• Migration Guide: From v1 to v2
    • Frontends and Backends Are Dead… … Long Live Routers, Middlewares, and Services
      • v1
      • v2
    • TLS configuration is now dynamic, per router.
      • v1
      • v2
    • HTTP -> HTTPS Redirection
    • ACME (let's encrypt)
    • Traefik Logs
    • Tracing
    • Metrics
    • No more root level key/values
    • Providers

    Migration Guide: From v1 to v2

    How to Migrate from Traefik v1 to Traefik v2.

    The version 2 of Traefik introduces a number of breaking changes,which require one to update their configuration when they migrate from v1 to v2.The goal of this page is to recapitulate all of these changes, and in particular to give examples,feature by feature, of how the configuration looked like in v1, and how it now looks like in v2.

    Migration Helper

    We created a tool to help during the migration: traefik-migration-tool

    This tool allows to:

    • convert Ingress to Traefik IngressRoute resources.
    • convert acme.json file from v1 to v2 format.

    Frontends and Backends Are Dead… … Long Live Routers, Middlewares, and Services

    During the transition from v1 to v2, a number of internal pieces and components of Traefik were rewritten and reorganized.As such, the combination of core notions such as frontends and backends has been replaced with the combination of routers, services, and middlewares.

    Typically, a router replaces a frontend, and a service assumes the role of a backend, with each router referring to a service.However, even though a backend was in charge of applying any desired modification on the fly to the incoming request,the router defers that responsibility to another component.Instead, a dedicated middleware is now defined for each kind of such modification.Then any router can refer to an instance of the wanted middleware.

    One frontend with basic auth and one backend, become one router, one service, and one basic auth middleware.

    v1

    1. labels:
    2. - "traefik.frontend.rule=Host:test.localhost;PathPrefix:/test"
    3. - "traefik.frontend.auth.basic.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
    1. apiVersion: extensions/v1beta1
    2. kind: Ingress
    3. metadata:
    4. name: traefik
    5. namespace: kube-system
    6. annotations:
    7. kubernetes.io/ingress.class: traefik
    8. traefik.ingress.kubernetes.io/rule-type: PathPrefix
    9. spec:
    10. rules:
    11. - host: test.locahost
    12. http:
    13. paths:
    14. - path: /test
    15. backend:
    16. serviceName: server0
    17. servicePort: 80
    18. - path: /test
    19. backend:
    20. serviceName: server1
    21. servicePort: 80
    1. [frontends]
    2. [frontends.frontend1]
    3. entryPoints = ["http"]
    4. backend = "backend1"
    5. [frontends.frontend1.routes]
    6. [frontends.frontend1.routes.route0]
    7. rule = "Host:test.localhost"
    8. [frontends.frontend1.routes.route0]
    9. rule = "PathPrefix:/test"
    10. [frontends.frontend1.auth]
    11. [frontends.frontend1.auth.basic]
    12. users = [
    13. "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
    14. "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
    15. ]
    16. [backends]
    17. [backends.backend1]
    18. [backends.backend1.servers.server0]
    19. url = "http://10.10.10.1:80"
    20. [backends.backend1.servers.server1]
    21. url = "http://10.10.10.2:80"
    22. [backends.backend1.loadBalancer]
    23. method = "wrr"

    v2

    1. labels:
    2. - "traefik.http.routers.router0.rule=Host(`bar.com`) && PathPrefix(`/test`)"
    3. - "traefik.http.routers.router0.middlewares=auth"
    4. - "traefik.http.middlewares.auth.basicauth.users=test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/,test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"
    1. # The definitions below require the definitions for the Middleware and IngressRoute kinds.
    2. # https://docs.traefik.io/v2.0/providers/kubernetes-crd/#traefik-ingressroute-definition
    3. apiVersion: traefik.containo.us/v1alpha1
    4. kind: Middleware
    5. metadata:
    6. name: basicauth
    7. namespace: foo
    8. spec:
    9. basicAuth:
    10. users:
    11. - test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/
    12. - test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0
    13. ---
    14. apiVersion: traefik.containo.us/v1alpha1
    15. kind: IngressRoute
    16. metadata:
    17. name: ingressroutebar
    18. spec:
    19. entryPoints:
    20. - http
    21. routes:
    22. - match: Host(`test.localhost`) && PathPrefix(`/test`)
    23. kind: Rule
    24. services:
    25. - name: server0
    26. port: 80
    27. - name: server1
    28. port: 80
    29. middlewares:
    30. - name: basicauth
    31. namespace: foo
    1. [http.routers]
    2. [http.routers.router0]
    3. rule = "Host(`test.localhost`) && PathPrefix(`/test`)"
    4. middlewares = ["auth"]
    5. service = "my-service"
    6. [http.services]
    7. [[http.services.my-service.loadBalancer.servers]]
    8. url = "http://10.10.10.1:80"
    9. [[http.services.my-service.loadBalancer.servers]]
    10. url = "http://10.10.10.2:80"
    11. [http.middlewares]
    12. [http.middlewares.auth.basicAuth]
    13. users = [
    14. "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
    15. "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0",
    16. ]
    1. http:
    2. routers:
    3. router0:
    4. rule: "Host(`test.localhost`) && PathPrefix(`/test`)"
    5. service: my-service
    6. middlewares:
    7. - auth
    8. services:
    9. my-service:
    10. loadBalancer:
    11. servers:
    12. - url: http://10.10.10.1:80
    13. - url: http://10.10.10.2:80
    14. middlewares:
    15. auth:
    16. basicAuth:
    17. users:
    18. - "test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/"
    19. - "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"

    TLS configuration is now dynamic, per router.

    TLS parameters used to be specified in the static configuration, as an entryPoint field.With Traefik v2, a new dynamic TLS section at the root contains all the desired TLS configurations.Then, a router's TLS field can refer to one of the TLS configurations defined at the root, hence defining the TLS configuration for that router.

    TLS on web-secure entryPoint becomes TLS option on Router-1

    v1

    1. # static configuration
    2. [entryPoints]
    3. [entryPoints.web-secure]
    4. address = ":443"
    5. [entryPoints.web-secure.tls]
    6. minVersion = "VersionTLS12"
    7. cipherSuites = [
    8. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    9. "TLS_RSA_WITH_AES_256_GCM_SHA384"
    10. ]
    11. [[entryPoints.web-secure.tls.certificates]]
    12. certFile = "path/to/my.cert"
    13. keyFile = "path/to/my.key"
    1. --entryPoints='Name:web-secure Address::443 TLS:path/to/my.cert,path/to/my.key TLS.MinVersion:VersionTLS12 TLS.CipherSuites:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA384'

    v2

    1. # dynamic configuration
    2. [http.routers]
    3. [http.routers.Router-1]
    4. rule = "Host(`bar.com`)"
    5. service = "service-id"
    6. # will terminate the TLS request
    7. [http.routers.Router-1.tls]
    8. options = "myTLSOptions"
    9. [[tls.certificates]]
    10. certFile = "/path/to/domain.cert"
    11. keyFile = "/path/to/domain.key"
    12. [tls.options]
    13. [tls.options.default]
    14. minVersion = "VersionTLS12"
    15. [tls.options.myTLSOptions]
    16. minVersion = "VersionTLS13"
    17. cipherSuites = [
    18. "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    19. "TLS_RSA_WITH_AES_256_GCM_SHA384"
    20. ]
    1. http:
    2. routers:
    3. Router-1:
    4. rule: "Host(`bar.com`)"
    5. service: service-id
    6. # will terminate the TLS request
    7. tls:
    8. options: myTLSOptions
    9. tls:
    10. certificates:
    11. - certFile: /path/to/domain.cert
    12. keyFile: /path/to/domain.key
    13. options:
    14. myTLSOptions:
    15. minVersion: VersionTLS13
    16. cipherSuites:
    17. - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    18. - TLS_RSA_WITH_AES_256_GCM_SHA384
    1. # The definitions below require the definitions for the TLSOption and IngressRoute kinds.
    2. # https://docs.traefik.io/v2.0/providers/kubernetes-crd/#traefik-ingressroute-definition
    3. apiVersion: traefik.containo.us/v1alpha1
    4. kind: TLSOption
    5. metadata:
    6. name: mytlsoption
    7. namespace: default
    8. spec:
    9. minVersion: VersionTLS13
    10. cipherSuites:
    11. - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    12. - TLS_RSA_WITH_AES_256_GCM_SHA384
    13. ---
    14. apiVersion: traefik.containo.us/v1alpha1
    15. kind: IngressRoute
    16. metadata:
    17. name: ingressroutebar
    18. spec:
    19. entryPoints:
    20. - web
    21. routes:
    22. - match: Host(`bar.com`)
    23. kind: Rule
    24. services:
    25. - name: whoami
    26. port: 80
    27. tls:
    28. options:
    29. name: mytlsoption
    30. namespace: default
    1. labels:
    2. # myTLSOptions must be defined by another provider, in this instance in the File Provider.
    3. # see the cross provider section
    4. - "[email protected]"

    HTTP -> HTTPS Redirection

    1. TODO

    ACME (let's encrypt)

    1. TODO

    Traefik Logs

    1. TODO

    Tracing

    1. TODO

    Metrics

    1. TODO

    No more root level key/values

    1. TODO

    Providers

    Supported providers, for now:

    • Azure Service Fabric
    • BoltDB
    • Consul
    • Consul Catalog
    • Docker
    • DynamoDB
    • ECS
    • Etcd
    • Eureka
    • File
    • Kubernetes Ingress (without annotations)
    • Kubernetes IngressRoute
    • Marathon
    • Mesos
    • Rest
    • Zookeeper