Skip to content
GitHub

IngressRouteTCP

IngressRouteTCP is the CRD implementation of a Traefik TCP router.

Before creating IngressRouteTCP objects, you need to apply the Traefik Kubernetes CRDs to your Kubernetes cluster.

This registers the IngressRouteTCP kind and other Traefik-specific resources.

General

If both HTTP routers and TCP routers are connected to the same EntryPoint, the TCP routers will apply before the HTTP routers. If no matching route is found for the TCP routers, then the HTTP routers will take over.

Configuration Example

You can declare an IngressRouteTCP as detailed below:

apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ingressroutetcpfoo
  namespace: apps

spec:
  entryPoints:
    - footcp
  routes:
  - match: HostSNI(`*`)
    priority: 10
    middlewares:
    - name: middleware1
      namespace: default
    services:
    - name: foo
      port: 8080
      weight: 10
      serversTransport: transport
      nativeLB: true
      nodePortLB: true
      tls: false

  tls:
    secretName: supersecret
    options:
      name: opt
      namespace: default
    certResolver: foo
    domains:
    - main: example.net
      sans:                       
      - a.example.net
      - b.example.net
    passthrough: false

Configuration Options

<<<<<<< HEAD | Field | Description | Default | Required | |-----------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|----------| | entryPoints | List of entrypoints names. | | No | | routes | List of routes. | | Yes | | routes[n].match | Defines the rule of the underlying router. | | Yes | | routes[n].priority | Defines the priority to disambiguate rules of the same length, for route matching. | | No | | routes[n].middlewares[n].name | Defines the MiddlewareTCP name. | | Yes | | routes[n].middlewares[n].namespace | Defines the MiddlewareTCP namespace. | "" | No | | routes[n].services | List of Kubernetes service definitions. | | No | | routes[n].services[n].name | Defines the name of a Kubernetes service. | | Yes | | routes[n].services[n].port | Defines the port of a Kubernetes service. This can be a reference to a named port. | | Yes | | routes[n].services[n].weight | Defines the weight to apply to the server load balancing. | 1 | No | | routes[n].services[n].serversTransport | Defines the ServersTransportTCP.
The ServersTransport namespace is assumed to be the Kubernetes service namespace. | | No | | routes[n].services[n].nativeLB | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. See here for more information. | false | No | | routes[n].services[n].nodePortLB | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. | false | No | | tls | Defines TLS certificate configuration. | | No | | tls.secretName | Defines the secret name used to store the certificate (in the IngressRoute namespace). | "" | No | | tls.options | Defines the reference to a TLSOption. | "" | No | | tls.options.name | Defines the TLSOption name. | "" | No | | tls.options.namespace | Defines the TLSOption namespace. | "" | No | | tls.certResolver | Defines the reference to a CertResolver. | "" | No | | tls.domains | List of domains. | "" | No | | tls.domains[n].main | Defines the main domain name. | "" | No | | tls.domains[n].sans | List of SANs (alternative domains). | "" | No | | tls.passthrough | If true, delegates the TLS termination to the backend. | false | No | ======= | Field | Description | Default | Required | |-------------------------------------|-----------------------------|-------------------------------------------|-----------------------| | entryPoints | List of entrypoints names. | | No | | routes | List of routes. | | Yes | | routes[n].match | Defines the rule of the underlying router. | | Yes | | routes[n].priority | Defines the priority to disambiguate rules of the same length, for route matching. | | No | | routes[n].middlewares[n].name | Defines the MiddlewareTCP name. | | Yes | | routes[n].middlewares[n].namespace | Defines the MiddlewareTCP namespace. | ""| No| | routes[n].services | List of Kubernetes service definitions. | | No | | routes[n].services[n].name | Defines the name of a Kubernetes service. | | Yes | | routes[n].services[n].port | Defines the port of a Kubernetes service. This can be a reference to a named port.| | Yes | | routes[n].services[n].weight | Defines the weight to apply to the server load balancing. | 1 | No | | routes[n].services[n].proxyProtocol | Defines the PROXY protocol configuration. | | No | | routes[n].services[n].proxyProtocol.version | Defines the PROXY protocol version. | | No | | routes[n].services[n].serversTransport | Defines the ServersTransportTCP.
The ServersTransport namespace is assumed to be the Kubernetes service namespace. | | No | | routes[n].services[n].nativeLB | Controls, when creating the load-balancer, whether the LB's children are directly the pods IPs or if the only child is the Kubernetes Service clusterIP. See here for more information. | false | No | | routes[n].services[n].nodePortLB | Controls, when creating the load-balancer, whether the LB's children are directly the nodes internal IPs using the nodePort when the service type is NodePort. It allows services to be reachable when Traefik runs externally from the Kubernetes cluster but within the same network of the nodes. | false | No | | tls | Defines TLS certificate configuration. | | No | | tls.secretName | Defines the secret name used to store the certificate (in the IngressRoute namespace). | "" | No | | tls.options | Defines the reference to a TLSOption. | "" | No | | tls.options.name | Defines the TLSOption name. | "" | No | | tls.options.namespace | Defines the TLSOption namespace. | "" | No | | tls.certResolver | Defines the reference to a CertResolver. | "" | No | | tls.domains | List of domains. | "" | No | | tls.domains[n].main | Defines the main domain name. | "" | No | | tls.domains[n].sans | List of SANs (alternative domains). | "" | No | | tls.passthrough | If true, delegates the TLS termination to the backend. | false | No |

9c932124f (Add anchors in reference tables)

ExternalName Service

Traefik connect to a backend with a domain and a port. However, Kubernetes ExternalName Service can be defined without any port. Accordingly, Traefik supports defining a port in two ways:

  • only on IngressRouteTCP service
  • on both sides, you'll be warned if the ports don't match, and the IngressRouteTCP service port is used

Thus, in case of two sides port definition, Traefik expects a match between ports.

apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test.route
  namespace: apps

spec:
  entryPoints:
    - foo
  routes:
  - match: Host(`example.net`)
    kind: Rule
    services:
    - name: external-svc
      port: 80
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: apps

spec:
  externalName: external.domain
  type: ExternalName
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test.route
  namespace: apps

spec:
  entryPoints:
    - foo
  routes:
  - match: Host(`example.net`)
    kind: Rule
    services:
    - name: external-svc
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: apps

spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test.route
  namespace: apps

spec:
  entryPoints:
    - foo
  routes:
  - match: Host(`example.net`)
    kind: Rule
    services:
    - name: external-svc
      port: 80
apiVersion: v1
kind: Service
metadata:
  name: external-svc
  namespace: apps

spec:
  externalName: external.domain
  type: ExternalName
  ports:
    - port: 80

NativeLB

To avoid creating the server load-balancer with the pods IPs and use Kubernetes Service clusterIP directly, one should set the NativeLB option to true. By default, NativeLB is false.

apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test.route
  namespace: default
spec:
  entryPoints:
    - foo
  routes:
  - match: HostSNI(`*`)
    services:
    - name: svc
      port: 80
      # Here, nativeLB instructs to build the servers load balancer with the Kubernetes Service clusterIP only.
      nativeLB: true
apiVersion: v1
kind: Service
metadata:
  name: svc
  namespace: default
spec:
  type: ClusterIP
  ...