTLS12
apiVersion: v1
kind: Secret
metadata:
  name: supersecret

data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=

Using Kubernetes ExternalName Service

Traefik backends creation needs a port to be set, however Kubernetes ExternalName Service could be defined without any port. Accordingly, Traefik supports defining a port in two ways:

  • only on IngressRouteTCP service
  • on both sides, you'll be warned if the ports don't match, and the IngressRouteTCP service port is used

Thus, in case of two sides port definition, Traefik expects a match between ports.

Examples
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - match: HostSNI(`*`)
    services:
    - name: external-svc
      port: 80

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - match: HostSNI(`*`)
    services:
    - name: external-svc
      port: 80

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80

Kind: MiddlewareTCP

MiddlewareTCP is the CRD implementation of a Traefik TCP middleware.

Register the MiddlewareTCP kind in the Kubernetes cluster before creating MiddlewareTCP objects or referencing TCP middlewares in the IngressRouteTCP objects.

Declaring and Referencing a MiddlewareTCP
apiVersion: traefik.containo.us/v1alpha1
kind: MiddlewareTCP
metadata:
  name: ipwhitelist
spec:
  ipWhiteList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.1.7
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/whitelist`)
    kind: Rule
    services:
    - name: whoami
      port: 80
    middlewares:
    - name: ipwhitelist
      namespace: foo

Cross-provider namespace

As Kubernetes also has its own notion of namespace, one should not confuse the kubernetes namespace of a resource (in the reference to the middleware) with the provider namespace, when the definition of the TCP middleware comes from another provider. In this context, specifying a namespace when referring to the resource does not make any sense, and will be ignored. Additionally, when you want to reference a MiddlewareTCP from the CRD Provider, you have to append the namespace of the resource in the resource-name as Traefik appends the namespace internally automatically.

More information about available TCP middlewares in the dedicated middlewares section.

Kind: IngressRouteUDP

IngressRouteUDP is the CRD implementation of a Traefik UDP router.

Register the IngressRouteUDP kind in the Kubernetes cluster before creating IngressRouteUDP objects.

IngressRouteUDP Attributes

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: ingressrouteudpfoo

spec:
  entryPoints:                  # [1]
    - fooudp
  routes:                       # [2]
  - services:                   # [3]
    - name: foo                 # [4]
      port: 8080                # [5]
      weight: 10                # [6]
Ref Attribute Purpose
[1] entryPoints List of entrypoints names
[2] routes List of routes
[3] routes[n].services List of Kubernetes service definitions (See below for ExternalName Service setup)
[4] services[n].name Defines the name of a Kubernetes service
[6] services[n].port Defines the port of a Kubernetes service. This can be a reference to a named port.
[7] services[n].weight Defines the weight to apply to the server load balancing
Declaring an IngressRouteUDP
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: ingressrouteudpfoo

spec:
  entryPoints:
    - fooudp
  routes:
  - services:
    - name: foo
      port: 8080
      weight: 10
    - name: bar
      port: 8081
      weight: 10

Using Kubernetes ExternalName Service

Traefik backends creation needs a port to be set, however Kubernetes ExternalName Service could be defined without any port. Accordingly, Traefik supports defining a port in two ways:

  • only on IngressRouteUDP service
  • on both sides, you'll be warned if the ports don't match, and the IngressRouteUDP service port is used

Thus, in case of two sides port definition, Traefik expects a match between ports.

Examples
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - services:
    - name: external-svc
      port: 80

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - services:
    - name: external-svc

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteUDP
metadata:
  name: test.route
  namespace: default

spec:
  entryPoints:
    - foo

  routes:
  - services:
    - name: external-svc
      port: 80

---
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: default
spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80

Kind: TLSOption

TLSOption is the CRD implementation of a Traefik "TLS Option".

Register the TLSOption kind in the Kubernetes cluster before creating TLSOption objects or referencing TLS options in the IngressRoute / IngressRouteTCP objects.

TLSOption Attributes

apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: mytlsoption                             # [1]
  namespace: default

spec:
  minVersion: VersionTLS12                      # [2]
  maxVersion: VersionTLS13                      # [3]
  curvePreferences:                             # [4]
    - CurveP521
    - CurveP384
  cipherSuites:                                 # [5]
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_RSA_WITH_AES_256_GCM_SHA384
  clientAuth:                                   # [6]
    secretNames:                                # [7]
      - secret-ca1
      - secret-ca2
    clientAuthType: VerifyClientCertIfGiven     # [8]
  sniStrict: true                               # [9]
  alpnProtocols:                                # [10]
    - foobar
Ref Attribute Purpose
[1] name Defines the name of the TLSOption resource. One can use default as name to redefine the default TLSOption.
[2] minVersion Defines the minimum TLS version that is acceptable.
[3] maxVersion Defines the maximum TLS version that is acceptable.
[4] cipherSuites list of supported cipher suites for TLS versions up to TLS 1.2.
[5] curvePreferences List of the elliptic curves references that will be used in an ECDHE handshake, in preference order.
[6] clientAuth determines the server's policy for TLS Client Authentication.
[7] clientAuth.secretNames list of names of the referenced Kubernetes Secrets (in TLSOption namespace). The secret must contain a certificate under either a tls.ca or a ca.crt key.
[8] clientAuth.clientAuthType defines the client authentication type to apply. The available values are: NoClientCert, RequestClientCert, VerifyClientCertIfGiven and RequireAndVerifyClientCert.
[9] sniStrict if true, Traefik won't allow connections from clients connections that do not specify a server_name extension.
[10] alpnProtocols List of supported application level protocols for the TLS handshake, in order of preference.

CA Secret

The CA secret must contain a base64 encoded certificate under either a tls.ca or a ca.crt key.

Declaring and referencing a TLSOption
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: mytlsoption
  namespace: default

spec:
  minVersion: VersionTLS12
  sniStrict: true
  cipherSuites:
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    - TLS_RSA_WITH_AES_256_GCM_SHA384
  clientAuth:
    secretNames:
      - secret-ca1
      - secret-ca2
    clientAuthType: VerifyClientCertIfGiven
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`) && PathPrefix(`/stripit`)
    kind: Rule
    services:
    - name: whoami
      port: 80
  tls:
    options: 
      name: mytlsoption
      namespace: default
apiVersion: v1
kind: Secret
metadata:
  name: secret-ca1
  namespace: default

data:
  # Must contain a certificate under either a `tls.ca` or a `ca.crt` key.
  tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=

---
apiVersion: v1
kind: Secret
metadata:
  name: secret-ca2
  namespace: default

data:
  # Must contain a certificate under either a `tls.ca` or a `ca.crt` key. 
  tls.ca: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=

References and namespaces

If the optional namespace attribute is not set, the configuration will be applied with the namespace of the IngressRoute.

Additionally, when the definition of the TLS option is from another provider, the cross-provider syntax (middlewarename@provider) should be used to refer to the TLS option. Specifying a namespace attribute in this case would not make any sense, and will be ignored.

Kind: TLSStore

TLSStore is the CRD implementation of a Traefik "TLS Store".

Register the TLSStore kind in the Kubernetes cluster before creating TLSStore objects.

Default TLS Store

Traefik currently only uses the TLS Store named "default". This default TLSStore should be in a namespace discoverable by Traefik. Since it is used by default on IngressRoute and IngressRouteTCP objects, there never is a need to actually reference it. This means that you cannot have two stores that are named default in different Kubernetes namespaces. As a consequence, with respect to TLS stores, the only change that makes sense (and only if needed) is to configure the default TLSStore.

TLSStore Attributes

apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default

spec:
  certificates:                            # [1]
    - secretName: foo                      
    - secretName: bar
  defaultCertificate:                      # [2]
    secretName: secret                     
Ref Attribute Purpose
[1] certificates List of Kubernetes Secrets, each of them holding a key/certificate pair to add to the store.
[2] defaultCertificate Name of a Kubernetes Secret that holds the default key/certificate pair for the store.
Declaring and referencing a TLSStore
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default

spec:
  defaultCertificate:
    secretName:  supersecret
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutebar

spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`example.com`) && PathPrefix(`/stripit`)
    kind: Rule
    services:
    - name: whoami
      port: 80
  tls: {}
apiVersion: v1
kind: Secret
metadata:
  name: supersecret

data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=

Kind: ServersTransport

ServersTransport is the CRD implementation of a ServersTransport.

Default serversTransport

If no serversTransport is specified, the default@internal will be used. The default@internal serversTransport is created from the static configuration.

ServersTransport Attributes

apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: mytransport
  namespace: default

spec:
  serverName: foobar               # [1]
  insecureSkipVerify: true         # [2]
  rootCAsSecrets:                  # [3]
    - foobar
    - foobar
  certificatesSecrets:             # [4]
    - foobar
    - foobar
  maxIdleConnsPerHost: 1           # [5]
  forwardingTimeouts:              # [6]
    dialTimeout: 42s               # [7]
    responseHeaderTimeout: 42s     # [8]
    idleConnTimeout: 42s           # [9]
  peerCertURI: foobar              # [10]
  disableHTTP2: true               # [11]
Ref Attribute Purpose
[1] serverName ServerName used to contact the server.
[2] insecureSkipVerify Controls whether the server's certificate chain and host name is verified.
[3] rootCAsSecrets Defines the set of root certificate authorities to use when verifying server certificates. The secret must contain a certificate under either a tls.ca or a ca.crt key.
[4] certificatesSecrets Certificates to present to the server for mTLS.
[5] maxIdleConnsPerHost Controls the maximum idle (keep-alive) connections to keep per-host. If zero, defaultMaxIdleConnsPerHost is used.
[6] forwardingTimeouts Timeouts for requests forwarded to the servers.
[7] dialTimeout The amount of time to wait until a connection to a server can be established. If zero, no timeout exists.
[8] responseHeaderTimeout The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists.
[9] idleConnTimeout The maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout exists.
[10] peerCertURI URI used to match against SAN URIs during the server's certificate verification.
[11] disableHTTP2 Disables HTTP/2 for connections with servers.

CA Secret

The CA secret must contain a base64 encoded certificate under either a tls.ca or a ca.crt key.

Declaring and referencing a ServersTransport
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: mytransport
  namespace: default

spec:
  serverName: example.org
  insecureSkipVerify: true
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: testroute
  namespace: default

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`)
    kind: Rule
    services:
    - name: whoami
      port: 80
      serversTransport: mytransport

ServersTransport reference

By default, the referenced ServersTransport CRD must be defined in the same Kubernetes service namespace.

To reference a ServersTransport CRD from another namespace, the value must be of form namespace-name@kubernetescrd, and the cross-namespace option must be enabled.

If the ServersTransport CRD is defined in another provider the cross-provider format name@provider should be used.

Further

Also see the full example with Let's Encrypt.


Using Traefik for Business Applications?

If you are using Traefik for commercial applications, consider the Enterprise Edition. You can use it as your:

Traefik Enterprise enables centralized access management, distributed Let's Encrypt, and other advanced capabilities. Learn more in this 15-minute technical walkthrough.