ServersTransportTCP

ServersTransportTCP allows you to configure the transport between Traefik and your TCP servers.

Register the ServersTransportTCP kind in the Kubernetes cluster before creating ServersTransportTCP objects.

Configuration Example

IngressRouteTCP

```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test-tcp
  namespace: apps
spec:
  entryPoints:
    - tcp
  routes:
    - match: HostSNI(`example.com`)
      services:
        - name: my-service
          port: 3306
          # Format: namespace-name@providername
          serversTransport: apps-mytransport@kubernetescrd
  tls:
    passthrough: true
    # Add a TLS certificate from a Kubernetes Secret
    secretName: supersecret
```

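ServersTransportTCP

```yaml
apiVersion: traefik.io/v1alpha1
kind: ServersTransportTCP
metadata:
  name: mytransport
  namespace: apps
spec:
  dialTimeout: 42s
  dialKeepAlive: 42s
  tls:
    serverName: foobar
    # true disables verification of the server's certificate chain and host name
    insecureSkipVerify: true
    peerCertURI: foobar
    # Certificates presented to the server for mTLS
    certificatesSecrets:
      - supersecret
```
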
Kubernetes Service

```yaml
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: apps
spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app1
```

Secret

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: supersecret
  namespace: apps
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
```

Configuration Options
Field | Description | Default | Required |
---|---|---|---|
dialTimeout | The amount of time to wait until a connection to a server can be established. If zero, no timeout exists. | 30s | No |
dialKeepAlive | The interval between keep-alive probes for an active network connection. If this option is set to zero, keep-alive probes are sent with a default value (currently 15 seconds), if supported by the protocol and operating system. Network protocols or operating systems that do not support keep-alives ignore this field. If negative, keep-alive probes are turned off. | | No |
terminationDelay | Defines the delay to wait before fully terminating the connection, after one connected peer has closed its writing capability. | | No |
tls | The TLS configuration. | | No |
tls.serverName | ServerName used to contact the server. | | |
tls.insecureSkipVerify | Controls whether the server's certificate chain and host name are verified. | | |
tls.peerCertURI | Defines the URI used to match against SAN URIs during the server's certificate verification. | | |
tls.rootCAsSecrets | Defines the set of root certificate authorities to use when verifying server certificates. The CA secret must contain a base64 encoded certificate under either a tls.ca or a ca.crt key. | | |
tls.certificatesSecrets | Certificates to present to the server for mTLS. | | |
spiffe | Configures SPIFFE options. | | No |
spiffe.ids | Defines the allowed SPIFFE IDs. This takes precedence over the SPIFFE trustDomain. | | No |
spiffe.trustDomain | Defines the allowed SPIFFE trust domain. | "" | No |
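
The configuration example above sets tls.insecureSkipVerify to true, which turns off verification of the backend's certificate chain and host name. The following variant is an added example, not taken from the Traefik documentation: it keeps verification on and pins the trusted CA through tls.rootCAsSecrets. The names mytransport-verified and backend-ca, the host name db.apps.internal and the certificate placeholder are assumptions.

```yaml
# Added example: ServersTransportTCP that verifies the backend certificate.
apiVersion: traefik.io/v1alpha1
kind: ServersTransportTCP
metadata:
  name: mytransport-verified        # hypothetical name
  namespace: apps
spec:
  dialTimeout: 30s
  tls:
    # Name used to contact the server (constructed value); set it to the
    # name the backend certificate was issued for.
    serverName: db.apps.internal
    # Keep chain and host name verification enabled.
    insecureSkipVerify: false
    # Only certificates chaining to this CA are accepted.
    rootCAsSecrets:
      - backend-ca
    # Client certificate presented to the backend for mTLS.
    certificatesSecrets:
      - supersecret
---
apiVersion: v1
kind: Secret
metadata:
  name: backend-ca                  # hypothetical name
  namespace: apps
data:
  # The CA certificate must sit under either tls.ca or ca.crt.
  ca.crt: <base64-encoded PEM CA certificate>   # placeholder, not a real value
```

An IngressRouteTCP service would reference this transport as apps-mytransport-verified@kubernetescrd, following the namespace-name@providername format shown in the example above.
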
Related Content
- See the SPIFFE configuration for more details on using SPIFFE with Traefik.