
Static Configuration in Traefik Enterprise

Traefik Enterprise uses the same static configuration system as Traefik Proxy, with a few additions. Unlike Traefik Proxy, however, Traefik Enterprise does not require a restart to update the configuration.

To get an overview of the static configuration capabilities, please refer to the static configuration reference.

Applying a Static Configuration

Static Configuration can be applied to a cluster using the apply command in teectl:

teectl apply --file=config.toml

The apply command supports both TOML and YAML static configuration formats.

More information about the apply command can be found in the teectl reference.

Getting the Cluster Static Configuration

It is possible to get the currently applied cluster static configuration using teectl:

teectl get static-config

The format of the output can be customized with the --format option.

More information about the get static-config command can be found in the teectl reference.

Configuring Authentication Sources

Static Configuration can include Authentication Sources, which are required for middlewares such as LDAP authentication to work. An example configuration of an LDAP authentication source can be seen below:

YAML:

#...

authSources:
  ldapSource:
    ldap:
      url: ldap://ldap.test.svc.cluster.local:389

TOML:

#...

[authSources]
  [authSources.ldapSource]
    [authSources.ldapSource.ldap]
      url = "ldap://ldap.test.svc.cluster.local:389"

For more information on configuring LDAP authentication sources, please refer to the LDAP documentation.

Sensitive Values from Kubernetes Secrets

When configuring authentication sources, it is possible to reference Kubernetes Secrets to provide the values of sensitive options. The reference to a Kubernetes Secret takes the form of a URN:

urn:k8s:secret:[namespace]:[name]:[valueKey]

YAML:

#...

authSources:
  jwtSource:
    jwt:
      signingSecret: urn:k8s:secret:traefikee:jwt-secret:secretValue

TOML:

#...

[authSources]
  [authSources.jwtSource]
    [authSources.jwtSource.jwt]
      signingSecret = "urn:k8s:secret:traefikee:jwt-secret:secretValue"

Kubernetes Secret:

---
apiVersion: v1
kind: Secret
metadata:
  name: jwt-secret
  namespace: traefikee

data:
  # base64 of "super-secret"
  secretValue: c3VwZXItc2VjcmV0

List of eligible sensitive options

  • LDAP:
    • BindPassword
  • JWT:
    • SigningSecret
  • OAuthIntrospection:
    • AuthorizationHeader
    • CustomHeaders
  • OIDC:
    • ClientSecret
  • HMAC:
    • Inline

Restrictions

This feature only works when the Traefikee Controllers are running within a Kubernetes cluster. Nevertheless, this feature can be used without requiring any Kubernetes provider to be enabled.

The Kubernetes secrets can only be loaded within the Traefikee deployment namespace.
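
The following check is an added example, not part of the Traefik Enterprise documentation or tooling. It audits an already-parsed static configuration against the rules above: every eligible sensitive option should be a well-formed secret URN, and the URN's namespace must be the deployment namespace. The function names, the lower-cased option keys, the treatment of inline values as findings, and the three extra sources in the sample are assumptions made for illustration.

```python
import re

# Eligible sensitive options from the list on this page, lower-cased so that
# camelCase config keys (e.g. signingSecret) match; exact key spelling is assumed.
SENSITIVE = {
    "ldap": {"bindpassword"}, "jwt": {"signingsecret"},
    "oauthintrospection": {"authorizationheader", "customheaders"},
    "oidc": {"clientsecret"}, "hmac": {"inline"},
}
# urn:k8s:secret:[namespace]:[name]:[valueKey]
URN = re.compile(r"urn:k8s:secret:([^:\s]+):([^:\s]+):([^:\s]+)")

def leaves(value, path):
    """Yield (path, string) for every string nested under a sensitive option."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from leaves(item, f"{path}.{key}")
    elif isinstance(value, list):
        for index, item in enumerate(value):
            yield from leaves(item, f"{path}[{index}]")

def audit_auth_sources(config, deploy_namespace):
    """Return sorted (path, problem) findings for a parsed static config."""
    findings = []
    for name, source in (config.get("authSources") or {}).items():
        for kind, options in source.items():
            wanted = SENSITIVE.get(kind.lower(), set())
            for key, value in (options or {}).items():
                if key.lower() not in wanted:
                    continue  # e.g. ldap.url is not a sensitive option
                for path, text in leaves(value, f"authSources.{name}.{kind}.{key}"):
                    match = URN.fullmatch(text)
                    if match is None and text.startswith("urn:k8s:secret:"):
                        findings.append((path, "malformed secret URN"))
                    elif match is None:
                        findings.append((path, "inline value, not a secret reference"))
                    elif match.group(1) != deploy_namespace:
                        findings.append((path, "secret outside deployment namespace"))
    return sorted(findings)

# Constructed sample: the page's JWT source plus three hypothetical sources.
SAMPLE = {"authSources": {
    "jwtSource": {"jwt": {"signingSecret": "urn:k8s:secret:traefikee:jwt-secret:secretValue"}},
    "ldapSource": {"ldap": {"url": "ldap://ldap.test.svc.cluster.local:389",
                            "bindPassword": "example-password"}},
    "oidcSource": {"oidc": {"clientSecret": "urn:k8s:secret:default:oidc-secret:clientSecret"}},
    "introSource": {"oAuthIntrospection": {"customHeaders": {"X-Token": "urn:k8s:secret:traefikee:hdr"}}},
}}
```

Load the YAML or TOML file into a dictionary with the parser of your choice and pass it to audit_auth_sources together with the namespace the controllers are deployed in.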

Cluster Configuration

Initial Configuration Propagation Delay

This option delays the first dynamic configuration propagation when a controller starts. The default value is set to 2s, which is the minimum value accepted.

YAML:

#...

cluster:
  initialConfigPropagationDelay: 10s

TOML:

#...

[cluster]
  initialConfigPropagationDelay = "10s"

Cleanup Grace Period

When a proxy fails, it is not immediately removed from the cluster. A grace period (by default 1 hour) is given to allow the proxy to recover. After this grace period, the proxy is removed from the cluster. The grace period can be configured as follows:

YAML:

#...

cluster:
  cleanup:
    gracePeriod: 20m

TOML:

#...

[cluster]
  [cluster.cleanup]
    gracePeriod = "20m"

Docker Swarm Network Discovery

Docker Swarm has the ability to discover new and existing networks on which to find applications to route. Network discovery is disabled by default and can be enabled with the following configuration:

YAML:

#...

cluster:
  swarm:
    networkdiscovery: true

TOML:

#...

[cluster]
  [cluster.swarm]
    networkdiscovery = true

More information about network discovery can be found in the documentation.

Examples

Basic Static Configuration

The most basic static configuration must include entry-points and at least one provider:

Kubernetes (YAML):

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  kubernetesCRD: {}

Kubernetes (TOML):

[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"

[providers.kubernetesCRD]

Docker Swarm (YAML):

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    swarmMode: true

Docker Swarm (TOML):

[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"

[providers.docker]
  swarmMode = true

File provider (YAML):

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  file:
    filename: dynamic_config.yml

File provider (TOML):

[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"

[providers]
  [providers.file]
    filename = "dynamic_config.toml"

Customized Configuration for Kubernetes

The following static configuration will configure the Kubernetes CRD provider to watch only the namespaces traefikee and production for routing configuration:

YAML:

entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

providers:
  kubernetesCRD:
    namespaces:
      - traefikee
      - production

TOML:

[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"

[providers.kubernetesCRD]
  namespaces = ["traefikee", "production"]

More information can be found on Traefik Proxy's Kubernetes Ingress Provider page.

Custom Entrypoint

The following static configuration will configure Traefik Enterprise to listen to a custom entrypoint for incoming requests.

YAML:

entryPoints:
  internal:
    address: ":8888"

providers:
  kubernetesCRD: {}

TOML:

[entryPoints]
  [entryPoints.internal]
    address = ":8888"

[providers.kubernetesCRD]

Important

When using an orchestrator, Traefik Enterprise creates two network services for:

  • HTTP on port 80
  • HTTPS on port 443

In order to add a custom entrypoint on a different port, it is necessary to configure the network service. This "service" allows incoming requests to reach proxies on the custom entrypoint's port.