Static Configuration in Traefik Enterprise
Traefik Enterprise uses the same static configuration system as Traefik Proxy, with a few additions. Unlike Traefik Proxy, however, Traefik Enterprise does not require a restart to update the configuration.
To get an overview of the static configuration capabilities, please refer to the static configuration reference.
Applying a Static Configuration
Static Configuration can be applied to a cluster using the apply command in teectl:
teectl apply --file=config.toml
The apply command supports both TOML and YAML static configuration formats.
More information about the apply command can be found in the teectl reference.
Getting the Cluster Static Configuration
It is possible to get the currently applied cluster static configuration using teectl:
teectl get static-config
The format of the output can be customized with the --format option.
More information about the get static-config command can be found in the teectl reference.
Configuring Authentication Sources
Static Configuration can include Authentication Sources which are required for middleware such as the LDAP authentication to work. An example configuration of an LDAP authentication source can be seen below:
YAML:
#...
authSources:
  ldapSource:
    ldap:
      url: ldap://ldap.test.svc.cluster.local:389
TOML:
#...
[authSources]
  [authSources.ldapSource]
    [authSources.ldapSource.ldap]
      url = "ldap://ldap.test.svc.cluster.local:389"
For more information on configuring the LDAP authentication sources, please refer to the LDAP documentation.
Sensitive Values from Kubernetes Secrets
When configuring authentication sources, it is possible to reference Kubernetes Secrets to provide the values of sensitive options. The reference to a Kubernetes Secret takes the form of a URN:
urn:k8s:secret:[namespace]:[name]:[valueKey]
YAML:
#...
authSources:
  jwtSource:
    jwt:
      signingSecret: urn:k8s:secret:traefikee:jwt-secret:secretValue
TOML:
#...
[authSources]
  [authSources.jwtSource]
    [authSources.jwtSource.jwt]
      signingSecret = "urn:k8s:secret:traefikee:jwt-secret:secretValue"
Kubernetes Secret:
---
apiVersion: v1
kind: Secret
metadata:
  name: jwt-secret
  namespace: traefikee
data:
  # base64 of "super-secret"
  secretValue: c3VwZXItc2VjcmV0
List of eligible sensitive options
- LDAP:
  - BindPassword
- JWT:
  - SigningSecret
- OAuthClientCredential:
  - ClientID
  - ClientSecret
- OAuthIntrospection:
  - AuthorizationHeader
  - CustomHeaders
- OIDC:
  - ClientID
  - ClientSecret
- HMAC:
  - Inline
Restrictions
This feature only works when the Traefikee Controllers are running within a Kubernetes cluster. Nevertheless, this feature can be used without requiring any Kubernetes provider to be enabled.
The Kubernetes secrets can only be loaded within the Traefikee deployment namespace.
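The following check is an added example, not part of the Traefik Enterprise documentation or tooling: it walks an already-parsed static configuration and reports every eligible sensitive option that is set inline, carries a malformed URN, or points at a Secret outside the deployment namespace. The function names, the sample values, and the assumption that configuration keys match the listed option names case-insensitively are all hypothetical.

```python
import re

# Eligible sensitive options from this page (assumed to match config keys case-insensitively).
ELIGIBLE = {
    "ldap": {"bindpassword"}, "jwt": {"signingsecret"}, "hmac": {"inline"},
    "oauthclientcredential": {"clientid", "clientsecret"},
    "oauthintrospection": {"authorizationheader", "customheaders"},
    "oidc": {"clientid", "clientsecret"},
}
URN_RE = re.compile(r"^urn:k8s:secret:([^:\s]+):([^:\s]+):([^:\s]+)$")

def _leaves(value, path):
    """Yield (path, scalar) pairs, walking maps such as CustomHeaders."""
    if isinstance(value, dict):
        for key, item in value.items():
            yield from _leaves(item, f"{path}.{key}")
    else:
        yield path, str(value)

def audit_auth_sources(config, deploy_namespace):
    """Return (path, problem) for each eligible option that is not a usable URN."""
    findings = []
    for source, kinds in (config.get("authSources") or {}).items():
        for kind, options in (kinds or {}).items():
            for option, value in (options or {}).items():
                if option.lower() not in ELIGIBLE.get(kind.lower(), ()):
                    continue
                base = f"authSources.{source}.{kind}.{option}"
                for path, leaf in _leaves(value, base):
                    match = URN_RE.match(leaf)
                    if match is None:
                        problem = ("malformed secret URN" if leaf.startswith("urn:k8s:secret:")
                                   else "inline value, not a secret reference")
                    elif match.group(1) != deploy_namespace:
                        problem = f"namespace {match.group(1)!r} is not {deploy_namespace!r}"
                    else:
                        continue
                    findings.append((path, problem))
    return findings

# Constructed sample of a parsed static configuration (hypothetical values).
SAMPLE = {"authSources": {
    "jwtSource": {"jwt": {"signingSecret": "urn:k8s:secret:traefikee:jwt-secret:secretValue"}},
    "ldapSource": {"ldap": {"url": "ldap://ldap.test.svc.cluster.local:389",
                            "bindPassword": "constructed-inline-password"}},
    "oidcSource": {"oidc": {"clientSecret": "urn:k8s:secret:default:oidc-secret:value"}},
}}
for finding in audit_auth_sources(SAMPLE, "traefikee"):
    print(": ".join(finding))
```

Run against a configuration before `teectl apply`, this catches credentials that would otherwise be stored in plain text in the static configuration file.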
Cluster Configuration
Initial Configuration Propagation Delay
This option delays the first dynamic configuration propagation when a controller starts. The default value is set to 2s, which is the minimum value accepted.
YAML:
#...
cluster:
  initialConfigPropagationDelay: 10s
TOML:
#...
[cluster]
  initialConfigPropagationDelay = "10s"
Cleanup Grace Period
When a proxy fails, it is not immediately removed from the cluster. A grace period (by default 1 hour) is given to allow the proxy to recover. After this grace period, the proxy is removed from the cluster. The grace period can be configured as follows:
YAML:
#...
cluster:
  cleanup:
    gracePeriod: 20m
TOML:
#...
[cluster]
  [cluster.cleanup]
    gracePeriod = "20m"
Docker Swarm Network Discovery
Docker Swarm has the ability to discover new and existing networks on which to find applications to route. The network discovery is disabled by default, and can be enabled with the following configuration:
YAML:
#...
cluster:
  swarm:
    networkdiscovery: true
TOML:
#...
[cluster]
  [cluster.swarm]
    networkdiscovery = true
More information about network discovery can be found in the documentation.
Examples
Basic Static Configuration
The most basic static configuration must include entry points and at least one provider:
Kubernetes (YAML):
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  kubernetesCRD: {}
Kubernetes (TOML):
[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"
[providers.kubernetesCRD]
Docker Swarm (YAML):
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  docker:
    swarmMode: true
Docker Swarm (TOML):
[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"
[providers.docker]
  swarmMode = true
File provider (YAML):
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
providers:
  file:
    filename: dynamic_config.yml
File provider (TOML):
[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"
[providers]
  [providers.file]
    filename = "dynamic_config.toml"
Customized Configuration for Kubernetes
The following static configuration will configure the Kubernetes CRD provider to watch only the namespaces traefikee and production for routing configuration:
YAML:
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  kubernetesCRD:
    namespaces:
      - traefikee
      - production
TOML:
[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"
[providers.kubernetesCRD]
  namespaces = ["traefikee", "production"]
More information can be found on Traefik Proxy's Kubernetes Ingress Provider page.
Custom Entrypoint
The following static configuration will configure Traefik Enterprise to listen to a custom entrypoint for incoming requests.
YAML:
entryPoints:
  internal:
    address: ":8888"
providers:
  kubernetesCRD: {}
TOML:
[entryPoints]
  [entryPoints.internal]
    address = ":8888"
[providers.kubernetesCRD]
Important
When using an orchestrator, Traefik Enterprise creates two network services for:
- HTTP on port 80
- HTTPS on port 443
In order to add a custom entrypoint on a different port, it is necessary to configure the network service. This "service" allows incoming requests to reach proxies on the custom entrypoint's port.