Skip to content

Traefik Provider

The Traefik provider allows Traefik Enterprise to route requests to other Traefik Enterprise instances.

Multi Traefik Enterprise Layers architecture

Layer 2 Traefik Enterprise Configuration

The Traefik provider relies on the API exposed by the layer 2 Traefik Enterprise instances. This section will show you how to expose this API.

Secure you API routes

We strongly recommend you secure your API routes. The Traefik provider allows you to set an authorization header with the credentials required by layer 2. In this example, we demonstrate how to do this with the API Key middleware, but any authentication middleware can work.

First, update the static configuration to enable the API:

# Static Configuration
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
  api:
    address: ":8080"

api: {}
# Static Configuration
[entryPoints]
  [entryPoints.http]
    address = ":80"
  [entryPoints.https]
    address = ":443"
  [entryPoints.api]
    address = ":8080"

[api]

Then, create a route that uses API Key middleware to securely expose it:

http:
  routers:
    api-tls:
      entryPoints:
        - "api"
      middlewares:
        - "api-key-auth"
      service: api@internal
      rule: "Host(`<CLUSTER1_HOST>`)"
      tls: {}
  middlewares:
    api-key-auth:
      plugin:
        apiKey:
          secretParam: Authorization
          secretValue: $2y$05$aWnGD0X128wkQL4Pj7osie1KhyDz5j/JLnP02pLcS0GPcrXL22GCa # "secret-api-key"
          kind: header
# Dynamic Configuration
[http.routers.api-tls]
  entryPoints = ['api']
  rule = "Host(`<CLUSTER1_HOST>`)"
  service = "api@internal"
  # Secured route with API Key middleware
  middleware = ["api-key-auth"]
  [http.routers.api-tls.tls]

[http.middlewares]
  [http.middlewares.api-key-auth.plugin.apiKeyAuth]
    secretParam = Authorization
    secretValue = $2y$05$aWnGD0X128wkQL4Pj7osie1KhyDz5j/JLnP02pLcS0GPcrXL22GCa # "secret-api-key"
    kind = header

Your layer 2 Enterprise cluster is now ready to accept requests from the layer 1 cluster. Let's enable the Traefik provider in the next section.

Layer 1 Traefik Enterprise Configuration

This section describes how to enable the Traefik provider on layer 1 Traefik Enterprise cluster.

Use the same entryPoints

You must use the same entry point names on both layer 1 and layer 2 clusters for requests to be routed correctly.

Note that the API does not need to be exposed on the layer 1 Traefik Enterprise cluster.

# Static Configuration
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  plugin:
    traefik:
        cluster1:
          apiAddr: "https://<CLUSTER1_HOST>:8080"
          authorizationHeader: "secret-api-key"
# Static Configuration
[entryPoints]
  [entryPoints.http]
    address = ":80"
  [entryPoints.https]
    address = ":443"

[providers.plugin.traefik]
  [providers.plugin.traefik.cluster1]
    apiAddr = "https://<CLUSTER1_HOST>:8080"
    authorizationHeader = "secret-api-key"

When enabled, a new router will be created at the layer 1 cluster for each entrypoint associated to the original layer 2 routers. This is done to ensure correct routing between entrypoints, which might include different ports, transport configuration or middleware.

It's also important to note that at layer 1 any middleware configuration is ignored as this layer acts as a simple hop to the next one where the actual middleware execution happens.

Provider Configuration Reference

The Traefik provider can be enabled and configured from the static configuration:

providers:
  plugin:
    traefik:
        cluster1:
          apiAddr: "https://cluster1:8080"
        cluster2:
          apiAddr: "https://cluster2:8080"
[providers.plugin.traefik]
    [providers.plugin.traefik.cluster1]
      apiAddr = "https://cluster1:8080"
    [providers.plugin.traefik.cluster2]
      apiAddr = "https://cluster2:8080"

apiAddr

Required, Default=""

Defines the API address of the layer 2 Traefik Enterprise cluster to target.

providers:
  plugin:
    traefik:
        cluster1:
          apiAddr: "https://cluster1:8080"
[providers.plugin.traefik]
    [providers.plugin.traefik.cluster1]
      apiAddr = "https://cluster1:8080"

authorizationHeader

Optional, Default=""

Defines an authorization header to add to the requests sent to fetch the configuration from the layer 2 Traefik Enterprise cluster.

providers:
  plugin:
    traefik:
        cluster1:
          authorizationHeader: "secret-api-key"
[providers.plugin.traefik]
    [providers.plugin.traefik.cluster1]
      authorizationHeader = "secret-api-key"