Traefik and Nomad Service Discovery
A story of Tags, Services & Nomads
Attach tags to your Nomad services and let Traefik do the rest!
One of the best features of Traefik is the ability to delegate the routing configuration to the application level. With Nomad, Traefik can leverage tags attached to a service to generate routing rules.
Tags & sensitive data
We recommend not using tags to store sensitive data (certificates, credentials, etc.). Instead, store sensitive data in safer storage (secrets, files, etc.).
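A pre-deployment check for this recommendation, as an added example (not Traefik's or Nomad's own code): it scans a service's tags for values that look like credentials. The header list, the key patterns (based on the BasicAuth and DigestAuth `users` options) and the sample tags are constructed assumptions, and `find_sensitive_tags` is a hypothetical helper name.

```python
import re
from urllib.parse import urlsplit

# Constructed sample tags for one Nomad service (not from a real job).
SAMPLE_TAGS = [
    "traefik.enable=true",
    "traefik.http.routers.app.rule=Host(`example.com`)",
    "Traefik.HTTP.Middlewares.auth.BasicAuth.Users=admin:$apr1$constructed$hash",
    "traefik.http.services.app.loadbalancer.healthcheck.headers.Authorization=Bearer constructed-token",
    "traefik.http.services.app.loadbalancer.server.url=http://svc:constructed-pw@foobar:8080",
    "traefik.http.services.app.loadbalancer.healthcheck.headers.X-Foo=foobar",
]

# Header names whose values are normally secrets (illustrative, an assumption).
SECRET_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}
# Key suffixes that carry credential material (illustrative, an assumption).
SECRET_KEY_RE = re.compile(r"\.(basicauth|digestauth)\.users$")
HEADER_KEY_RE = re.compile(r"\.headers\.([^.]+)$")
PEM_RE = re.compile(r"-----BEGIN [A-Z ]+-----")


def find_sensitive_tags(tags):
    """Return (key, reason) pairs for tags that appear to hold secrets."""
    findings = []
    for tag in tags:
        key, sep, value = tag.partition("=")
        key = key.strip().lower()  # tags are case-insensitive
        if not sep or not key.startswith("traefik."):
            continue  # not a Traefik key=value tag
        header = HEADER_KEY_RE.search(key)
        if SECRET_KEY_RE.search(key):
            findings.append((key, "credential list in tag"))
        elif header and header.group(1) in SECRET_HEADERS:
            findings.append((key, "secret-bearing header in tag"))
        elif key.endswith(".server.url") and urlsplit(value).password:
            findings.append((key, "password embedded in URL"))
        elif PEM_RE.search(value):
            findings.append((key, "PEM material in tag"))
    return findings


if __name__ == "__main__":
    for key, reason in find_sensitive_tags(SAMPLE_TAGS):
        print(f"{reason}: {key}")
```

Run it against the rendered job's tags in CI and fail the build on any finding, so the value moves to a secret store before the job is registered.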
Routing Configuration
tags
- Tags are case-insensitive.
- The complete list of tags can be found on the reference page.
General
Traefik creates, for each Nomad service, a corresponding Traefik service and router.
The Traefik service automatically gets a server per instance in this Nomad service, and the router gets a default rule attached to it, based on the Nomad service name.
Routers
To update the configuration of the Router automatically attached to the service, add tags starting with traefik.http.routers.{name-of-your-choice}. followed by the option you want to change.
For example, to change the rule, you could add the tag traefik.http.routers.my-service.rule=Host(`example.com`).
traefik.http.routers.<router_name>.rule
See rule for more information.
traefik.http.routers.myrouter.rule=Host(`example.com`)
traefik.http.routers.<router_name>.entrypoints
See entry points for more information.
traefik.http.routers.myrouter.entrypoints=web,websecure
traefik.http.routers.<router_name>.middlewares
See middlewares and middlewares overview for more information.
traefik.http.routers.myrouter.middlewares=auth,prefix,cb
traefik.http.routers.<router_name>.service
See service for more information.
traefik.http.routers.myrouter.service=myservice
traefik.http.routers.<router_name>.tls
See tls for more information.
traefik.http.routers.myrouter.tls=true
traefik.http.routers.<router_name>.tls.certresolver
See certResolver for more information.
traefik.http.routers.myrouter.tls.certresolver=myresolver
traefik.http.routers.<router_name>.tls.domains[n].main
See domains for more information.
traefik.http.routers.myrouter.tls.domains[0].main=example.org
traefik.http.routers.<router_name>.tls.domains[n].sans
See domains for more information.
traefik.http.routers.myrouter.tls.domains[0].sans=test.example.org,dev.example.org
traefik.http.routers.<router_name>.tls.options
See options for more information.
traefik.http.routers.myrouter.tls.options=foobar
traefik.http.routers.<router_name>.observability.accesslogs
See accesslogs option for more information.
traefik.http.routers.myrouter.observability.accesslogs=true
traefik.http.routers.<router_name>.observability.metrics
See metrics option for more information.
traefik.http.routers.myrouter.observability.metrics=true
traefik.http.routers.<router_name>.observability.tracing
See tracing option for more information.
traefik.http.routers.myrouter.observability.tracing=true
traefik.http.routers.<router_name>.priority
See priority for more information.
traefik.http.routers.myrouter.priority=42
Services
To update the configuration of the Service automatically attached to the service, add tags starting with traefik.http.services.{name-of-your-choice}. followed by the option you want to change.
For example, to change the passHostHeader behavior, you'd add the tag traefik.http.services.{name-of-your-choice}.loadbalancer.passhostheader=false.
traefik.http.services.<service_name>.loadbalancer.server.port
Registers a port. Useful when the service exposes multiple ports.
traefik.http.services.myservice.loadbalancer.server.port=8080
traefik.http.services.<service_name>.loadbalancer.server.scheme
Overrides the default scheme.
traefik.http.services.myservice.loadbalancer.server.scheme=http
traefik.http.services.<service_name>.loadbalancer.server.url
Defines the service URL.
This option cannot be used in combination with a port or scheme definition.
traefik.http.services.myservice.loadbalancer.server.url=http://foobar:8080
traefik.http.services.<service_name>.loadbalancer.serverstransport
References a ServersTransport resource that is defined with either the File provider or the Kubernetes CRD provider. See serverstransport for more information.
traefik.http.services.myservice.loadbalancer.serverstransport=foobar@file
traefik.http.services.<service_name>.loadbalancer.passhostheader
See pass Host header for more information.
traefik.http.services.myservice.loadbalancer.passhostheader=true
traefik.http.services.<service_name>.loadbalancer.healthcheck.headers.<header_name>
See health check for more information.
traefik.http.services.myservice.loadbalancer.healthcheck.headers.X-Foo=foobar
traefik.http.services.<service_name>.loadbalancer.healthcheck.hostname
See health check for more information.
traefik.http.services.myservice.loadbalancer.healthcheck.hostname=example.org
traefik.http.services.<service_name>.loadbalancer.healthcheck.interval
See health check for more information.
traefik.http.services.myservice.loadbalancer.healthcheck.interval=10
traefik.http.services.<service_name>.loadbalancer.healthcheck.path
See health check for more information.
traefik.http.services.myservice.loadbalancer.healthcheck.path=/foo
traefik.http.services.<service_name>.loadbalancer.healthcheck.status
See health check for more information.
traefik.http.services.myservice.loadbalancer.healthcheck.status=42
traefik.http.services.<service_name>.loadbalancer.healthcheck.port
See health check for more information.
traefik.http.services.myservice.loadbalancer.healthcheck.port=42
traefik.http.services.<service_name>.loadbalancer.healthcheck.scheme
See health check for more information.
traefik.http.services.myservice.loadbalancer.healthcheck.scheme=http
traefik.http.services.<service_name>.loadbalancer.healthcheck.timeout
See health check for more information.
traefik.http.services.myservice.loadbalancer.healthcheck.timeout=10
traefik.http.services.<service_name>.loadbalancer.healthcheck.followredirects
See health check for more information.
traefik.http.services.myservice.loadbalancer.healthcheck.followredirects=true
traefik.http.services.<service_name>.loadbalancer.sticky.cookie
See sticky sessions for more information.
traefik.http.services.myservice.loadbalancer.sticky.cookie=true
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.httponly
See sticky sessions for more information.
traefik.http.services.myservice.loadbalancer.sticky.cookie.httponly=true
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.name
See sticky sessions for more information.
traefik.http.services.myservice.loadbalancer.sticky.cookie.name=foobar
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.secure
See sticky sessions for more information.
traefik.http.services.myservice.loadbalancer.sticky.cookie.secure=true
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.samesite
See sticky sessions for more information.
traefik.http.services.myservice.loadbalancer.sticky.cookie.samesite=none
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.maxage
See sticky sessions for more information.
traefik.http.services.myservice.loadbalancer.sticky.cookie.maxage=42
traefik.http.services.<service_name>.loadbalancer.sticky.cookie.path
See sticky sessions for more information.
traefik.http.services.myservice.loadbalancer.sticky.cookie.path=/foobar
traefik.http.services.<service_name>.loadbalancer.responseforwarding.flushinterval
See response forwarding for more information.
traefik.http.services.myservice.loadbalancer.responseforwarding.flushinterval=10
Middleware
You can declare pieces of middleware using tags starting with traefik.http.middlewares.{name-of-your-choice}. followed by the middleware type/options.
For example, to declare a middleware redirectscheme named my-redirect, you'd write traefik.http.middlewares.my-redirect.redirectscheme.scheme=https.
More information about available middlewares can be found in the dedicated middlewares section.
Declaring and Referencing a Middleware
# ...
# Declaring a middleware
traefik.http.middlewares.my-redirect.redirectscheme.scheme=https
# Referencing a middleware
traefik.http.routers.my-service.middlewares=my-redirect
Conflicts in Declaration
If you declare multiple middlewares with the same name but with different parameters, the middleware fails to be declared.
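One way to catch such a conflict before deployment, as an added example (not Traefik's own code): it compares middleware declarations across services and reports names declared with differing options. It assumes the clashing declarations come from different Nomad services; the service names, tags and the `find_conflicts` helper are constructed for illustration.

```python
from collections import defaultdict

# Constructed tags from three Nomad services (not from a real cluster).
SERVICE_TAGS = {
    "web": [
        "traefik.http.middlewares.my-redirect.redirectscheme.scheme=https",
        "traefik.http.routers.web.middlewares=my-redirect",
    ],
    "api": [
        "Traefik.HTTP.Middlewares.My-Redirect.RedirectScheme.Scheme=http",
        "traefik.http.middlewares.limit.ratelimit.average=100",
    ],
    "admin": [
        "traefik.http.middlewares.limit.ratelimit.average=100",
    ],
}

PREFIX = "traefik.http.middlewares."


def middleware_declarations(tags):
    """Map middleware name -> {option: value} for one service's tags."""
    decls = defaultdict(dict)
    for tag in tags:
        key, sep, value = tag.partition("=")
        key = key.strip().lower()  # tags are case-insensitive
        if sep and key.startswith(PREFIX):
            name, _, option = key[len(PREFIX):].partition(".")
            decls[name][option] = value.strip()
    return decls


def find_conflicts(service_tags):
    """Return {middleware: [services]} where declarations differ."""
    seen = defaultdict(dict)  # middleware name -> {service: options}
    for service, tags in service_tags.items():
        for name, options in middleware_declarations(tags).items():
            seen[name][service] = options
    conflicts = {}
    for name, by_service in seen.items():
        variants = list(by_service.values())
        if any(v != variants[0] for v in variants[1:]):
            conflicts[name] = sorted(by_service)
    return conflicts


if __name__ == "__main__":
    print(find_conflicts(SERVICE_TAGS))
```

A conflict matters for security when the middleware enforces a control such as a redirect to HTTPS or authentication: a router that references a middleware that failed to be declared does not get that control applied.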
TCP
You can declare TCP Routers and/or Services using tags.
Declaring TCP Routers and Services
traefik.tcp.routers.my-router.rule=HostSNI(`example.com`)
traefik.tcp.routers.my-router.tls=true
traefik.tcp.services.my-service.loadbalancer.server.port=4123
TCP and HTTP
If you declare a TCP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no TCP Router/Service is defined). You can declare both a TCP Router/Service and an HTTP Router/Service for the same Nomad service (but you have to do so manually).
TCP Routers
traefik.tcp.routers.<router_name>.entrypoints
See entry points for more information.
traefik.tcp.routers.mytcprouter.entrypoints=ep1,ep2
traefik.tcp.routers.<router_name>.rule
See rule for more information.
traefik.tcp.routers.mytcprouter.rule=HostSNI(`example.com`)
traefik.tcp.routers.<router_name>.service
See service for more information.
traefik.tcp.routers.mytcprouter.service=myservice
traefik.tcp.routers.<router_name>.tls
See TLS for more information.
traefik.tcp.routers.mytcprouter.tls=true
traefik.tcp.routers.<router_name>.tls.certresolver
See certResolver for more information.
traefik.tcp.routers.mytcprouter.tls.certresolver=myresolver
traefik.tcp.routers.<router_name>.tls.domains[n].main
See domains for more information.
traefik.tcp.routers.mytcprouter.tls.domains[0].main=example.org
traefik.tcp.routers.<router_name>.tls.domains[n].sans
See domains for more information.
traefik.tcp.routers.mytcprouter.tls.domains[0].sans=test.example.org,dev.example.org
traefik.tcp.routers.<router_name>.tls.options
See options for more information.
traefik.tcp.routers.mytcprouter.tls.options=myoptions
traefik.tcp.routers.<router_name>.tls.passthrough
See TLS for more information.
traefik.tcp.routers.mytcprouter.tls.passthrough=true
TCP Services
traefik.tcp.services.<service_name>.loadbalancer.server.port
Registers a port of the application.
traefik.tcp.services.mytcpservice.loadbalancer.server.port=423
traefik.tcp.services.<service_name>.loadbalancer.server.tls
Determines whether to use TLS when dialing with the backend.
traefik.tcp.services.mytcpservice.loadbalancer.server.tls=true
traefik.tcp.services.<service_name>.loadbalancer.proxyprotocol.version
See PROXY protocol for more information.
traefik.tcp.services.mytcpservice.loadbalancer.proxyprotocol.version=1
traefik.tcp.services.<service_name>.loadbalancer.serverstransport
References a ServersTransport resource that is defined with either the File provider or the Kubernetes CRD provider. See serverstransport for more information.
traefik.tcp.services.myservice.loadbalancer.serverstransport=foobar@file
UDP
You can declare UDP Routers and/or Services using tags.
Declaring UDP Routers and Services
traefik.udp.routers.my-router.entrypoints=udp
traefik.udp.services.my-service.loadbalancer.server.port=4123
UDP and HTTP
If you declare a UDP Router/Service, it will prevent Traefik from automatically creating an HTTP Router/Service (like it does by default if no UDP Router/Service is defined). You can declare both a UDP Router/Service and an HTTP Router/Service for the same Nomad service (but you have to do so manually).
UDP Routers
traefik.udp.routers.<router_name>.entrypoints
See entry points for more information.
traefik.udp.routers.myudprouter.entrypoints=ep1,ep2
traefik.udp.routers.<router_name>.service
See service for more information.
traefik.udp.routers.myudprouter.service=myservice
UDP Services
traefik.udp.services.<service_name>.loadbalancer.server.port
Registers a port of the application.
traefik.udp.services.myudpservice.loadbalancer.server.port=423
Specific Provider Options
traefik.enable
traefik.enable=true
You can tell Traefik to consider (or not) the service by setting traefik.enable to true or false.
This option overrides the value of exposedByDefault.
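An exposure audit built on this rule and on the TCP and UDP notes earlier on the page, as an added example (not Traefik's own code): for each service it reports which protocols end up with a router. The inventory is constructed, the function names are hypothetical, and accepting only the literal values true and false for traefik.enable is an assumption of this sketch.

```python
# Constructed inventory: Nomad service name -> tags (not from a real cluster).
INVENTORY = {
    "web": ["traefik.enable=true",
            "traefik.http.routers.web.rule=Host(`example.com`)"],
    "db": ["traefik.enable=false",
           "traefik.tcp.routers.db.rule=HostSNI(`example.com`)"],
    "metrics": [],  # no tags at all
    "dns": ["Traefik.Enable=true",
            "traefik.udp.routers.dns.entrypoints=udp"],
    "mixed": ["traefik.tcp.routers.mixed.tls=true",
              "traefik.http.routers.mixed.rule=Host(`example.org`)"],
}


def parse_tags(tags):
    """Return {lowercased key: value} for Traefik key=value tags."""
    parsed = {}
    for tag in tags:
        key, sep, value = tag.partition("=")
        key = key.strip().lower()  # tags are case-insensitive
        if sep and key.startswith("traefik."):
            parsed[key] = value.strip()
    return parsed


def exposure(tags, exposed_by_default):
    """Return the sorted protocols Traefik would route for one service."""
    parsed = parse_tags(tags)
    enable = parsed.get("traefik.enable")
    if enable not in (None, "true", "false"):  # assumption: literals only
        raise ValueError(f"unexpected traefik.enable value: {enable!r}")
    # traefik.enable overrides exposedByDefault when it is present.
    enabled = exposed_by_default if enable is None else enable == "true"
    if not enabled:
        return []
    declared = {p for p in ("http", "tcp", "udp")
                if any(k.startswith(f"traefik.{p}.") for k in parsed)}
    # The automatic HTTP router/service only appears when no TCP or UDP
    # router/service is declared; otherwise HTTP must be declared by hand.
    if not declared & {"tcp", "udp"}:
        declared.add("http")
    return sorted(declared)


def audit(inventory, exposed_by_default):
    """Return {service: [protocols]} for the whole inventory."""
    return {name: exposure(tags, exposed_by_default)
            for name, tags in inventory.items()}
```

With `exposed_by_default=True` the untagged `metrics` service is routed over HTTP; with `False` it is not, which is the difference to look for when reviewing which services a provider setting publishes.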
traefik.nomad.canary
traefik.nomad.canary=true
When the Nomad orchestrator is a provider (of service registration) for Traefik, you might need to distinguish within Traefik between a canary instance of a service and a production one, for example if you do not want them to be part of the same load-balancer.
Therefore, this option, which is meant to be provided as one of the values of the canary_tags field in the Nomad service stanza, allows Traefik to identify that the associated instance is a canary one.
Port Lookup
Traefik is capable of detecting the port to use by following the default Nomad Service Discovery flow.
That means that if you just expose, let's say, port :1337 on the Nomad job, Traefik will pick up this port and use it.