Define TLS options on the Router configuration for Kubernetes

Co-authored-by: juliens <julien@containo.us>

Author: 2 people

docs/content/middlewares/overview.md

@@ -71,6 +71,38 @@ labels:
   - "traefik.http.middlewares.foo-add-prefix.addprefix.prefix=/foo"
 ```
 
+```toml tab="File"
+[tlsOptions]
+    [tlsOptions.default]
+        minVersion = "VersionTLS12"
+```
+
+```yaml tab="Kubernetes"
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsoptions.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSOption
+    plural: tlsoptions
+    singular: tlsoption
+  scope: Namespaced
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: mytlsoption
+  namespace: default
+
+spec:
+  minversion: VersionTLS12
+```
+
 ```toml tab="File"
 # As Toml Configuration File
 [providers]

docs/content/providers/crd_tls_option.yml

@@ -0,0 +1,13 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsoptions.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSOption
+    plural: tlsoptions
+    singular: tlsoption
+  scope: Namespaced

docs/content/providers/kubernetes-crd.md

@@ -230,6 +230,51 @@ spec:
 
 More information about available middlewares in the dedicated [middlewares section](../middlewares/overview.md).
 
+### Traefik TLS Option Definition
+
+Additionally, to allow for the use of tls options in an IngressRoute, we defined the CRD below for the TLSOption kind.
+More information about TLS Options is available in the dedicated [TLS Configuration Options](../../https/tls/#tls-options).
+
+```yaml
+--8<-- "content/providers/crd_tls_option.yml"
+```
+
+Once the TLSOption kind has been registered with the Kubernetes cluster or defined in the File Provider, it can then be used in IngressRoute definitions, such as:
+
+```yaml
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: mytlsoption
+  namespace: default
+
+spec:
+  minversion: VersionTLS12
+
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ingressroutebar
+
+spec:
+  entryPoints:
+    - web
+  routes:
+  - match: Host(`bar.com`) && PathPrefix(`/stripit`)
+    kind: Rule
+    services:
+    - name: whoami
+      port: 80
+  tls:
+    options: 
+      name: mytlsoption
+      namespace: default
+```
+
+!!! note "TLS Option reference and namespace"
+    If the optional `namespace` attribute is not set, the configuration will be applied with the namespace of the IngressRoute.
+
 ### TLS
 
 To allow for TLS, we made use of the `Secret` kind, as it was already defined, and it can be directly used in an `IngressRoute`:

docs/content/reference/dynamic-configuration/kubernetes-crd.yml

@@ -26,6 +26,21 @@ spec:
     singular: middleware
   scope: Namespaced
 
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsoptions.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSOption
+    plural: tlsoptions
+    singular: tlsoption
+  scope: Namespaced
+
 ---
 apiVersion: apiextensions.k8s.io/v1beta1
 kind: CustomResourceDefinition
@@ -85,6 +100,9 @@ spec:
   # use an empty tls object for TLS with Let's Encrypt
   tls:
     secretName: supersecret
+    options:
+      name: myTLSOption
+      namespace: default
 
 ---
 apiVersion: traefik.containo.us/v1alpha1
@@ -104,3 +122,6 @@ spec:
   tls:
     secretName: foosecret
     passthrough: false
+    options:
+      name: myTLSOption
+      namespace: default

integration/fixtures/https/https_tls_options.toml

@@ -44,7 +44,6 @@ level = "DEBUG"
       [[http.services.service2.LoadBalancer.Servers]]
         URL = "http://127.0.0.1:9020"
 
-
 [[tls]]
   [tls.certificate]
      certFile = "fixtures/https/snitest.com.cert"

integration/fixtures/k8s/01-crd.yml

@@ -41,3 +41,18 @@ spec:
     plural: ingressroutetcps
     singular: ingressroutetcp
   scope: Namespaced
+
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: tlsoptions.traefik.containo.us
+
+spec:
+  group: traefik.containo.us
+  version: v1alpha1
+  names:
+    kind: TLSOption
+    plural: tlsoptions
+    singular: tlsoption
+  scope: Namespaced

integration/fixtures/k8s/03-ingressroute.yml

@@ -15,3 +15,7 @@ spec:
     services:
     - name: whoami
       port: 80
+
+  tls:
+    options:
+      name: mytlsoption

integration/fixtures/k8s/03-tlsoption.yml

@@ -0,0 +1,12 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+  name: mytlsoption
+  namespace: default
+
+spec:
+  minversion: VersionTLS12
+  snistrict: true
+  ciphersuites:
+    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+    - TLS_RSA_WITH_AES_256_GCM_SHA384

integration/fixtures/k8s/05-ingressroutetcp.yml

@@ -12,3 +12,6 @@ spec:
     services:
     - name: whoamitcp
       port: 8080
+  tls:
+    options:
+      name: mytlsoption

integration/https_test.go

@@ -191,7 +191,7 @@ func (s *HTTPSSuite) TestWithTLSOptions(c *check.C) {
 	c.Assert(err.Error(), checker.Contains, "protocol version not supported")
 
 	//	with unknown tls option
-	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("unknown TLS options: unknown"))
+	err = try.GetRequest("http://127.0.0.1:8080/api/rawdata", 1*time.Second, try.BodyContains("unknown TLS options: unknown@file"))
 	c.Assert(err, checker.IsNil)
 }