Frequently Asked Questions¶
How many controllers do you need for high availability?
A multi controller cluster is healthy as long as the nodes can reach a quorum to elect a new leader in case of failure.
The quorum is (N/2)+1
where N is the initial number of controllers.
If the number of healthy nodes goes below this number, the cluster must be recovered before it will resume normal operations.
What happens if the cluster is unhealthy?
Proxies will continue to route the requests based on the last known configuration.
Why can't I access ports 80 or 443 after a successful installation?
Even after installation is complete, Traefik Enterprise won't listen to any ports on the proxies until a static configuration specifying entry-points is applied.
How can I recover if my controller(s) died unexpectedly?
When using some kind of persistent volume in the host / pod / container, you can boot it up again and watch the logs to see if the state was automatically recovered. If the cluster data were lost, please refer to the Backup and Restore section for more recovery options.
Can I update the static / dynamic configuration without downtime?
You can update or change the cluster configuration without losing requests as long as the entry-points are not changed.
Can I run multiple providers on the same Traefik Enterprise cluster?
Yes, you can enable more than one provider in your static configuration.
Is the File provider supported on multi controller clusters?
Yes. The only limitation is that the configuration file must be replicated on every host executing a controller.
Introduced in version v2.2 is a new internal provider that keeps the same format and functionality while and storing the configuration in the cluster state and enabling management with teectl
, for that reason it's highly recommended to switch to it.
What installation method is best?
We recommend installing with teectl
, even when customization is needed, as it will generate all the required manifest files for your platform.
Since version v2.3, Kubernetes users can also benefit from a GitOps installation method.
Manual installation is required for on-premise users.
Why is it trying to start / use a
traefik
entrypoint when there is none in my static config?
Traefik Proxy has the concept of a default entrypoint to use for internal services, like the API or Ping, when they are enabled but no entrypoint is specified.
Why my entrypoint is conflicting with
traefik
internal entrypoint?
The traefik
default internal entrypoint will use port ':8080'. When setting up your own custom entrypoint to the same port, make sure you are not using the traefik
internal one by specifying the entrypoint
value on internal services like the API, Metrics, Dashboard and Ping.
Why do my proxies show up as a new nodes in the cluster after every restart?
To ensure cluster consistency, the Traefik Enterprise proxies are configured to always start from a clean state. This means they will get new node IDs inside the cluster and will show up in the Dashboard and in CLI queries as new nodes. Their old entries will be removed from the cluster by the controller(s) after a grace period, by default 1 hour.
Can I run two clusters with the same license key during an upgrade?
Parallel clusters with the same license key are allowed temporarily for the purpose of upgrades, as this is our recommended upgrade path on all platforms.
Why are my ACME certificates not being regenerated after changing the certificate resolver configuration?
Traefik Enterprise does not react to certificate resolver changes. This means it won't revoke / regenerate certificates based on changes in the configuration. Such situations include changing the key type or the root CA.
To achieve this the existing certificates must be removed from the cluster first. Get in touch with support if you need assistance with the process.
Is Traefik Enterprise FIPS 140-2 compliant?
Yes, we provide a FIPS compliant image for each Traefik Enterprise version since the version v2.4.0. More details in the dedicated section.
How to monitor if my Traefik Enterprise cluster license is correctly checked?
The controller generates a log each time it tries to reach the license server (every 24 hours). You can create an alert in your log system to track down any occurrence of this line:
could not connect to license server
This issue can be the result of a network issue (firewalling), an outdated DNS address, or an issue at Traefik Labs's level. Please reach out to Traefik support.
What happens if my Traefik Enterprise cluster license is not checked?
A 72-day grace period is set at the controller level if the controller cannot reach the license server. If the controller is unable to validate the license during this period, it will stop updating the dynamic configuration. This can lead to 502 errors due to outdated data, underscoring the urgency of resolving the issue.
You can track down and get notified by your log system by checking this line:
Your license has expired or is suspended, deployments have been disabled
If you're having this issue please contact directly Traefik's support.