Skip to main content

Data Sharing

This document provides an overview about data sharing between the Traefik Hub’s SaaS control plane and a Kubernetes cluster hosting the Traefik Hub agent.


Introduction

The Traefik Hub's SaaS (Software as a Service) control plane is hosted by Traefik Labs in the cloud. The Traefik Hub agent (acting as the data plane) is hosted in a Kubernetes cluster. They communicate with each other to manage and control Traefik Hub's API Gateway and API Portal instances running in the cluster.

The Traefik Hub agent collects data related to API management (Traefik Hub CRDs), Ingress management (for example Traefik Proxy CRDs) and general Kubernetes components (Namespaces, Nodes, Services, etc.).

Depending on the configuration, the data shared between the control plane and the Kubernetes cluster could be less than all the possible items listed in this document.

Besides the data collected by the Traefik Hub agent, the Traefik Platform stores data related to the platform authorization, identity providers and such.

Shared Data

Custom Resource Definitions (CRDs)

Traefik Hub CRDs are sent to the Traefik Hub Platform for synchronization purposes and validation:

Besides the CRDs, the Traefik Hub agent also sent its own configuration. As of now, it only consists of one field: DistributedRateLimitAvailable.

Custom Resource Definitions (CRDs)

If Traefik Proxy is used as Ingress Controller (default setting if the Traefik Hub agent is installed in Ingress Controller mode), the Traefik Hub agent has access to the following Traefik Proxy CRDs.

NamePermissionDescription
MiddlewaresRead/WriteTweaks the HTTP requests before they are sent to your service.
IngressRouteRead/WriteHTTP Routing.
IngressClassRead/WriteThe annotation that identifies Ingress objects to be processed.
MiddlewareTCPReadTweaks the TCP requests before they are sent to your service.
TraefikServiceReadAbstraction for HTTP loadbalancing/mirroring.
IngressRouteTCPReadTCP routing.
IngressRouteUDPReadUDP routing
TLSOptionsReadAllows to configure some parameters of the TLS connection.
TLSStoresReadAllows to configure the default TLS store.
ServersTransportReadAllows to configure the transport between Traefik and the backends.

Kubernetes

The Traefik Hub agent has access to the following Kubernetes components:

NamePermissionDescription
IngressesRead/WriteThis is used for service discovery. Also used to set ACP to Ingresses.
SecretsRead/WriteThis is used to store secrets like certificates.
PodsReadUsed to get the list of agent Pods and fetch metrics from them.
Pod logsReadCollect log of the Pods (will be removed soon).
NamespacesReadThis is used to get the Namespace system for the leader election.
LeasesRead/WriteUsed to handle the leader election for the agent.
Endpoint slicesReadThis is used to list on which nodes the services exposed by APIs are.
EventsWriteThis is used to write several events on resources managed by Traefik Hub, for example, when the OpenAPI spec is not found.
ServicesReadUsed in service discovery and for routing.
NodesReadThis is used for license purposes.
EndpointsReadThis is used for routing.

Metrics

The following metrics are transmitted to the Traefik Hub platform.

These metrics are displayed in the control plane:

  • Request per seconds
  • Request error per seconds
  • Request error percent
  • Request client error per seconds
  • Request client error percent
  • Average response time
  • Requests number
  • Requests error number
  • Requests client error number
  • Response time sum
  • Response time count
info

These metrics below are used for internal purposes and will be soon integrated into the control plane:

  • API Request number
  • API Request bytes number
  • API Response Bytes number
  • Nodes count
  • API Gateways count
  • API count

Logs

Error logs generated by the Traefik Hub agent are transmitted to the Traefik Hub platform and stored for 24 hours to assist in resolving support requests quickly.

Certificates

The Traefik Hub Platform stores data related to certificates obtained with Let's Encrypt on generated domains and custom domains. The certificates are encrypted in the database and are renewed regularly.

Traefik Hub Dashboard

Overview about all data which is collected by the Traefik Hub dashboard.

Identity Provider

The Traefik Hub Platform stores data related to IdPs. This data is needed for authentication and permission management.

General

The following user data is stored:

  • First Name
  • Last Name
  • Company
  • Email
  • Group IDs
  • External ID
Internal IdP

All general user data plus:

  • Password hash

For each group, the Traefik Hub Platform only stores the name of the group.

Keycloak
  • URL
  • Realm
  • Username for realm access
  • Password for realm access (encrypted)
Okta
  • Org URL
  • Issuer URL
  • Token (encrypted)