This guide gives a concise overview of how a custom certificate can be attached to an API (microservice) in a Kubernetes cluster, so that the connection between the Traefik Hub agent and the Service is secured.
Connecting a custom certificate to an API requires two steps:
In the first step, you have to create the ServersTransport CRD.
ServersTransport allows configuring the transport between the Traefik Hub agent and your Services.
The referenced ServersTransport CRD must be defined in the same Kubernetes Service namespace.
| Field | Description |
|---|---|
| serverName | ServerName used to contact the server. |
| insecureSkipVerify | Controls whether the server's certificate chain and host name are verified. |
| rootCAsSecrets | Defines the set of root certificate authorities to use when verifying server certificates. The secret must contain a certificate under either a tls.ca or a ca.crt key. |
| certificatesSecrets | Certificates to present to the server for mTLS. |
| maxIdleConnsPerHost | Controls the maximum idle (keep-alive) connections to keep per host. If zero, |
| forwardingTimeouts | Timeouts for requests forwarded to the servers. |
| forwardingTimeouts.dialTimeout | The amount of time to wait until a connection to a server can be established. If zero, no timeout exists. |
| forwardingTimeouts.responseHeaderTimeout | The amount of time to wait for a server's response headers after fully writing the request (including its body, if any). If zero, no timeout exists. |
| forwardingTimeouts.idleConnTimeout | The maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. If zero, no timeout exists. |
| peerCertURI | URI used to match against SAN URIs during the server's certificate verification. |
| disableHTTP2 | Disables HTTP/2 for connections with servers. |
| spiffe | The SPIFFE configuration. |
| spiffe.ids | Defines the allowed SPIFFE IDs (takes precedence over the SPIFFE trust domain). |
| spiffe.trustDomain | Defines the allowed SPIFFE trust domain. |
The CA secret must contain a base64 encoded certificate under either a tls.ca or a ca.crt key.

```yaml
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: demo-api-transport
  namespace: apps
spec:
  serverName: gateway.domain.tld
  insecureSkipVerify: true
```

Note that this example sets insecureSkipVerify: true, which turns off verification of the server's certificate chain and host name (see the field table above). To have the connection verified against your own CA instead, reference the CA secret from the ServersTransport and leave insecureSkipVerify at its default.
In the second step, you need to add the traefik.ingress.kubernetes.io/service.serverstransport annotation to the Service definition of the API.
The syntax of the annotation is important! The value must reference the namespace and the name of your ServersTransport CRD in the form `<namespace>-<name>@kubernetescrd`.
```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: api-demo-svc
  namespace: apps
  annotations:
    traefik.ingress.kubernetes.io/service.serverstransport: apps-demo-api-transport@kubernetescrd
  labels:
    app: api-demo
spec:
  type: ClusterIP
  ports:
    - port: 443
      name: https
  selector:
    app: api-demo
```
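The two steps above are easy to get subtly wrong: the annotation value has to be `<namespace>-<name>@kubernetescrd` (not `namespace/name`, and not without the provider suffix), and the CA secret has to carry the base64 encoded certificate under a `tls.ca` or `ca.crt` key. The following POSIX shell helpers, an added example and not part of the Traefik Hub documentation or the project's own tooling, build the annotation value, check an existing value for the expected shape, and emit a Secret manifest with the `ca.crt` key from a PEM file. The secret name, namespace and PEM path are assumed to be supplied by the caller; the script does not talk to a cluster. The `rootCAsSecrets` field mentioned in the comments is the Traefik ServersTransport field that references such a secret.

```shell
#!/bin/sh
# Added helper script (not from the Traefik Hub docs). Works offline: it only
# formats values and manifests; applying them with kubectl is left to the caller.

# Build the annotation value Traefik expects for a ServersTransport CRD:
# "<namespace>-<name>@kubernetescrd".
serverstransport_annotation() {
    printf '%s-%s@kubernetescrd' "$1" "$2"
}

# Return 0 when a value has the shape <namespace>-<name>@kubernetescrd, 1 otherwise.
# Catches the two common mistakes: a "namespace/name" reference, and a value
# without the "@kubernetescrd" provider suffix.
check_annotation() {
    case "$1" in
        */*) return 1 ;;
        *@kubernetescrd)
            case "${1%@kubernetescrd}" in
                *-*) return 0 ;;
                *)   return 1 ;;
            esac ;;
        *) return 1 ;;
    esac
}

# Emit a Secret manifest holding the PEM CA bundle from file $3 under the ca.crt
# key, base64 encoded on a single line, ready to be referenced from the
# ServersTransport rootCAsSecrets field. Arguments: name, namespace, pem-file.
ca_secret_manifest() {
    name=$1; namespace=$2; pem=$3
    b64=$(base64 < "$pem" | tr -d '\n')
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${namespace}
type: Opaque
data:
  ca.crt: ${b64}
EOF
}

# Usage with the constructed values from the page's manifests:
#   serverstransport_annotation apps demo-api-transport
#   ca_secret_manifest demo-api-ca apps ./ca.pem > ca-secret.yaml
```

Pipe the output of `ca_secret_manifest` into `kubectl apply -f -` in the same namespace as the Service, then point the ServersTransport's CA secret field at the secret name instead of setting insecureSkipVerify.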
- Check out the full CRD reference guide for API management