"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "docs/content/routing/providers/kubernetes-ingress.md" between
traefik-v2.3.2.src.tar.gz and traefik-v2.3.3.src.tar.gz

About: Traefik is a cloud native edge router, a reverse proxy and load balancer for HTTP and TCP-based applications.

kubernetes-ingress.md  (traefik-v2.3.2.src):kubernetes-ingress.md  (traefik-v2.3.3.src)
skipping to change at line 117 skipping to change at line 117
template: template:
metadata: metadata:
labels: labels:
app: traefik app: traefik
spec: spec:
serviceAccountName: traefik-ingress-controller serviceAccountName: traefik-ingress-controller
containers: containers:
- name: traefik - name: traefik
image: traefik:v2.3 image: traefik:v2.3
args: args:
- --log.level=DEBUG
- --api
- --api.insecure
- --entrypoints.web.address=:80 - --entrypoints.web.address=:80
- --providers.kubernetesingress - --providers.kubernetesingress
ports: ports:
- name: web - name: web
containerPort: 80 containerPort: 80
- name: admin
containerPort: 8080
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: traefik name: traefik
spec: spec:
type: LoadBalancer type: LoadBalancer
selector: selector:
app: traefik app: traefik
ports: ports:
- protocol: TCP - protocol: TCP
port: 80 port: 80
name: web name: web
targetPort: 80 targetPort: 80
- protocol: TCP
port: 8080
name: admin
targetPort: 8080
``` ```
```yaml tab="Whoami" ```yaml tab="Whoami"
kind: Deployment kind: Deployment
apiVersion: apps/v1 apiVersion: apps/v1
metadata: metadata:
name: whoami name: whoami
labels: labels:
app: traefiklabs app: traefiklabs
name: whoami name: whoami
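Review bot: In the Traefik container `args` and the Service `ports` list, a reader who still wants the dashboard is left without guidance, and the setup on the old side (`--api.insecure` together with the `admin` port 8080 on a `type: LoadBalancer` Service) publishes the API without authentication to anything that can reach the load balancer. Dropping the three args and both `admin` port entries together is consistent, since keeping only one half would leave a dangling port. Suggest a sentence near this example pointing to a secured dashboard setup, so that nobody restores those lines from an older copy of the manifest.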
skipping to change at line 343 skipping to change at line 334
- `Prefix`: This path type forces the rule matcher to `PathPrefix` - `Prefix`: This path type forces the rule matcher to `PathPrefix`
Please see [this documentation](https://kubernetes.io/docs/concepts/services-net working/ingress/#path-types) for more information. Please see [this documentation](https://kubernetes.io/docs/concepts/services-net working/ingress/#path-types) for more information.
!!! warning "Multiple Matches" !!! warning "Multiple Matches"
In the case of multiple matches, Traefik will not ensure the priority of a P ath matcher over a PathPrefix matcher, In the case of multiple matches, Traefik will not ensure the priority of a P ath matcher over a PathPrefix matcher,
as stated in [this documentation](https://kubernetes.io/docs/concepts/servic es-networking/ingress/#multiple-matches). as stated in [this documentation](https://kubernetes.io/docs/concepts/servic es-networking/ingress/#multiple-matches).
## TLS ## TLS
### Communication Between Traefik and Pods ### Enabling TLS via HTTP Options on Entrypoint
Traefik automatically requests endpoint information based on the service provide TLS can be enabled through the [HTTP options](../entrypoints.md#tls) of an Entry
d in the ingress spec. point:
Although Traefik will connect directly to the endpoints (pods),
it still checks the service port to see if TLS communication is required.
There are 3 ways to configure Traefik to use https to communicate with pods: ```bash tab="CLI"
# Static configuration
--entrypoints.websecure.address=:443
--entrypoints.websecure.http.tls
```
```toml tab="File (TOML)"
# Static configuration
[entryPoints.websecure]
address = ":443"
[entryPoints.websecure.http.tls]
```
```yaml tab="File (YAML)"
# Static configuration
entryPoints:
websecure:
address: ':443'
http:
tls: {}
```
1. If the service port defined in the ingress spec is `443` (note that you can s This way, any Ingress attached to this Entrypoint will have TLS termination by d
till use `targetPort` to use a different port on your pod). efault.
1. If the service port defined in the ingress spec has a name that starts with h
ttps (such as `https-api`, `https-web` or just `https`).
1. If the ingress spec includes the annotation `traefik.ingress.kubernetes.io/se
rvice.serversscheme: https`.
If either of those configuration options exist, then the backend communication p ??? example "Configuring Kubernetes Ingress Controller with TLS on Entrypoint"
rotocol is assumed to be TLS,
and will connect via TLS automatically.
!!! info ```yaml tab="RBAC"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- update
Please note that by enabling TLS communication between traefik and your pods ---
, kind: ClusterRoleBinding
you will have to have trusted certificates that have the proper trust chain apiVersion: rbac.authorization.k8s.io/v1beta1
and IP subject name. metadata:
If this is not an option, you may need to skip TLS certificate verification. name: traefik-ingress-controller
See the [insecureSkipVerify](../../routing/overview.md#insecureskipverify) s roleRef:
etting for more details. apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: default
```
```yaml tab="Ingress"
kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
name: myingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
rules:
- host: example.com
http:
paths:
- path: /bar
backend:
serviceName: whoami
servicePort: 80
- path: /foo
backend:
serviceName: whoami
servicePort: 80
```
```yaml tab="Traefik"
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: traefik
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-ingress-controller
containers:
- name: traefik
image: traefik:v2.3
args:
- --entrypoints.websecure.address=:443
- --entrypoints.websecure.http.tls
- --providers.kubernetesingress
ports:
- name: websecure
containerPort: 443
---
apiVersion: v1
kind: Service
metadata:
name: traefik
spec:
type: LoadBalancer
selector:
app: traefik
ports:
- protocol: TCP
port: 443
name: websecure
targetPort: 443
```
```yaml tab="Whoami"
kind: Deployment
apiVersion: apps/v1
metadata:
name: whoami
labels:
app: traefiklabs
name: whoami
spec:
replicas: 2
selector:
matchLabels:
app: traefiklabs
task: whoami
template:
metadata:
labels:
app: traefiklabs
task: whoami
spec:
containers:
- name: whoami
image: traefik/whoami
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: whoami
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: whoami
```
### Enabling TLS via Annotations
To enable TLS on the underlying router created from an Ingress, one should confi
gure it through annotations:
```yaml
traefik.ingress.kubernetes.io/router.tls: "true"
```
For more options, please refer to the available [annotations](#on-ingress).
??? example "Configuring Kubernetes Ingress Controller with TLS"
```yaml tab="RBAC"
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
rules:
- apiGroups:
- ""
resources:
- services
- endpoints
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- extensions
resources:
- ingresses/status
verbs:
- update
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
name: traefik-ingress-controller
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
name: traefik-ingress-controller
namespace: default
```
```yaml tab="Ingress"
kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
name: myingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: true
spec:
rules:
- host: example.com
http:
paths:
- path: /bar
backend:
serviceName: whoami
servicePort: 80
- path: /foo
backend:
serviceName: whoami
servicePort: 80
```
```yaml tab="Traefik"
apiVersion: v1
kind: ServiceAccount
metadata:
name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: traefik
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-ingress-controller
containers:
- name: traefik
image: traefik:v2.3
args:
- --entrypoints.websecure.address=:443
- --providers.kubernetesingress
ports:
- name: websecure
containerPort: 443
---
apiVersion: v1
kind: Service
metadata:
name: traefik
spec:
type: LoadBalancer
selector:
app: traefik
ports:
- protocol: TCP
port: 443
name: websecure
targetPort: 443
```
```yaml tab="Whoami"
kind: Deployment
apiVersion: apps/v1
metadata:
name: whoami
labels:
app: traefiklabs
name: whoami
spec:
replicas: 2
selector:
matchLabels:
app: traefiklabs
task: whoami
template:
metadata:
labels:
app: traefiklabs
task: whoami
spec:
containers:
- name: whoami
image: traefik/whoami
ports:
- containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
name: whoami
spec:
ports:
- name: http
port: 80
selector:
app: traefiklabs
task: whoami
```
### Certificates Management ### Certificates Management
??? example "Using a secret" ??? example "Using a secret"
```yaml tab="Ingress" ```yaml tab="Ingress"
kind: Ingress kind: Ingress
apiVersion: networking.k8s.io/v1beta1 apiVersion: networking.k8s.io/v1beta1
metadata: metadata:
name: foo name: foo
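Review bot: In the Ingress tab of the "Configuring Kubernetes Ingress Controller with TLS" example, `traefik.ingress.kubernetes.io/router.tls: true` is unquoted, so YAML reads it as a boolean and the manifest is rejected, because annotation values must be strings; the standalone snippet a few lines earlier correctly uses `"true"`. Quote the value in the example as well. Separately, both RBAC tabs grant `get`, `list` and `watch` on `secrets` through a ClusterRole, which is read access to every Secret in the cluster; a sentence saying so would let readers decide whether to scope it down.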
skipping to change at line 385 skipping to change at line 729
spec: spec:
rules: rules:
- host: example.net - host: example.net
http: http:
paths: paths:
- path: /bar - path: /bar
backend: backend:
serviceName: service1 serviceName: service1
servicePort: 80 servicePort: 80
# Only selects which certificate(s) should be loaded from the secret, in o
rder to terminate TLS.
# Doesn't enable TLS for that ingress (hence for the underlying router).
# Please see the TLS annotations on ingress made for that purpose.
tls: tls:
- secretName: supersecret - secretName: supersecret
``` ```
```yaml tab="Secret" ```yaml tab="Secret"
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: supersecret name: supersecret
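Review bot: The new comment above `tls:` sends the reader to "the TLS annotations on ingress made for that purpose" without naming one, and it leaves out the entrypoint option that the same release documents. Suggest naming `traefik.ingress.kubernetes.io/router.tls: "true"` and `--entrypoints.websecure.http.tls` in the comment, because a reader who only adds `secretName: supersecret` ends up with a router that has no TLS and may not notice that traffic is served in clear.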
skipping to change at line 408 skipping to change at line 754
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZL S0tLS0= tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZL S0tLS0=
``` ```
TLS certificates can be managed in Secrets objects. TLS certificates can be managed in Secrets objects.
!!! info !!! info
Only TLS certificates provided by users can be stored in Kubernetes Secrets. Only TLS certificates provided by users can be stored in Kubernetes Secrets.
[Let's Encrypt](../../https/acme.md) certificates cannot be managed in Kuber netes Secrets yet. [Let's Encrypt](../../https/acme.md) certificates cannot be managed in Kuber netes Secrets yet.
### Communication Between Traefik and Pods
Traefik automatically requests endpoint information based on the service provide
d in the ingress spec.
Although Traefik will connect directly to the endpoints (pods),
it still checks the service port to see if TLS communication is required.
There are 3 ways to configure Traefik to use https to communicate with pods:
1. If the service port defined in the ingress spec is `443` (note that you can s
till use `targetPort` to use a different port on your pod).
1. If the service port defined in the ingress spec has a name that starts with h
ttps (such as `https-api`, `https-web` or just `https`).
1. If the ingress spec includes the annotation `traefik.ingress.kubernetes.io/se
rvice.serversscheme: https`.
If either of those configuration options exist, then the backend communication p
rotocol is assumed to be TLS,
and will connect via TLS automatically.
!!! info
Please note that by enabling TLS communication between traefik and your pods
,
you will have to have trusted certificates that have the proper trust chain
and IP subject name.
If this is not an option, you may need to skip TLS certificate verification.
See the [insecureSkipVerify](../../routing/overview.md#insecureskipverify) s
etting for more details.
## Global Default Backend Ingresses ## Global Default Backend Ingresses
Ingresses can be created that look like the following: Ingresses can be created that look like the following:
```yaml ```yaml
apiVersion: networking.k8s.io/v1beta1 apiVersion: networking.k8s.io/v1beta1
kind: Ingress kind: Ingress
metadata: metadata:
name: cheese name: cheese
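Review bot: In the relocated "Communication Between Traefik and Pods" text, the `!!! info` box offers skipping certificate verification as the fallback without saying what that gives up: the connection to the pod is still encrypted, but the pod is no longer authenticated. Since the text also says Traefik connects directly to the endpoints, which is why an IP subject name is required, suggest stating that trade-off in the box and recommending certificates with IP subject names as the preferred route. While the block is being moved, "If either of those configuration options exist" follows a list of three; "If any of those configuration options exists" reads correctly.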
 End of changes. 12 change blocks. 
33 lines changed or deleted 405 lines changed or added
