Provider documentation fixes

This commit is contained in:
Brendan Le Glaunec 2021-02-11 19:04:03 +01:00 committed by GitHub
parent 5597d7633d
commit 0937cba870
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
15 changed files with 940 additions and 857 deletions

View file

@ -42,6 +42,8 @@ See the dedicated section in [routing](../routing/providers/consul-catalog.md).
_Optional, Default=15s_ _Optional, Default=15s_
Defines the polling interval.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog] [providers.consulCatalog]
refreshInterval = "30s" refreshInterval = "30s"
@ -60,12 +62,12 @@ providers:
# ... # ...
``` ```
Defines the polling interval.
### `prefix` ### `prefix`
_required, Default="traefik"_ _required, Default="traefik"_
The prefix for Consul Catalog tags defining Traefik labels.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog] [providers.consulCatalog]
prefix = "test" prefix = "test"
@ -84,12 +86,18 @@ providers:
# ... # ...
``` ```
The prefix for Consul Catalog tags defining traefik labels.
### `requireConsistent` ### `requireConsistent`
_Optional, Default=false_ _Optional, Default=false_
Forces the read to be fully consistent.
!!! note ""
It is more expensive due to an extra round-trip but prevents ever performing a stale read.
For more information, see the consul [documentation on consistency](https://www.consul.io/api-docs/features/consistency).
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog] [providers.consulCatalog]
requireConsistent = true requireConsistent = true
@ -108,12 +116,18 @@ providers:
# ... # ...
``` ```
Forces the read to be fully consistent.
### `stale` ### `stale`
_Optional, Default=false_ _Optional, Default=false_
Use stale consistency for catalog reads.
!!! note ""
This makes reads very fast and scalable at the cost of a higher likelihood of stale values.
For more information, see the consul [documentation on consistency](https://www.consul.io/api-docs/features/consistency).
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog] [providers.consulCatalog]
stale = true stale = true
@ -132,12 +146,12 @@ providers:
# ... # ...
``` ```
Use stale consistency for catalog reads.
### `cache` ### `cache`
_Optional, Default=false_ _Optional, Default=false_
Use local agent caching for catalog reads.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog] [providers.consulCatalog]
cache = true cache = true
@ -156,14 +170,14 @@ providers:
# ... # ...
``` ```
Use local agent caching for catalog reads.
### `endpoint` ### `endpoint`
Defines the Consul server endpoint. Defines the Consul server endpoint.
#### `address` #### `address`
Defines the address of the Consul server.
_Optional, Default="127.0.0.1:8500"_ _Optional, Default="127.0.0.1:8500"_
```toml tab="File (TOML)" ```toml tab="File (TOML)"
@ -186,12 +200,12 @@ providers:
# ... # ...
``` ```
Defines the address of the Consul server.
#### `scheme` #### `scheme`
_Optional, Default=""_ _Optional, Default=""_
Defines the URI scheme for the Consul server.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog] [providers.consulCatalog]
[providers.consulCatalog.endpoint] [providers.consulCatalog.endpoint]
@ -212,12 +226,13 @@ providers:
# ... # ...
``` ```
Defines the URI scheme for the Consul server.
#### `datacenter` #### `datacenter`
_Optional, Default=""_ _Optional, Default=""_
Defines the datacenter to use.
If not provided in Traefik, Consul uses the default agent datacenter.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog] [providers.consulCatalog]
[providers.consulCatalog.endpoint] [providers.consulCatalog.endpoint]
@ -238,13 +253,12 @@ providers:
# ... # ...
``` ```
Defines the Data center to use.
If not provided, the default agent data center is used.
#### `token` #### `token`
_Optional, Default=""_ _Optional, Default=""_
Token is used to provide a per-request ACL token which overwrites the agent's default token.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog] [providers.consulCatalog]
[providers.consulCatalog.endpoint] [providers.consulCatalog.endpoint]
@ -265,12 +279,13 @@ providers:
# ... # ...
``` ```
Token is used to provide a per-request ACL token which overrides the agent's default token.
#### `endpointWaitTime` #### `endpointWaitTime`
_Optional, Default=""_ _Optional, Default=""_
Limits the duration for which a Watch can block.
If not provided, the agent default values will be used.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog] [providers.consulCatalog]
[providers.consulCatalog.endpoint] [providers.consulCatalog.endpoint]
@ -291,18 +306,17 @@ providers:
# ... # ...
``` ```
WaitTime limits how long a Watch will block.
If not provided, the agent default values will be used
#### `httpAuth` #### `httpAuth`
_Optional_ _Optional_
Used to authenticate http client with HTTP Basic Authentication. Used to authenticate the HTTP client using HTTP Basic Authentication.
##### `username` ##### `username`
_Optional_ _Optional, Default=""_
Username to use for HTTP Basic Authentication.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.httpAuth] [providers.consulCatalog.endpoint.httpAuth]
@ -321,11 +335,11 @@ providers:
--providers.consulcatalog.endpoint.httpauth.username=test --providers.consulcatalog.endpoint.httpauth.username=test
``` ```
Username to use for HTTP Basic Authentication
##### `password` ##### `password`
_Optional_ _Optional, Default=""_
Password to use for HTTP Basic Authentication.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.httpAuth] [providers.consulCatalog.endpoint.httpAuth]
@ -344,8 +358,6 @@ providers:
--providers.consulcatalog.endpoint.httpauth.password=test --providers.consulcatalog.endpoint.httpauth.password=test
``` ```
Password to use for HTTP Basic Authentication
#### `tls` #### `tls`
_Optional_ _Optional_
@ -356,6 +368,8 @@ Defines TLS options for Consul server endpoint.
_Optional_ _Optional_
`ca` is the path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.tls] [providers.consulCatalog.endpoint.tls]
ca = "path/to/ca.crt" ca = "path/to/ca.crt"
@ -373,12 +387,20 @@ providers:
--providers.consulcatalog.endpoint.tls.ca=path/to/ca.crt --providers.consulcatalog.endpoint.tls.ca=path/to/ca.crt
``` ```
`ca` is the path to the CA certificate used for Consul communication, defaults to the system bundle if not specified.
##### `caOptional` ##### `caOptional`
_Optional_ _Optional_
The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
!!! warning ""
If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.tls] [providers.consulCatalog.endpoint.tls]
caOptional = true caOptional = true
@ -396,17 +418,14 @@ providers:
--providers.consulcatalog.endpoint.tls.caoptional=true --providers.consulcatalog.endpoint.tls.caoptional=true
``` ```
Policy followed for the secured connection with TLS Client Authentication to Consul.
Requires `tls.ca` to be defined.
- `true`: VerifyClientCertIfGiven
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert
##### `cert` ##### `cert`
_Optional_ _Optional_
`cert` is the path to the public certificate to use for Consul communication.
When using this option, setting the `key` option is required.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.tls] [providers.consulCatalog.endpoint.tls]
cert = "path/to/foo.cert" cert = "path/to/foo.cert"
@ -427,13 +446,14 @@ providers:
--providers.consulcatalog.endpoint.tls.key=path/to/foo.key --providers.consulcatalog.endpoint.tls.key=path/to/foo.key
``` ```
`cert` is the path to the public certificate for Consul communication.
If this is set then you need to also set `key.
##### `key` ##### `key`
_Optional_ _Optional_
`key` is the path to the private key for Consul communication.
When using this option, setting the `cert` option is required.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.tls] [providers.consulCatalog.endpoint.tls]
cert = "path/to/foo.cert" cert = "path/to/foo.cert"
@ -454,13 +474,12 @@ providers:
--providers.consulcatalog.endpoint.tls.key=path/to/foo.key --providers.consulcatalog.endpoint.tls.key=path/to/foo.key
``` ```
`key` is the path to the private key for Consul communication.
If this is set then you need to also set `cert`.
##### `insecureSkipVerify` ##### `insecureSkipVerify`
_Optional_ _Optional_
If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog.endpoint.tls] [providers.consulCatalog.endpoint.tls]
insecureSkipVerify = true insecureSkipVerify = true
@ -478,12 +497,15 @@ providers:
--providers.consulcatalog.endpoint.tls.insecureskipverify=true --providers.consulcatalog.endpoint.tls.insecureskipverify=true
``` ```
If `insecureSkipVerify` is `true`, TLS for the connection to Consul server accepts any certificate presented by the server and any host name in that certificate.
### `exposedByDefault` ### `exposedByDefault`
_Optional, Default=true_ _Optional, Default=true_
Expose Consul Catalog services by default in Traefik.
If set to `false`, services that don't have a `traefik.enable=true` tag will be ignored from the resulting routing configuration.
For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog] [providers.consulCatalog]
exposedByDefault = false exposedByDefault = false
@ -502,15 +524,20 @@ providers:
# ... # ...
``` ```
Expose Consul Catalog services by default in Traefik.
If set to false, services that don't have a `traefik.enable=true` tag will be ignored from the resulting routing configuration.
See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
### `defaultRule` ### `defaultRule`
_Optional, Default=```Host(`{{ normalize .Name }}`)```_ _Optional, Default=```Host(`{{ normalize .Name }}`)```_
The default host rule for all services.
For a given service, if no routing rule was defined by a tag, it is defined by this `defaultRule` instead.
The `defaultRule` must be set to a valid [Go template](https://golang.org/pkg/text/template/),
and can include [sprig template functions](http://masterminds.github.io/sprig/).
The service name can be accessed with the `Name` identifier,
and the template has access to all the labels (i.e. tags beginning with the `prefix`) defined on this service.
The option can be overridden on an instance basis with the `traefik.http.routers.{name-of-your-choice}.rule` tag.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consulCatalog] [providers.consulCatalog]
defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)" defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
@ -529,41 +556,13 @@ providers:
# ... # ...
``` ```
The default host rule for all services.
For a given service if no routing rule was defined by a tag, it is defined by this defaultRule instead.
It must be a valid [Go template](https://golang.org/pkg/text/template/),
augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
The service name can be accessed as the `Name` identifier,
and the template has access to all the labels (i.e. tags beginning with the `prefix`) defined on this service.
The option can be overridden on an instance basis with the `traefik.http.routers.{name-of-your-choice}.rule` tag.
### `constraints` ### `constraints`
_Optional, Default=""_ _Optional, Default=""_
```toml tab="File (TOML)" The `constraints` option can be set to an expression that Traefik matches against the service tags to determine whether
[providers.consulCatalog] to create any route for that service. If none of the service tags match the expression, no route for that service is
constraints = "Tag(`a.tag.name`)" created. If the expression is empty, all detected services are included.
# ...
```
```yaml tab="File (YAML)"
providers:
consulCatalog:
constraints: "Tag(`a.tag.name`)"
# ...
```
```bash tab="CLI"
--providers.consulcatalog.constraints="Tag(`a.tag.name`)"
# ...
```
Constraints is an expression that Traefik matches against the service's tags to determine whether to create any route for that service.
That is to say, if none of the service's tags match the expression, no route for that service is created.
If the expression is empty, all detected services are included.
The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions, The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions,
as well as the usual boolean logic, as shown in examples below. as well as the usual boolean logic, as shown in examples below.
@ -600,4 +599,22 @@ as well as the usual boolean logic, as shown in examples below.
constraints = "TagRegex(`a\.tag\.t.+`)" constraints = "TagRegex(`a\.tag\.t.+`)"
``` ```
See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery). ```toml tab="File (TOML)"
[providers.consulCatalog]
constraints = "Tag(`a.tag.name`)"
# ...
```
```yaml tab="File (YAML)"
providers:
consulCatalog:
constraints: "Tag(`a.tag.name`)"
# ...
```
```bash tab="CLI"
--providers.consulcatalog.constraints="Tag(`a.tag.name`)"
# ...
```
For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).

View file

@ -35,10 +35,10 @@ providers:
### `rootKey` ### `rootKey`
Defines the root key of the configuration.
_Required, Default="traefik"_ _Required, Default="traefik"_
Defines the root key of the configuration.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consul] [providers.consul]
rootKey = "traefik" rootKey = "traefik"
@ -56,10 +56,10 @@ providers:
### `username` ### `username`
Defines a username to connect with Consul.
_Optional, Default=""_ _Optional, Default=""_
Defines a username to connect to Consul with.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consul] [providers.consul]
# ... # ...
@ -81,7 +81,7 @@ providers:
_Optional, Default=""_ _Optional, Default=""_
Defines a password to connect with Consul. Defines a password with which to connect to Consul.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consul] [providers.consul]
@ -106,7 +106,7 @@ _Optional_
#### `tls.ca` #### `tls.ca`
Certificate Authority used for the secured connection to Consul. Certificate Authority used for the secure connection to Consul.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consul.tls] [providers.consul.tls]
@ -126,12 +126,15 @@ providers:
#### `tls.caOptional` #### `tls.caOptional`
Policy followed for the secured connection with TLS Client Authentication to Consul. The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Consul.
Requires `tls.ca` to be defined.
- `true`: VerifyClientCertIfGiven !!! warning ""
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consul.tls] [providers.consul.tls]
@ -151,7 +154,7 @@ providers:
#### `tls.cert` #### `tls.cert`
Public certificate used for the secured connection to Consul. Public certificate used for the secure connection to Consul.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consul.tls] [providers.consul.tls]
@ -174,7 +177,7 @@ providers:
#### `tls.key` #### `tls.key`
Private certificate used for the secured connection to Consul. Private certificate used for the secure connection to Consul.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consul.tls] [providers.consul.tls]
@ -197,7 +200,7 @@ providers:
#### `tls.insecureSkipVerify` #### `tls.insecureSkipVerify`
If `insecureSkipVerify` is `true`, TLS for the connection to Consul accepts any certificate presented by the server and any host name in that certificate. If `insecureSkipVerify` is `true`, the TLS connection to Consul accepts any certificate presented by the server regardless of the hostnames it covers.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.consul.tls] [providers.consul.tls]

View file

@ -11,7 +11,8 @@ Traefik works with both [Docker (standalone) Engine](https://docs.docker.com/eng
and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/). and [Docker Swarm Mode](https://docs.docker.com/engine/swarm/).
!!! tip "The Quick Start Uses Docker" !!! tip "The Quick Start Uses Docker"
If you haven't already, maybe you'd like to go through the [quick start](../getting-started/quick-start.md) that uses the docker provider!
If you have not already read it, maybe you would like to go through the [quick start guide](../getting-started/quick-start.md) that uses the Docker provider.
## Configuration Examples ## Configuration Examples
@ -102,17 +103,18 @@ When using Docker Compose, labels are specified by the directive
["services" objects](https://docs.docker.com/compose/compose-file/compose-file-v3/#service-configuration-reference). ["services" objects](https://docs.docker.com/compose/compose-file/compose-file-v3/#service-configuration-reference).
!!! tip "Not Only Docker" !!! tip "Not Only Docker"
Please note that any tool like Nomad, Terraform, Ansible, etc. Please note that any tool like Nomad, Terraform, Ansible, etc.
that is able to define a Docker container with labels can work that is able to define a Docker container with labels can work
with Traefik & the Docker provider. with Traefik and the Docker provider.
### Port Detection ### Port Detection
Traefik retrieves the private IP and port of containers from the Docker API. Traefik retrieves the private IP and port of containers from the Docker API.
Ports detection works as follows: Port detection works as follows:
- If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) only one port, - If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) a single port,
then Traefik uses this port for private communication. then Traefik uses this port for private communication.
- If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) multiple ports, - If a container [exposes](https://docs.docker.com/engine/reference/builder/#expose) multiple ports,
or does not expose any port, then you must manually specify which port Traefik should use for communication or does not expose any port, then you must manually specify which port Traefik should use for communication
@ -126,12 +128,11 @@ the IP address of the host is resolved as follows:
<!-- TODO: verify and document the swarm mode case with container.Node.IPAddress coming from the API --> <!-- TODO: verify and document the swarm mode case with container.Node.IPAddress coming from the API -->
- try a lookup of `host.docker.internal` - try a lookup of `host.docker.internal`
- otherwise fall back to `127.0.0.1` - if the lookup was unsuccessful, fall back to `127.0.0.1`
On Linux, (and until [github.com/moby/moby/pull/40007](https://github.com/moby/moby/pull/40007) is included in a release), On Linux, for versions of Docker older than 20.10.0, for `host.docker.internal` to be defined, it should be provided
for `host.docker.internal` to be defined, it should be provided as an `extra_host` to the Traefik container, as an `extra_host` to the Traefik container, using the `--add-host` flag. For example, to set it to the IP address of
using the `--add-host` flag. For example, to set it to the IP address of the bridge interface (docker0 by default): the bridge interface (`docker0` by default): `--add-host=host.docker.internal:172.17.0.1`
`--add-host=host.docker.internal:172.17.0.1`
### Docker API Access ### Docker API Access
@ -145,9 +146,10 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
If Traefik is attacked, then the attacker might get access to the underlying host. If Traefik is attacked, then the attacker might get access to the underlying host.
{: #security-note } {: #security-note }
As explained in the Docker documentation: ([Docker Daemon Attack Surface page](https://docs.docker.com/engine/security/#docker-daemon-attack-surface)): As explained in the [Docker Daemon Attack Surface documentation](https://docs.docker.com/engine/security/#docker-daemon-attack-surface):
!!! quote !!! quote
[...] only **trusted** users should be allowed to control your Docker daemon [...] [...] only **trusted** users should be allowed to control your Docker daemon [...]
??? success "Solutions" ??? success "Solutions"
@ -165,6 +167,7 @@ You can specify which Docker API Endpoint to use with the directive [`endpoint`]
- SSH public key authentication (SSH is supported with Docker > 18.09) - SSH public key authentication (SSH is supported with Docker > 18.09)
??? info "More Resources and Examples" ??? info "More Resources and Examples"
- ["Paranoid about mounting /var/run/docker.sock?"](https://medium.com/@containeroo/traefik-2-0-paranoid-about-mounting-var-run-docker-sock-22da9cb3e78c) - ["Paranoid about mounting /var/run/docker.sock?"](https://medium.com/@containeroo/traefik-2-0-paranoid-about-mounting-var-run-docker-sock-22da9cb3e78c)
- [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.traefik.io/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88) - [Traefik and Docker: A Discussion with Docker Captain, Bret Fisher](https://blog.traefik.io/traefik-and-docker-a-discussion-with-docker-captain-bret-fisher-7f0b9a54ff88)
- [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY) - [KubeCon EU 2018 Keynote, Running with Scissors, from Liz Rice](https://www.youtube.com/watch?v=ltrV-Qmh3oY)
@ -194,15 +197,15 @@ This behavior is only enabled for docker-compose version 3+ ([Compose file refer
Docker Swarm does not provide any [port detection](#port-detection) information to Traefik. Docker Swarm does not provide any [port detection](#port-detection) information to Traefik.
Therefore you **must** specify the port to use for communication by using the label `traefik.http.services.<service_name>.loadbalancer.server.port` Therefore, you **must** specify the port to use for communication by using the label `traefik.http.services.<service_name>.loadbalancer.server.port`
(Check the reference for this label in the [routing section for Docker](../routing/providers/docker.md#port)). (Check the reference for this label in the [routing section for Docker](../routing/providers/docker.md#port)).
### Docker API Access ### Docker API Access
Docker Swarm Mode follows the same rules as Docker [API Access](#docker-api-access). Docker Swarm Mode follows the same rules as Docker [API Access](#docker-api-access).
As the Swarm API is only exposed on the [manager nodes](https://docs.docker.com/engine/swarm/how-swarm-mode-works/nodes/#manager-nodes), you should schedule Traefik on the Swarm manager nodes by default, Since the Swarm API is only exposed on the [manager nodes](https://docs.docker.com/engine/swarm/how-swarm-mode-works/nodes/#manager-nodes),
by deploying Traefik with a constraint on the node's "role": these are the nodes that Traefik should be scheduled on by deploying Traefik with a constraint on the node "role":
```shell tab="With Docker CLI" ```shell tab="With Docker CLI"
docker service create \ docker service create \
@ -238,21 +241,6 @@ services:
_Required, Default="unix:///var/run/docker.sock"_ _Required, Default="unix:///var/run/docker.sock"_
```toml tab="File (TOML)"
[providers.docker]
endpoint = "unix:///var/run/docker.sock"
```
```yaml tab="File (YAML)"
providers:
docker:
endpoint: "unix:///var/run/docker.sock"
```
```bash tab="CLI"
--providers.docker.endpoint=unix:///var/run/docker.sock
```
See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API Access](#docker-api-access_1) for more information. See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API Access](#docker-api-access_1) for more information.
??? example "Using the docker.sock" ??? example "Using the docker.sock"
@ -315,34 +303,31 @@ See the sections [Docker API Access](#docker-api-access) and [Docker Swarm API A
# ... # ...
``` ```
### `useBindPortIP`
_Optional, Default=false_
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.docker] [providers.docker]
useBindPortIP = true endpoint = "unix:///var/run/docker.sock"
# ...
``` ```
```yaml tab="File (YAML)" ```yaml tab="File (YAML)"
providers: providers:
docker: docker:
useBindPortIP: true endpoint: "unix:///var/run/docker.sock"
# ...
``` ```
```bash tab="CLI" ```bash tab="CLI"
--providers.docker.useBindPortIP=true --providers.docker.endpoint=unix:///var/run/docker.sock
# ...
``` ```
Traefik routes requests to the IP/Port of the matching container. ### `useBindPortIP`
_Optional, Default=false_
Traefik routes requests to the IP/port of the matching container.
When setting `useBindPortIP=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port. When setting `useBindPortIP=true`, you tell Traefik to use the IP/Port attached to the container's _binding_ instead of its inner network IP/Port.
When used in conjunction with the `traefik.http.services.<name>.loadbalancer.server.port` label (that tells Traefik to route requests to a specific port), When used in conjunction with the `traefik.http.services.<name>.loadbalancer.server.port` label (that tells Traefik to route requests to a specific port),
Traefik tries to find a binding on port `traefik.http.services.<name>.loadbalancer.server.port`. Traefik tries to find a binding on port `traefik.http.services.<name>.loadbalancer.server.port`.
If it can't find such a binding, Traefik falls back on the internal network IP of the container, If it cannot find such a binding, Traefik falls back on the internal network IP of the container,
but still uses the `traefik.http.services.<name>.loadbalancer.server.port` that is set in the label. but still uses the `traefik.http.services.<name>.loadbalancer.server.port` that is set in the label.
??? example "Examples of `usebindportip` in different situations." ??? example "Examples of `usebindportip` in different situations."
@ -365,10 +350,33 @@ but still uses the `traefik.http.services.<name>.loadbalancer.server.port` that
- `ExtPort` stands for "external Port found in the binding" - `ExtPort` stands for "external Port found in the binding"
- `IntPort` stands for "internal network container's port." - `IntPort` stands for "internal network container's port."
```toml tab="File (TOML)"
[providers.docker]
useBindPortIP = true
# ...
```
```yaml tab="File (YAML)"
providers:
docker:
useBindPortIP: true
# ...
```
```bash tab="CLI"
--providers.docker.useBindPortIP=true
# ...
```
### `exposedByDefault` ### `exposedByDefault`
_Optional, Default=true_ _Optional, Default=true_
Expose containers by default through Traefik.
If set to `false`, containers that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.docker] [providers.docker]
exposedByDefault = false exposedByDefault = false
@ -387,14 +395,13 @@ providers:
# ... # ...
``` ```
Expose containers by default through Traefik.
If set to false, containers that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
### `network` ### `network`
_Optional, Default=empty_ _Optional, Default=""_
Defines a default docker network to use for connections to all containers.
This option can be overridden on a per-container basis with the `traefik.docker.network` label.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.docker] [providers.docker]
@ -414,14 +421,17 @@ providers:
# ... # ...
``` ```
Defines a default docker network to use for connections to all containers.
This option can be overridden on a container basis with the `traefik.docker.network` label.
### `defaultRule` ### `defaultRule`
_Optional, Default=```Host(`{{ normalize .Name }}`)```_ _Optional, Default=```Host(`{{ normalize .Name }}`)```_
The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.
It must be a valid [Go template](https://golang.org/pkg/text/template/), and can use
[sprig template functions](http://masterminds.github.io/sprig/).
The container service name can be accessed with the `Name` identifier,
and the template has access to all the labels defined on this container.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.docker] [providers.docker]
defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)" defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
@ -440,16 +450,12 @@ providers:
# ... # ...
``` ```
For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
It must be a valid [Go template](https://golang.org/pkg/text/template/),
augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
The container service name can be accessed as the `Name` identifier,
and the template has access to all the labels defined on this container.
### `swarmMode` ### `swarmMode`
_Optional, Default=false_ _Optional, Default=false_
Enables the Swarm Mode (instead of standalone Docker).
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.docker] [providers.docker]
swarmMode = true swarmMode = true
@ -468,12 +474,12 @@ providers:
# ... # ...
``` ```
Activates the Swarm Mode (instead of standalone Docker).
### `swarmModeRefreshSeconds` ### `swarmModeRefreshSeconds`
_Optional, Default=15_ _Optional, Default=15_
Defines the polling interval (in seconds) for Swarm Mode.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.docker] [providers.docker]
swarmModeRefreshSeconds = 30 swarmModeRefreshSeconds = 30
@ -492,12 +498,12 @@ providers:
# ... # ...
``` ```
Defines the polling interval (in seconds) in Swarm Mode.
### `httpClientTimeout` ### `httpClientTimeout`
_Optional, Default=0_ _Optional, Default=0_
Defines the client timeout (in seconds) for HTTP connections. If its value is `0`, no timeout is set.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.docker] [providers.docker]
httpClientTimeout = 300 httpClientTimeout = 300
@ -516,12 +522,12 @@ providers:
# ... # ...
``` ```
Defines the client timeout (in seconds) for HTTP connections. If zero, no timeout is set.
### `watch` ### `watch`
_Optional, Default=true_ _Optional, Default=true_
Watch Docker Swarm events.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.docker] [providers.docker]
watch = false watch = false
@ -540,35 +546,16 @@ providers:
# ... # ...
``` ```
Watch Docker Swarm events.
### `constraints` ### `constraints`
_Optional, Default=""_ _Optional, Default=""_
```toml tab="File (TOML)" The `constraints` option can be set to an expression that Traefik matches against the container tags to determine whether
[providers.docker] to create any route for that container. If none of the container tags match the expression, no route for that container is
constraints = "Label(`a.label.name`,`foo`)" created. If the expression is empty, all detected containers are included.
# ...
```
```yaml tab="File (YAML)" The expression syntax is based on the ```Tag(`tag`)```, and ```TagRegex(`tag`)``` functions,
providers: as well as the usual boolean logic, as shown in examples below.
docker:
constraints: "Label(`a.label.name`,`foo`)"
# ...
```
```bash tab="CLI"
--providers.docker.constraints=Label(`a.label.name`,`foo`)
# ...
```
Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
That is to say, if none of the container's labels match the expression, no route for the container is created.
If the expression is empty, all detected containers are included.
The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as the usual boolean logic, as shown in examples below.
??? example "Constraints Expression Examples" ??? example "Constraints Expression Examples"
@ -602,7 +589,25 @@ The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("
constraints = "LabelRegex(`a.label.name`, `a.+`)" constraints = "LabelRegex(`a.label.name`, `a.+`)"
``` ```
See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery). For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
```toml tab="File (TOML)"
[providers.docker]
constraints = "Label(`a.label.name`,`foo`)"
# ...
```
```yaml tab="File (YAML)"
providers:
docker:
constraints: "Label(`a.label.name`,`foo`)"
# ...
```
```bash tab="CLI"
--providers.docker.constraints=Label(`a.label.name`,`foo`)
# ...
```
### `tls` ### `tls`
@ -610,7 +615,7 @@ _Optional_
#### `tls.ca` #### `tls.ca`
Certificate Authority used for the secured connection to Docker. Certificate Authority used for the secure connection to Docker.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.docker.tls] [providers.docker.tls]
@ -630,12 +635,15 @@ providers:
#### `tls.caOptional` #### `tls.caOptional`
Policy followed for the secured connection with TLS Client Authentication to Docker. The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Docker.
Requires `tls.ca` to be defined.
- `true`: VerifyClientCertIfGiven !!! warning ""
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.docker.tls] [providers.docker.tls]
@ -655,7 +663,7 @@ providers:
#### `tls.cert` #### `tls.cert`
Public certificate used for the secured connection to Docker. Public certificate used for the secure connection to Docker.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.docker.tls] [providers.docker.tls]
@ -678,7 +686,7 @@ providers:
#### `tls.key` #### `tls.key`
Private certificate used for the secured connection to Docker. Private certificate used for the secure connection to Docker.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.docker.tls] [providers.docker.tls]
@ -701,7 +709,7 @@ providers:
#### `tls.insecureSkipVerify` #### `tls.insecureSkipVerify`
If `insecureSkipVerify` is `true`, TLS for the connection to Docker accepts any certificate presented by the server and any host name in that certificate. If `insecureSkipVerify` is `true`, the TLS connection to Docker accepts any certificate presented by the server regardless of the hostnames it covers.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.docker.tls] [providers.docker.tls]

View file

@ -52,12 +52,17 @@ Traefik needs the following policy to read ECS information:
} }
``` ```
## Provider configuration ## Provider Configuration
### `autoDiscoverClusters` ### `autoDiscoverClusters`
_Optional, Default=false_ _Optional, Default=false_
Search for services in cluster list.
- If set to `true` service discovery is disabled on configured clusters, but enabled for all other clusters.
- If set to `false` service discovery is enabled on configured clusters only.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.ecs] [providers.ecs]
autoDiscoverClusters = true autoDiscoverClusters = true
@ -76,15 +81,12 @@ providers:
# ... # ...
``` ```
Search for services in clusters list.
- If set to `true` the configured clusters will be ignored and the clusters will be discovered.
- If set to `false` the services will be discovered only in configured clusters.
### `clusters` ### `clusters`
_Optional, Default=["default"]_ _Optional, Default=["default"]_
Search for services in cluster list.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.ecs] [providers.ecs]
clusters = ["default"] clusters = ["default"]
@ -104,12 +106,14 @@ providers:
# ... # ...
``` ```
Search for services in clusters list.
### `exposedByDefault` ### `exposedByDefault`
_Optional, Default=true_ _Optional, Default=true_
Expose ECS services by default in Traefik.
If set to `false`, services that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.ecs] [providers.ecs]
exposedByDefault = false exposedByDefault = false
@ -128,13 +132,17 @@ providers:
# ... # ...
``` ```
Expose ECS services by default in Traefik.
If set to false, services that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
### `defaultRule` ### `defaultRule`
_Optional, Default=```Host(`{{ normalize .Name }}`)```_ _Optional, Default=```Host(`{{ normalize .Name }}`)```_
The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.
It must be a valid [Go template](https://golang.org/pkg/text/template/), and can use
[sprig template functions](http://masterminds.github.io/sprig/).
The container service name can be accessed with the `Name` identifier,
and the template has access to all the labels defined on this container.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.ecs] [providers.ecs]
defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)" defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
@ -153,16 +161,12 @@ providers:
# ... # ...
``` ```
For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
It must be a valid [Go template](https://golang.org/pkg/text/template/),
augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
The service name can be accessed as the `Name` identifier,
and the template has access to all the labels defined on this container.
### `refreshSeconds` ### `refreshSeconds`
_Optional, Default=15_ _Optional, Default=15_
Polling interval (in seconds).
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.ecs] [providers.ecs]
refreshSeconds = 15 refreshSeconds = 15
@ -181,12 +185,19 @@ providers:
# ... # ...
``` ```
Polling interval (in seconds).
### Credentials ### Credentials
_Optional_ _Optional_
If `region` is not provided, it is resolved from the EC2 metadata endpoint for EC2 tasks.
In a FARGATE context it is resolved from the `AWS_REGION` environment variable.
If `accessKeyID` and `secretAccessKey` are not provided, credentials are resolved in the following order:
- Using the environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
- Using shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to `default` and `~/.aws/credentials`.
- Using EC2 instance role or ECS task role
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.ecs] [providers.ecs]
region = "us-east-1" region = "us-east-1"
@ -209,12 +220,3 @@ providers:
--providers.ecs.secretAccessKey="123" --providers.ecs.secretAccessKey="123"
# ... # ...
``` ```
If `region` is not provided, it will be resolved from the EC2 metadata endpoint for EC2 tasks.
In a FARGATE context it will be resolved from the `AWS_REGION` env variable.
If `accessKeyID` / `secretAccessKey` are not provided, credentials will be resolved in the following order:
- From environment variables `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY`, and `AWS_SESSION_TOKEN`.
- Shared credentials, determined by `AWS_PROFILE` and `AWS_SHARED_CREDENTIALS_FILE`, defaults to default and `~/.aws/credentials`.
- EC2 instance role or ECS task role

View file

@ -3,7 +3,7 @@
A Story of KV store & Containers A Story of KV store & Containers
{: .subtitle } {: .subtitle }
Store your configuration in Etcd and let Traefik do the rest! Store your configuration in etcd and let Traefik do the rest!
## Routing Configuration ## Routing Configuration
@ -15,7 +15,7 @@ See the dedicated section in [routing](../routing/providers/kv.md).
_Required, Default="127.0.0.1:2379"_ _Required, Default="127.0.0.1:2379"_
Defines how to access to Etcd. Defines how to access etcd.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.etcd] [providers.etcd]
@ -35,10 +35,10 @@ providers:
### `rootKey` ### `rootKey`
Defines the root key of the configuration.
_Required, Default="traefik"_ _Required, Default="traefik"_
Defines the root key of the configuration.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.etcd] [providers.etcd]
rootKey = "traefik" rootKey = "traefik"
@ -56,10 +56,10 @@ providers:
### `username` ### `username`
Defines a username to connect with Etcd.
_Optional, Default=""_ _Optional, Default=""_
Defines a username with which to connect to etcd.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.etcd] [providers.etcd]
# ... # ...
@ -81,7 +81,7 @@ providers:
_Optional, Default=""_ _Optional, Default=""_
Defines a password to connect with Etcd. Defines a password with which to connect to etcd.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.etcd] [providers.etcd]
@ -106,7 +106,7 @@ _Optional_
#### `tls.ca` #### `tls.ca`
Certificate Authority used for the secured connection to Etcd. Certificate Authority used for the secure connection to etcd.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.etcd.tls] [providers.etcd.tls]
@ -126,12 +126,15 @@ providers:
#### `tls.caOptional` #### `tls.caOptional`
Policy followed for the secured connection with TLS Client Authentication to Etcd. The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to etcd.
Requires `tls.ca` to be defined.
- `true`: VerifyClientCertIfGiven !!! warning ""
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.etcd.tls] [providers.etcd.tls]
@ -151,7 +154,7 @@ providers:
#### `tls.cert` #### `tls.cert`
Public certificate used for the secured connection to Etcd. Public certificate used for the secure connection to etcd.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.etcd.tls] [providers.etcd.tls]
@ -174,7 +177,7 @@ providers:
#### `tls.key` #### `tls.key`
Private certificate used for the secured connection to Etcd. Private certificate used for the secure connection to etcd.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.etcd.tls] [providers.etcd.tls]
@ -197,7 +200,7 @@ providers:
#### `tls.insecureSkipVerify` #### `tls.insecureSkipVerify`
If `insecureSkipVerify` is `true`, TLS for the connection to Etcd accepts any certificate presented by the server and any host name in that certificate. If `insecureSkipVerify` is `true`, the TLS connection to etcd accepts any certificate presented by the server regardless of the hostnames it covers.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.etcd.tls] [providers.etcd.tls]

View file

@ -4,16 +4,16 @@ Good Old Configuration File
{: .subtitle } {: .subtitle }
The file provider lets you define the [dynamic configuration](./overview.md) in a TOML or YAML file. The file provider lets you define the [dynamic configuration](./overview.md) in a TOML or YAML file.
You can write one of these mutually exclusive configuration elements:
* In [a dedicated file](#filename) It supports providing configuration through a [single configuration file]](#filename) or [multiple separate files](#directory).
* In [several dedicated files](#directory)
!!! info !!! info
The file provider is the default format used throughout the documentation to show samples of the configuration for many features. The file provider is the default format used throughout the documentation to show samples of the configuration for many features.
!!! tip !!! tip
The file provider can be a good location for common elements you'd like to re-use from other providers; e.g. declaring whitelist middlewares, basic authentication, ...
The file provider can be a good solution for reusing common elements from other providers (e.g. declaring whitelist middlewares, basic authentication, ...)
## Configuration Examples ## Configuration Examples
@ -98,7 +98,7 @@ You can write one of these mutually exclusive configuration elements:
## Provider Configuration ## Provider Configuration
If you're in a hurry, maybe you'd rather go through the [dynamic configuration](../reference/dynamic-configuration/file.md) references and the [static configuration](../reference/static-configuration/overview.md). For an overview of all the options that can be set with the file provider, see the [dynamic configuration](../reference/dynamic-configuration/file.md) and [static configuration](../reference/static-configuration/overview.md) references.
!!! warning "Limitations" !!! warning "Limitations"
@ -107,13 +107,13 @@ If you're in a hurry, maybe you'd rather go through the [dynamic configuration](
If you use a mounted/bound file system in your orchestrator (like docker or kubernetes), the way the files are linked may be a source of errors. If you use a mounted/bound file system in your orchestrator (like docker or kubernetes), the way the files are linked may be a source of errors.
If the link between the file systems is broken, when a source file/directory is changed/renamed, nothing will be reported to the linked file/directory, so the file system notifications will be neither triggered nor caught. If the link between the file systems is broken, when a source file/directory is changed/renamed, nothing will be reported to the linked file/directory, so the file system notifications will be neither triggered nor caught.
For example, in docker, if the host file is renamed, the link to the mounted file will be broken and the container's file will not be updated. For example, in Docker, if the host file is renamed, the link to the mounted file is broken and the container's file is no longer updated.
To avoid this kind of issue, a good practice is to: To avoid this kind of issue, it is recommended to:
* set the Traefik [**directory**](#directory) configuration with the parent directory * set the Traefik [**directory**](#directory) configuration with the parent directory
* mount/bind the parent directory * mount/bind the parent directory
As it is very difficult to listen to all file system notifications, Traefik use [fsnotify](https://github.com/fsnotify/fsnotify). As it is very difficult to listen to all file system notifications, Traefik uses [fsnotify](https://github.com/fsnotify/fsnotify).
If using a directory with a mounted directory does not fix your issue, please check your file system compatibility with fsnotify. If using a directory with a mounted directory does not fix your issue, please check your file system compatibility with fsnotify.
### `filename` ### `filename`
@ -121,8 +121,9 @@ If you're in a hurry, maybe you'd rather go through the [dynamic configuration](
Defines the path to the configuration file. Defines the path to the configuration file.
!!! warning "" !!! warning ""
`filename` and `directory` are mutually exclusive.
The recommendation is to use `directory`. The `filename` and `directory` options are mutually exclusive.
It is recommended to use `directory`.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers] [providers]
@ -145,8 +146,9 @@ providers:
Defines the path to the directory that contains the configuration files. Defines the path to the directory that contains the configuration files.
!!! warning "" !!! warning ""
`filename` and `directory` are mutually exclusive.
The recommendation is to use `directory`. The `filename` and `directory` options are mutually exclusive.
It is recommended to use `directory`.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers] [providers]
@ -191,14 +193,15 @@ providers:
### Go Templating ### Go Templating
!!! warning !!! warning
Go Templating only works with dedicated dynamic configuration files. Go Templating only works with dedicated dynamic configuration files.
Templating does not work in the Traefik main static configuration file. Templating does not work in the Traefik main static configuration file.
Traefik supports using Go templating to automatically generate repetitive portions of configuration files. Traefik supports using Go templating to automatically generate repetitive sections of configuration files.
These sections must be valid [Go templates](https://golang.org/pkg/text/template/), These sections must be a valid [Go template](https://golang.org/pkg/text/template/), and can use
augmented with the [Sprig template functions](http://masterminds.github.io/sprig/). [sprig template functions](http://masterminds.github.io/sprig/).
To illustrate, it's possible to easily define multiple routers, services, and TLS certificates as described in the following examples: To illustrate, it is possible to easily define multiple routers, services, and TLS certificates as described in the following examples:
??? example "Configuring Using Templating" ??? example "Configuring Using Templating"
@ -212,7 +215,6 @@ To illustrate, it's possible to easily define multiple routers, services, and TL
# ... # ...
{{ end }} {{ end }}
[http.services] [http.services]
{{ range $i, $e := until 100 }} {{ range $i, $e := until 100 }}
[http.services.service{{ $e }}] [http.services.service{{ $e }}]
@ -227,7 +229,6 @@ To illustrate, it's possible to easily define multiple routers, services, and TL
# ... # ...
{{ end }} {{ end }}
[tcp.services] [tcp.services]
{{ range $i, $e := until 100 }} {{ range $i, $e := until 100 }}
[http.services.service{{ $e }}] [http.services.service{{ $e }}]

View file

@ -1,6 +1,6 @@
# Traefik & HTTP # Traefik & HTTP
Provide your [dynamic configuration](./overview.md) via an HTTP(s) endpoint and let Traefik do the rest! Provide your [dynamic configuration](./overview.md) via an HTTP(S) endpoint and let Traefik do the rest!
## Routing Configuration ## Routing Configuration
@ -12,7 +12,7 @@ The HTTP provider uses the same configuration as the [File Provider](./file.md)
_Required_ _Required_
Defines the HTTP(s) endpoint to poll. Defines the HTTP(S) endpoint to poll.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.http] [providers.http]
@ -78,7 +78,7 @@ _Optional_
#### `tls.ca` #### `tls.ca`
Certificate Authority used for the secured connection to the configured Endpoint. Certificate Authority used for the secure connection to the configured endpoint.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.http.tls] [providers.http.tls]
@ -98,12 +98,15 @@ providers:
#### `tls.caOptional` #### `tls.caOptional`
Policy followed for the secured connection with TLS Client Authentication to the configured Endpoint. The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to the configured endpoint.
Requires `tls.ca` to be defined.
- `true`: VerifyClientCertIfGiven !!! warning ""
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.http.tls] [providers.http.tls]
@ -123,7 +126,7 @@ providers:
#### `tls.cert` #### `tls.cert`
Public certificate used for the secured connection to the configured Endpoint. Public certificate used for the secure connection to the configured endpoint.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.http.tls] [providers.http.tls]
@ -146,7 +149,7 @@ providers:
#### `tls.key` #### `tls.key`
Private certificate used for the secured connection to the configured Endpoint. Private certificate used for the secure connection to the configured endpoint.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.http.tls] [providers.http.tls]
@ -169,8 +172,7 @@ providers:
#### `tls.insecureSkipVerify` #### `tls.insecureSkipVerify`
If `insecureSkipVerify` is `true`, TLS connection to the configured Endpoint accepts any certificate presented by the If `insecureSkipVerify` is `true`, the TLS connection to the endpoint accepts any certificate presented by the server regardless of the hostnames it covers.
server and any host name in that certificate.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.http.tls] [providers.http.tls]

View file

@ -3,10 +3,11 @@
The Kubernetes Ingress Controller, The Custom Resource Way. The Kubernetes Ingress Controller, The Custom Resource Way.
{: .subtitle } {: .subtitle }
Traefik used to support Kubernetes only through the [Kubernetes Ingress provider](./kubernetes-ingress.md), which is a Kubernetes Ingress controller in the strict sense of the term. In early versions, Traefik supported Kubernetes only through the [Kubernetes Ingress provider](./kubernetes-ingress.md), which is a Kubernetes Ingress controller in the strict sense of the term.
However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations, However, as the community expressed the need to benefit from Traefik features without resorting to (lots of) annotations,
we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/) (alias CRD in the following) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster. the Traefik engineering team developed a [Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
(CRD) for an IngressRoute type, defined below, in order to provide a better way to configure access to a Kubernetes cluster.
## Configuration Requirements ## Configuration Requirements
@ -17,7 +18,7 @@ we ended up writing a [Custom Resource Definition](https://kubernetes.io/docs/co
* Use [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart) or use a custom Traefik Deployment * Use [Helm Chart](../getting-started/install-traefik.md#use-the-helm-chart) or use a custom Traefik Deployment
* Enable the kubernetesCRD provider * Enable the kubernetesCRD provider
* Apply the needed kubernetesCRD provider [configuration](#provider-configuration) * Apply the needed kubernetesCRD provider [configuration](#provider-configuration)
* Add all needed traefik custom [resources](../reference/dynamic-configuration/kubernetes-crd.md#resources) * Add all necessary Traefik custom [resources](../reference/dynamic-configuration/kubernetes-crd.md#resources)
??? example "Initializing Resource Definition and RBAC" ??? example "Initializing Resource Definition and RBAC"
@ -37,13 +38,11 @@ Traefik uses [Custom Resource Definition](https://kubernetes.io/docs/concepts/ex
Traefik Custom Resource Definitions are a Kubernetes implementation of the Traefik concepts. The main particularities are: Traefik Custom Resource Definitions are a Kubernetes implementation of the Traefik concepts. The main particularities are:
* The usage of `name` **and** `namespace` to refer to another Kubernetes resource. * The usage of `name` **and** `namespace` to refer to another Kubernetes resource.
* The usage of [secret](https://kubernetes.io/docs/concepts/configuration/secret/) for sensible data like: * The usage of [secret](https://kubernetes.io/docs/concepts/configuration/secret/) for sensitive data (TLS certificates and credentials).
* TLS certificate.
* Authentication data.
* The structure of the configuration. * The structure of the configuration.
* The obligation to declare all the [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions). * The requirement to declare all the [definitions](../reference/dynamic-configuration/kubernetes-crd.md#definitions).
The Traefik CRD are building blocks which you can assemble according to your needs. The Traefik CRDs are building blocks that you can assemble according to your needs.
See the list of CRDs in the dedicated [routing section](../routing/providers/kubernetes-crd.md). See the list of CRDs in the dedicated [routing section](../routing/providers/kubernetes-crd.md).
## LetsEncrypt Support with the Custom Resource Definition Provider ## LetsEncrypt Support with the Custom Resource Definition Provider
@ -51,23 +50,36 @@ See the list of CRDs in the dedicated [routing section](../routing/providers/kub
By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration. By design, Traefik is a stateless application, meaning that it only derives its configuration from the environment it runs in, without additional configuration.
For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the kubernetes ecosystem. For this reason, users can run multiple instances of Traefik at the same time to achieve HA, as is a common pattern in the kubernetes ecosystem.
When using a single instance of Traefik with LetsEncrypt, no issues should be encountered, however this could be a single point of failure. When using a single instance of Traefik with Let's Encrypt, you should encounter no issues. However, this could be a single point of failure.
Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses. Unfortunately, it is not possible to run multiple instances of Traefik Proxy 2.0 with Let's Encrypt enabled, because there is no way to ensure that the correct instance of Traefik will receive the challenge request and subsequent responses.
Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance was dropped as a feature in 2.0. Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this, but due to sub-optimal performance that feature was dropped in 2.0.
If you require LetsEncrypt with HA in a kubernetes environment, we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/) where distributed LetsEncrypt is a supported feature. If you need Let's Encrypt with HA in a Kubernetes environment, we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/), which includes distributed Let's Encrypt as a supported feature.
If you want to continue to run Traefik Community Edition, LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html). If you want to keep using Traefik Proxy, high availability for Let's Encrypt can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
When using Cert-Manager to manage certificates, it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls). When using Cert-Manager to manage certificates, it creates secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot interface directly with the CRDs _yet_, but this is being worked on by our team. When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot yet interface directly with the CRDs.
A workaround is to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges. A workaround is to enable the [Kubernetes Ingress provider](./kubernetes-ingress.md) to allow Cert-Manager to create ingress objects to complete the challenges.
Please note that this still requires manual intervention to create the certificates through Cert-Manager, but once created, Cert-Manager will keep the certificate renewed. Please note that this still requires manual intervention to create the certificates through Cert-Manager, but once the certificates are created, Cert-Manager keeps them renewed.
## Provider Configuration ## Provider Configuration
### `endpoint` ### `endpoint`
_Optional, Default=empty_ _Optional, Default=""_
The Kubernetes server endpoint URL.
When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
Both are mounted automatically when deployed inside Kubernetes.
The endpoint may be specified to override the environment variable values inside a cluster.
When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
In this case, the endpoint is required.
Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesCRD] [providers.kubernetesCRD]
@ -86,22 +98,11 @@ providers:
--providers.kubernetescrd.endpoint=http://localhost:8080 --providers.kubernetescrd.endpoint=http://localhost:8080
``` ```
The Kubernetes server endpoint as URL.
When deployed into Kubernetes, Traefik will read the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
The access token will be looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
Both are provided mounted automatically when deployed inside Kubernetes.
The endpoint may be specified to override the environment variable values inside a cluster.
When the environment variables are not found, Traefik will try to connect to the Kubernetes API server with an external-cluster client.
In this case, the endpoint is required.
Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
### `token` ### `token`
_Optional, Default=empty_ _Optional, Default=""_
Bearer token used for the Kubernetes client configuration.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesCRD] [providers.kubernetesCRD]
@ -120,11 +121,12 @@ providers:
--providers.kubernetescrd.token=mytoken --providers.kubernetescrd.token=mytoken
``` ```
Bearer token used for the Kubernetes client configuration.
### `certAuthFilePath` ### `certAuthFilePath`
_Optional, Default=empty_ _Optional, Default=""_
Path to the certificate authority file.
Used for the Kubernetes client configuration.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesCRD] [providers.kubernetesCRD]
@ -143,12 +145,12 @@ providers:
--providers.kubernetescrd.certauthfilepath=/my/ca.crt --providers.kubernetescrd.certauthfilepath=/my/ca.crt
``` ```
Path to the certificate authority file.
Used for the Kubernetes client configuration.
### `namespaces` ### `namespaces`
_Optional, Default: all namespaces (empty array)_ _Optional, Default: []_
Array of namespaces to watch.
If left empty, watches all namespaces if the value of `namespaces`.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesCRD] [providers.kubernetesCRD]
@ -169,11 +171,20 @@ providers:
--providers.kubernetescrd.namespaces=default,production --providers.kubernetescrd.namespaces=default,production
``` ```
Array of namespaces to watch.
### `labelselector` ### `labelselector`
_Optional,Default: empty (process all resources)_ _Optional, Default: ""_
A label selector can be defined to filter on specific resource objects only,
this applies only to Traefik [Custom Resources](../routing/providers/kubernetes-crd.md#custom-resource-definition-crd)
and has no effect on Kubernetes `Secrets`, `Endpoints` and `Services`.
If left empty, Traefik processes all resource objects in the configured namespaces.
See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
!!! warning
Because the label selector is applied to all Traefik Custom Resources, they all must match the filter.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesCRD] [providers.kubernetesCRD]
@ -192,20 +203,14 @@ providers:
--providers.kubernetescrd.labelselector="app=traefik" --providers.kubernetescrd.labelselector="app=traefik"
``` ```
By default, Traefik processes all resource objects in the configured namespaces.
A label selector can be defined to filter on specific resource objects only,
this will apply only on Traefik [Custom Resources](../routing/providers/kubernetes-crd.md#custom-resource-definition-crd)
and has no effect on Kubernetes `Secrets`, `Endpoints` and `Services`.
See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
!!! warning
As the LabelSelector is applied to all Traefik Custom Resources, they all must match the filter.
### `ingressClass` ### `ingressClass`
_Optional, Default: empty_ _Optional, Default: ""_
Value of `kubernetes.io/ingress.class` annotation that identifies resource objects to be processed.
If the parameter is set, only resources containing an annotation with the same value are processed.
Otherwise, resources missing the annotation, having an empty value, or the value `traefik` are processed.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesCRD] [providers.kubernetesCRD]
@ -224,14 +229,17 @@ providers:
--providers.kubernetescrd.ingressclass=traefik-internal --providers.kubernetescrd.ingressclass=traefik-internal
``` ```
Value of `kubernetes.io/ingress.class` annotation that identifies resource objects to be processed.
If the parameter is non-empty, only resources containing an annotation with the same value are processed.
Otherwise, resources missing the annotation, having an empty value, or the value `traefik` are processed.
### `throttleDuration` ### `throttleDuration`
_Optional, Default: 0 (no throttling)_ _Optional, Default: 0_
The `throttleDuration` option defines how often the provider is allowed to handle events from Kubernetes. This prevents
a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.
If left empty, the provider does not apply any throttling and does not drop any Kubernetes events.
The value of `throttleDuration` should be provided in seconds or as a valid duration format,
see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesCRD] [providers.kubernetesCRD]
@ -254,6 +262,12 @@ providers:
_Optional, Default: true_ _Optional, Default: true_
If the parameter is set to `false`, IngressRoutes are not able to reference any resources in other namespaces than theirs.
!!! warning "Deprecation"
Please note that the default value for this option will be set to `false` in a future version.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesCRD] [providers.kubernetesCRD]
allowCrossNamespace = false allowCrossNamespace = false
@ -271,13 +285,6 @@ providers:
--providers.kubernetescrd.allowCrossNamespace=false --providers.kubernetescrd.allowCrossNamespace=false
``` ```
If the parameter is set to `false`, an IngressRoute will not be able to reference any resources ## Full Example
in another namespace than the IngressRoute namespace.
!!! warning "Deprecation" For additional information, refer to the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.
Please notice that the default value for this option will be set to `false` in a future version.
## Further
Also see the [full example](../user-guides/crd-acme/index.md) with Let's Encrypt.

View file

@ -3,17 +3,17 @@
The Kubernetes Gateway API, The Experimental Way. The Kubernetes Gateway API, The Experimental Way.
{: .subtitle } {: .subtitle }
Gateway API is the evolution of Kubernetes APIs that relate to `Services`, e.g. `Ingress`. Gateway API is the evolution of Kubernetes APIs that relate to `Services`, such as `Ingress`.
The Gateway API project is part of Kubernetes, working under SIG-NETWORK. The Gateway API project is part of Kubernetes, working under SIG-NETWORK.
The Kubernetes Gateway provider is a Traefik implementation of the [service apis](https://github.com/kubernetes-sigs/service-apis) The Kubernetes Gateway provider is a Traefik implementation of the [Service APIs](https://kubernetes-sigs.github.io/service-apis/)
specifications from the Kubernetes SIGs. specifications from the Kubernetes Special Interest Groups (SIGs).
This provider is proposed as an experimental feature and partially supports the service apis [v0.1.0](https://github.com/kubernetes-sigs/service-apis/releases/tag/v0.1.0) specification. This provider is proposed as an experimental feature and partially supports the Service APIs [v0.1.0](https://github.com/kubernetes-sigs/service-apis/releases/tag/v0.1.0) specification.
!!! warning "Enabling The Experimental Kubernetes Gateway Provider" !!! warning "Enabling The Experimental Kubernetes Gateway Provider"
As this provider is in experimental stage, it needs to be activated in the experimental section of the static configuration. Since this provider is still experimental, it needs to be activated in the experimental section of the static configuration.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[experimental] [experimental]
@ -71,12 +71,15 @@ This provider is proposed as an experimental feature and partially supports the
--8<-- "content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml" --8<-- "content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml"
``` ```
The Kubernetes Service APIs provides several [guides](https://kubernetes-sigs.github.io/service-apis/guides/) of how to use their API. The Kubernetes Service APIs project provides several [guides](https://kubernetes-sigs.github.io/service-apis/guides/) on how to use the APIs.
Those guides will help you to go further than the example above. These guides can help you to go further than the example above.
The [getting started](https://kubernetes-sigs.github.io/service-apis/getting-started/) show you how to install the CRDs from their repository. The [getting started guide](https://kubernetes-sigs.github.io/service-apis/getting-started/) details how to install the CRDs from their repository.
Thus, keep in mind that the Traefik Gateway provider only supports the `v0.1.0`.
For now, the Traefik Gateway Provider could be used to achieve the following set-up guides: !!! note ""
Keep in mind that the Traefik Gateway provider only supports the `v0.1.0`.
For now, the Traefik Gateway Provider can be used while following the below guides:
* [Simple Gateway](https://kubernetes-sigs.github.io/service-apis/simple-gateway/) * [Simple Gateway](https://kubernetes-sigs.github.io/service-apis/simple-gateway/)
* [HTTP routing](https://kubernetes-sigs.github.io/service-apis/http-routing/) * [HTTP routing](https://kubernetes-sigs.github.io/service-apis/http-routing/)
@ -84,9 +87,8 @@ For now, the Traefik Gateway Provider could be used to achieve the following set
## Resource Configuration ## Resource Configuration
When using Kubernetes Gateway API as a provider, When using Kubernetes Gateway API as a provider, Traefik uses Kubernetes
Traefik uses Kubernetes [Custom Resource Definitions](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
[Custom Resource Definition](https://kubernetes.io/docs/concepts/extend-kubernetes/api-extension/custom-resources/)
to retrieve its routing configuration. to retrieve its routing configuration.
All concepts can be found in the official API concepts [documentation](https://kubernetes-sigs.github.io/service-apis/api-overview/). All concepts can be found in the official API concepts [documentation](https://kubernetes-sigs.github.io/service-apis/api-overview/).
@ -100,7 +102,20 @@ Traefik implements the following resources:
### `endpoint` ### `endpoint`
_Optional, Default=empty_ _Optional, Default=""_
The Kubernetes server endpoint URL.
When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
Both are mounted automatically when deployed inside Kubernetes.
The endpoint may be specified to override the environment variable values inside a cluster.
When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
In this case, the endpoint is required.
Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesGateway] [providers.kubernetesGateway]
@ -119,22 +134,11 @@ providers:
--providers.kubernetesgateway.endpoint=http://localhost:8080 --providers.kubernetesgateway.endpoint=http://localhost:8080
``` ```
The Kubernetes server endpoint as URL.
When deployed into Kubernetes, Traefik will read the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
The access token will be looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
Both are mounted automatically when deployed inside Kubernetes.
The endpoint may be specified to override the environment variable values inside a cluster.
When the environment variables are not found, Traefik will try to connect to the Kubernetes API server with an external-cluster client.
In this case, the endpoint is required.
Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
### `token` ### `token`
_Optional, Default=empty_ _Optional, Default=""_
Bearer token used for the Kubernetes client configuration.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesGateway] [providers.kubernetesGateway]
@ -153,11 +157,12 @@ providers:
--providers.kubernetesgateway.token=mytoken --providers.kubernetesgateway.token=mytoken
``` ```
Bearer token used for the Kubernetes client configuration.
### `certAuthFilePath` ### `certAuthFilePath`
_Optional, Default=empty_ _Optional, Default=""_
Path to the certificate authority file.
Used for the Kubernetes client configuration.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesGateway] [providers.kubernetesGateway]
@ -176,12 +181,12 @@ providers:
--providers.kubernetesgateway.certauthfilepath=/my/ca.crt --providers.kubernetesgateway.certauthfilepath=/my/ca.crt
``` ```
Path to the certificate authority file.
Used for the Kubernetes client configuration.
### `namespaces` ### `namespaces`
_Optional, Default: all namespaces (empty array)_ _Optional, Default: []_
Array of namespaces to watch.
If left empty, watches all namespaces if the value of `namespaces`.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesGateway] [providers.kubernetesGateway]
@ -202,11 +207,14 @@ providers:
--providers.kubernetesgateway.namespaces=default,production --providers.kubernetesgateway.namespaces=default,production
``` ```
Array of namespaces to watch.
### `labelselector` ### `labelselector`
_Optional, Default: empty (process all resources)_ _Optional, Default: ""_
A label selector can be defined to filter on specific GatewayClass objects only.
If left empty, Traefik processes all GatewayClass objects in the configured namespaces.
See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesGateway] [providers.kubernetesGateway]
@ -225,14 +233,17 @@ providers:
--providers.kubernetesgateway.labelselector="app=traefik" --providers.kubernetesgateway.labelselector="app=traefik"
``` ```
By default, Traefik processes all resource objects in the configured namespaces.
A label selector can be defined to filter on specific GatewayClass objects only.
See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
### `throttleDuration` ### `throttleDuration`
_Optional, Default: 0 (no throttling)_ _Optional, Default: 0_
The `throttleDuration` option defines how often the provider is allowed to handle events from Kubernetes. This prevents
a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.
If left empty, the provider does not apply any throttling and does not drop any Kubernetes events.
The value of `throttleDuration` should be provided in seconds or as a valid duration format,
see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesGateway] [providers.kubernetesGateway]

View file

@ -12,7 +12,7 @@ See the dedicated section in [routing](../routing/providers/kubernetes-ingress.m
## Enabling and Using the Provider ## Enabling and Using the Provider
As usual, the provider is enabled through the static configuration: You can enable the provider in the static configuration:
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesIngress] [providers.kubernetesIngress]
@ -29,7 +29,7 @@ providers:
The provider then watches for incoming ingresses events, such as the example below, The provider then watches for incoming ingresses events, such as the example below,
and derives the corresponding dynamic configuration from it, and derives the corresponding dynamic configuration from it,
which in turn will create the resulting routers, services, handlers, etc. which in turn creates the resulting routers, services, handlers, etc.
```yaml tab="File (YAML)" ```yaml tab="File (YAML)"
kind: Ingress kind: Ingress
@ -61,26 +61,39 @@ without additional configuration.
For this reason, users can run multiple instances of Traefik at the same time to achieve HA, For this reason, users can run multiple instances of Traefik at the same time to achieve HA,
as is a common pattern in the kubernetes ecosystem. as is a common pattern in the kubernetes ecosystem.
When using a single instance of Traefik with LetsEncrypt, no issues should be encountered, When using a single instance of Traefik Proxy with Let's Encrypt, you should encounter no issues.
however this could be a single point of failure. However, this could be a single point of failure.
Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with LetsEncrypt enabled, Unfortunately, it is not possible to run multiple instances of Traefik 2.0 with Let's Encrypt enabled,
because there is no way to ensure that the correct instance of Traefik will receive the challenge request, and subsequent responses. because there is no way to ensure that the correct instance of Traefik receives the challenge request, and subsequent responses.
Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this, Previous versions of Traefik used a [KV store](https://doc.traefik.io/traefik/v1.7/configuration/acme/#storage) to attempt to achieve this,
but due to sub-optimal performance was dropped as a feature in 2.0. but due to sub-optimal performance that feature was dropped in 2.0.
If you require LetsEncrypt with HA in a kubernetes environment, If you need Let's Encrypt with high availability in a Kubernetes environment,
we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/) where distributed LetsEncrypt is a supported feature. we recommend using [Traefik Enterprise](https://traefik.io/traefik-enterprise/) which includes distributed Let's Encrypt as a supported feature.
If you are wanting to continue to run Traefik Community Edition, If you want to keep using Traefik Proxy,
LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html). LetsEncrypt HA can be achieved by using a Certificate Controller such as [Cert-Manager](https://docs.cert-manager.io/en/latest/index.html).
When using Cert-Manager to manage certificates, When using Cert-Manager to manage certificates,
it will create secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls). it creates secrets in your namespaces that can be referenced as TLS secrets in your [ingress objects](https://kubernetes.io/docs/concepts/services-networking/ingress/#tls).
## Provider Configuration ## Provider Configuration
### `endpoint` ### `endpoint`
_Optional, Default=empty_ _Optional, Default=""_
The Kubernetes server endpoint URL.
When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
Both are mounted automatically when deployed inside Kubernetes.
The endpoint may be specified to override the environment variable values inside a cluster.
When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
In this case, the endpoint is required.
Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication and authorization of the associated kubeconfig.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesIngress] [providers.kubernetesIngress]
@ -99,21 +112,11 @@ providers:
--providers.kubernetesingress.endpoint=http://localhost:8080 --providers.kubernetesingress.endpoint=http://localhost:8080
``` ```
The Kubernetes server endpoint as URL, which is only used when the behavior based on environment variables described below does not apply.
When deployed into Kubernetes, Traefik reads the environment variables `KUBERNETES_SERVICE_HOST` and `KUBERNETES_SERVICE_PORT` or `KUBECONFIG` to construct the endpoint.
The access token is looked up in `/var/run/secrets/kubernetes.io/serviceaccount/token` and the SSL CA certificate in `/var/run/secrets/kubernetes.io/serviceaccount/ca.crt`.
They are both provided automatically as mounts in the pod where Traefik is deployed.
When the environment variables are not found, Traefik tries to connect to the Kubernetes API server with an external-cluster client.
In which case, the endpoint is required.
Specifically, it may be set to the URL used by `kubectl proxy` to connect to a Kubernetes cluster using the granted authentication
and authorization of the associated kubeconfig.
### `token` ### `token`
_Optional, Default=empty_ _Optional, Default=""_
Bearer token used for the Kubernetes client configuration.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesIngress] [providers.kubernetesIngress]
@ -132,11 +135,12 @@ providers:
--providers.kubernetesingress.token=mytoken --providers.kubernetesingress.token=mytoken
``` ```
Bearer token used for the Kubernetes client configuration.
### `certAuthFilePath` ### `certAuthFilePath`
_Optional, Default=empty_ _Optional, Default=""_
Path to the certificate authority file.
Used for the Kubernetes client configuration.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesIngress] [providers.kubernetesIngress]
@ -155,12 +159,12 @@ providers:
--providers.kubernetesingress.certauthfilepath=/my/ca.crt --providers.kubernetesingress.certauthfilepath=/my/ca.crt
``` ```
Path to the certificate authority file.
Used for the Kubernetes client configuration.
### `namespaces` ### `namespaces`
_Optional, Default: all namespaces (empty array)_ _Optional, Default: []_
Array of namespaces to watch.
If left empty, watches all namespaces if the value of `namespaces`.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesIngress] [providers.kubernetesIngress]
@ -181,11 +185,14 @@ providers:
--providers.kubernetesingress.namespaces=default,production --providers.kubernetesingress.namespaces=default,production
``` ```
Array of namespaces to watch.
### `labelSelector` ### `labelSelector`
_Optional,Default: empty (process all Ingresses)_ _Optional, Default: ""_
A label selector can be defined to filter on specific Ingress objects only.
If left empty, Traefik processes all Ingress objects in the configured namespaces.
See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesIngress] [providers.kubernetesIngress]
@ -204,36 +211,14 @@ providers:
--providers.kubernetesingress.labelselector="app=traefik" --providers.kubernetesingress.labelselector="app=traefik"
``` ```
By default, Traefik processes all `Ingress` objects in the configured namespaces.
A label selector can be defined to filter on specific `Ingress` objects only.
See [label-selectors](https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/#label-selectors) for details.
### `ingressClass` ### `ingressClass`
_Optional, Default: empty_ _Optional, Default: ""_
```toml tab="File (TOML)"
[providers.kubernetesIngress]
ingressClass = "traefik-internal"
# ...
```
```yaml tab="File (YAML)"
providers:
kubernetesIngress:
ingressClass: "traefik-internal"
# ...
```
```bash tab="CLI"
--providers.kubernetesingress.ingressclass=traefik-internal
```
Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed. Value of `kubernetes.io/ingress.class` annotation that identifies Ingress objects to be processed.
If the parameter is non-empty, only Ingresses containing an annotation with the same value are processed. If the parameter is set, only Ingresses containing an annotation with the same value are processed.
Otherwise, Ingresses missing the annotation, having an empty value, or with the value `traefik` are processed. Otherwise, Ingresses missing the annotation, having an empty value, or the value `traefik` are processed.
!!! info "Kubernetes 1.18+" !!! info "Kubernetes 1.18+"
@ -269,11 +254,30 @@ Otherwise, Ingresses missing the annotation, having an empty value, or with the
servicePort: 80 servicePort: 80
``` ```
```toml tab="File (TOML)"
[providers.kubernetesIngress]
ingressClass = "traefik-internal"
# ...
```
```yaml tab="File (YAML)"
providers:
kubernetesIngress:
ingressClass: "traefik-internal"
# ...
```
```bash tab="CLI"
--providers.kubernetesingress.ingressclass=traefik-internal
```
### `ingressEndpoint` ### `ingressEndpoint`
#### `hostname` #### `hostname`
_Optional, Default: empty_ _Optional, Default: ""_
Hostname used for Kubernetes Ingress endpoints.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesIngress.ingressEndpoint] [providers.kubernetesIngress.ingressEndpoint]
@ -293,11 +297,11 @@ providers:
--providers.kubernetesingress.ingressendpoint.hostname=example.net --providers.kubernetesingress.ingressendpoint.hostname=example.net
``` ```
Hostname used for Kubernetes Ingress endpoints.
#### `ip` #### `ip`
_Optional, Default: empty_ _Optional, Default: ""_
IP used for Kubernetes Ingress endpoints.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesIngress.ingressEndpoint] [providers.kubernetesIngress.ingressEndpoint]
@ -317,11 +321,12 @@ providers:
--providers.kubernetesingress.ingressendpoint.ip=1.2.3.4 --providers.kubernetesingress.ingressendpoint.ip=1.2.3.4
``` ```
IP used for Kubernetes Ingress endpoints.
#### `publishedService` #### `publishedService`
_Optional, Default: empty_ _Optional, Default: ""_
Published Kubernetes Service to copy status from.
Format: `namespace/servicename`.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesIngress.ingressEndpoint] [providers.kubernetesIngress.ingressEndpoint]
@ -341,12 +346,17 @@ providers:
--providers.kubernetesingress.ingressendpoint.publishedservice=namespace/foo-service --providers.kubernetesingress.ingressendpoint.publishedservice=namespace/foo-service
``` ```
Published Kubernetes Service to copy status from.
Format: `namespace/servicename`.
### `throttleDuration` ### `throttleDuration`
_Optional, Default: 0 (no throttling)_ _Optional, Default: 0_
The `throttleDuration` option defines how often the provider is allowed to handle events from Kubernetes. This prevents
a Kubernetes cluster that updates many times per second from continuously changing your Traefik configuration.
If left empty, the provider does not apply any throttling and does not drop any Kubernetes events.
The value of `throttleDuration` should be provided in seconds or as a valid duration format,
see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.kubernetesIngress] [providers.kubernetesIngress]
@ -367,5 +377,5 @@ providers:
### Further ### Further
If one wants to know more about the various aspects of the Ingress spec that Traefik supports, To learn more about the various aspects of the Ingress specification that Traefik supports,
many examples of Ingresses definitions are located in the tests [data](https://github.com/traefik/traefik/tree/v2.4/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository. many examples of Ingresses definitions are located in the test [examples](https://github.com/traefik/traefik/tree/v2.4/pkg/provider/kubernetes/ingress/fixtures) of the Traefik repository.

View file

@ -3,13 +3,13 @@
Traefik can be configured to use Marathon as a provider. Traefik can be configured to use Marathon as a provider.
{: .subtitle } {: .subtitle }
See also [Marathon user guide](../user-guides/marathon.md). For additional information, refer to [Marathon user guide](../user-guides/marathon.md).
## Configuration Examples ## Configuration Examples
??? example "Configuring Marathon & Deploying / Exposing Applications" ??? example "Configuring Marathon & Deploying / Exposing Applications"
Enabling the marathon provider Enabling the Marathon provider
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon] [providers.marathon]
@ -24,7 +24,7 @@ See also [Marathon user guide](../user-guides/marathon.md).
--providers.marathon=true --providers.marathon=true
``` ```
Attaching labels to marathon applications Attaching labels to Marathon applications
```json ```json
{ {
@ -59,6 +59,8 @@ See the dedicated section in [routing](../routing/providers/marathon.md).
_Optional_ _Optional_
Enables Marathon basic authentication.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon.basic] [providers.marathon.basic]
httpBasicAuthUser = "foo" httpBasicAuthUser = "foo"
@ -78,12 +80,14 @@ providers:
--providers.marathon.basic.httpbasicpassword=bar --providers.marathon.basic.httpbasicpassword=bar
``` ```
Enables Marathon basic authentication.
### `dcosToken` ### `dcosToken`
_Optional_ _Optional_
Datacenter Operating System (DCOS) Token for DCOS environment.
If set, it overrides the Authorization header.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon] [providers.marathon]
dcosToken = "xxxxxx" dcosToken = "xxxxxx"
@ -101,14 +105,20 @@ providers:
--providers.marathon.dcosToken=xxxxxx --providers.marathon.dcosToken=xxxxxx
``` ```
DCOSToken for DCOS environment.
If set, it overrides the Authorization header.
### `defaultRule` ### `defaultRule`
_Optional, Default=```Host(`{{ normalize .Name }}`)```_ _Optional, Default=```Host(`{{ normalize .Name }}`)```_
The default host rule for all services.
For a given application, if no routing rule was defined by a label, it is defined by this `defaultRule` instead.
It must be a valid [Go template](https://golang.org/pkg/text/template/),
and can include [sprig template functions](http://masterminds.github.io/sprig/).
The app ID can be accessed with the `Name` identifier,
and the template has access to all the labels defined on this Marathon application.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon] [providers.marathon]
defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)" defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
@ -127,18 +137,16 @@ providers:
# ... # ...
``` ```
For a given application if no routing rule was defined by a label, it is defined by this defaultRule instead.
It must be a valid [Go template](https://golang.org/pkg/text/template/),
augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
The app ID can be accessed as the Name identifier,
and the template has access to all the labels defined on this Marathon application.
### `dialerTimeout` ### `dialerTimeout`
_Optional, Default=5s_ _Optional, Default=5s_
Amount of time the Marathon provider should wait before timing out,
when trying to open a TCP connection to a Marathon master.
The value of `dialerTimeout` should be provided in seconds or as a valid duration format,
see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon] [providers.marathon]
dialerTimeout = "10s" dialerTimeout = "10s"
@ -156,18 +164,14 @@ providers:
--providers.marathon.dialerTimeout=10s --providers.marathon.dialerTimeout=10s
``` ```
Overrides DialerTimeout.
Amount of time the Marathon provider should wait before timing out,
when trying to open a TCP connection to a Marathon master.
Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
or directly as a number of seconds.
### `endpoint` ### `endpoint`
_Optional, Default=http://127.0.0.1:8080_ _Optional, Default=http://127.0.0.1:8080_
Marathon server endpoint.
You can optionally specify multiple endpoints.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon] [providers.marathon]
endpoint = "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080" endpoint = "http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080"
@ -185,14 +189,16 @@ providers:
--providers.marathon.endpoint=http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080 --providers.marathon.endpoint=http://10.241.1.71:8080,10.241.1.72:8080,10.241.1.73:8080
``` ```
Marathon server endpoint.
You can optionally specify multiple endpoints:
### `exposedByDefault` ### `exposedByDefault`
_Optional, Default=true_ _Optional, Default=true_
Exposes Marathon applications by default through Traefik.
If set to `false`, applications that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon] [providers.marathon]
exposedByDefault = false exposedByDefault = false
@ -211,41 +217,18 @@ providers:
# ... # ...
``` ```
Exposes Marathon applications by default through Traefik.
If set to false, applications that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
### `constraints` ### `constraints`
_Optional, Default=""_ _Optional, Default=""_
```toml tab="File (TOML)" The `constraints` option can be set to an expression that Traefik matches against the application labels to determine whether
[providers.marathon] to create any route for that application. If none of the application labels match the expression, no route for that application is
constraints = "Label(`a.label.name`,`foo`)" created. In addition, the expression is also matched against the application constraints, such as described
# ... in [Marathon constraints](https://mesosphere.github.io/marathon/docs/constraints.html).
```
```yaml tab="File (YAML)"
providers:
marathon:
constraints: "Label(`a.label.name`,`foo`)"
# ...
```
```bash tab="CLI"
--providers.marathon.constraints=Label(`a.label.name`,`foo`)
# ...
```
Constraints is an expression that Traefik matches against the application's labels to determine whether to create any route for that application.
That is to say, if none of the application's labels match the expression, no route for the application is created.
In addition, the expression also matched against the application's constraints, such as described in [Marathon constraints](https://mesosphere.github.io/marathon/docs/constraints.html).
If the expression is empty, all detected applications are included. If the expression is empty, all detected applications are included.
The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")`, as well as the usual boolean logic. The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as the usual boolean logic.
In addition, to match against marathon constraints, the function `MarathonConstraint("field:operator:value")` can be used, where the field, operator, and value parts are joined together in a single string with the `:` separator. In addition, to match against Marathon constraints, the function `MarathonConstraint("field:operator:value")` can be used, where the field, operator, and value parts are concatenated in a single string using the `:` separator.
??? example "Constraints Expression Examples" ??? example "Constraints Expression Examples"
@ -289,12 +272,34 @@ In addition, to match against marathon constraints, the function `MarathonConstr
constraints = "MarathonConstraint(`A:B:C`) && Label(`a.label.name`, `value`)" constraints = "MarathonConstraint(`A:B:C`) && Label(`a.label.name`, `value`)"
``` ```
See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery). For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
```toml tab="File (TOML)"
[providers.marathon]
constraints = "Label(`a.label.name`,`foo`)"
# ...
```
```yaml tab="File (YAML)"
providers:
marathon:
constraints: "Label(`a.label.name`,`foo`)"
# ...
```
```bash tab="CLI"
--providers.marathon.constraints=Label(`a.label.name`,`foo`)
# ...
```
### `forceTaskHostname` ### `forceTaskHostname`
_Optional, Default=false_ _Optional, Default=false_
By default, the task IP address (as returned by the Marathon API) is used as backend server if an IP-per-task configuration can be found;
otherwise, the name of the host running the task is used.
The latter behavior can be enforced by setting this option to `true`.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon] [providers.marathon]
forceTaskHostname = true forceTaskHostname = true
@ -313,14 +318,14 @@ providers:
# ... # ...
``` ```
By default, a task's IP address (as returned by the Marathon API) is used as backend server if an IP-per-task configuration can be found;
otherwise, the name of the host running the task is used.
The latter behavior can be enforced by enabling this switch.
### `keepAlive` ### `keepAlive`
_Optional, Default=10s_ _Optional, Default=10s_
Set the TCP Keep Alive duration for the Marathon HTTP Client.
The value of `keepAlive` should be provided in seconds or as a valid duration format,
see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon] [providers.marathon]
keepAlive = "30s" keepAlive = "30s"
@ -339,14 +344,16 @@ providers:
# ... # ...
``` ```
Set the TCP Keep Alive interval for the Marathon HTTP Client.
Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
or directly as a number of seconds.
### `respectReadinessChecks` ### `respectReadinessChecks`
_Optional, Default=false_ _Optional, Default=false_
Applications may define readiness checks which are probed by Marathon during deployments periodically, and these check results are exposed via the API.
Enabling `respectReadinessChecks` causes Traefik to filter out tasks whose readiness checks have not succeeded.
Note that the checks are only valid during deployments.
See the Marathon guide for details.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon] [providers.marathon]
respectReadinessChecks = true respectReadinessChecks = true
@ -365,16 +372,16 @@ providers:
# ... # ...
``` ```
Applications may define readiness checks which are probed by Marathon during deployments periodically, and these check results are exposed via the API.
Enabling respectReadinessChecks causes Traefik to filter out tasks whose readiness checks have not succeeded.
Note that the checks are only valid at deployment times.
See the Marathon guide for details.
### `responseHeaderTimeout` ### `responseHeaderTimeout`
_Optional, Default=60s_ _Optional, Default=60s_
Amount of time the Marathon provider should wait before timing out when waiting for the first response header
from a Marathon master.
The value of `responseHeaderTimeout` should be provided in seconds or as a valid duration format,
see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon] [providers.marathon]
responseHeaderTimeout = "66s" responseHeaderTimeout = "66s"
@ -393,19 +400,13 @@ providers:
# ... # ...
``` ```
Overrides ResponseHeaderTimeout.
Amount of time the Marathon provider should wait before timing out,
when waiting for the first response header from a Marathon master.
Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration), or directly as a number of seconds.
### `tls` ### `tls`
_Optional_ _Optional_
#### `tls.ca` #### `tls.ca`
Certificate Authority used for the secured connection to Marathon. Certificate Authority used for the secure connection to Marathon.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon.tls] [providers.marathon.tls]
@ -425,12 +426,15 @@ providers:
#### `tls.caOptional` #### `tls.caOptional`
Policy followed for the secured connection to Marathon with TLS Client Authentication. The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Marathon.
Requires `tls.ca` to be defined.
- `true`: VerifyClientCertIfGiven !!! warning ""
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon.tls] [providers.marathon.tls]
@ -450,7 +454,7 @@ providers:
#### `tls.cert` #### `tls.cert`
Public certificate used for the secured connection to Marathon. Public certificate used for the secure connection to Marathon.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon.tls] [providers.marathon.tls]
@ -473,7 +477,7 @@ providers:
#### `tls.key` #### `tls.key`
Private certificate used for the secured connection to Marathon. Private certificate used for the secure connection to Marathon.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon.tls] [providers.marathon.tls]
@ -496,7 +500,7 @@ providers:
#### `tls.insecureSkipVerify` #### `tls.insecureSkipVerify`
If `insecureSkipVerify` is `true`, TLS for the connection to Marathon accepts any certificate presented by the server and any host name in that certificate. If `insecureSkipVerify` is `true`, the TLS connection to Marathon accepts any certificate presented by the server regardless of the hostnames it covers.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon.tls] [providers.marathon.tls]
@ -518,6 +522,12 @@ providers:
_Optional, Default=5s_ _Optional, Default=5s_
Amount of time the Marathon provider should wait before timing out,
when waiting for the TLS handshake to complete.
The value of `tlsHandshakeTimeout` should be provided in seconds or as a valid duration format,
see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon] [providers.marathon]
responseHeaderTimeout = "10s" responseHeaderTimeout = "10s"
@ -536,17 +546,12 @@ providers:
# ... # ...
``` ```
Overrides TLSHandshakeTimeout.
Amount of time the Marathon provider should wait before timing out,
when waiting for the TLS handshake to complete.
Can be provided in a format supported by [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration),
or directly as a number of seconds.
### `trace` ### `trace`
_Optional, Default=false_ _Optional, Default=false_
Displays additional provider logs when available.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon] [providers.marathon]
trace = true trace = true
@ -565,12 +570,12 @@ providers:
# ... # ...
``` ```
Displays additional provider logs (if available).
### `watch` ### `watch`
_Optional, Default=true_ _Optional, Default=true_
When set to `true`, watches for Marathon changes.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.marathon] [providers.marathon]
watch = false watch = false
@ -588,5 +593,3 @@ providers:
--providers.marathon.watch=false --providers.marathon.watch=false
# ... # ...
``` ```
Enables watching for Marathon changes.

View file

@ -7,30 +7,28 @@ Traefik's Many Friends
Configuration discovery in Traefik is achieved through _Providers_. Configuration discovery in Traefik is achieved through _Providers_.
The _providers_ are existing infrastructure components, whether orchestrators, container engines, cloud providers, or key-value stores. The _providers_ are infrastructure components, whether orchestrators, container engines, cloud providers, or key-value stores.
The idea is that Traefik will query the providers' API in order to find relevant information about routing, The idea is that Traefik queries the provider APIs in order to find relevant information about routing,
and each time Traefik detects a change, it dynamically updates the routes. and when Traefik detects a change, it dynamically updates the routes.
Deploy and forget is Traefik's credo.
## Orchestrators ## Orchestrators
Even if each provider is different, we can categorize them in four groups: While each provider is different, you can think of each as belonging to one of four categories:
- Label based (each deployed container has a set of labels attached to it) - Label-based: each deployed container has a set of labels attached to it
- Key-Value based (each deployed container updates a key-value store with relevant information) - Key-Value-based: each deployed container updates a key-value store with relevant information
- Annotation based (a separate object, with annotations, defines the characteristics of the container) - Annotation-based: a separate object, with annotations, defines the characteristics of the container
- File based (the good old configuration file) - File-based: uses files to define configuration
## Provider Namespace ## Provider Namespace
When you declare certain objects, in Traefik dynamic configuration, When you declare certain objects in the Traefik dynamic configuration,
such as middleware, service, TLS options or servers transport, they live in its provider's namespace. such as middleware, services, TLS options or server transports, they reside in their provider's namespace.
For example, if you declare a middleware using a Docker label, under the hoods, it will reside in the docker provider namespace. For example, if you declare a middleware using a Docker label, it resides in the Docker provider namespace.
If you use multiple providers and wish to reference such an object declared in another provider If you use multiple providers and wish to reference such an object declared in another provider
(aka referencing a cross-provider object, e.g. middleware), then you'll have to append the `@` separator, (e.g. referencing a cross-provider object like middleware), then the object name should be suffixed by the `@`
followed by the provider name to the object name. separator, and the provider name.
```text ```text
<resource-name>@<provider-name> <resource-name>@<provider-name>
@ -39,14 +37,15 @@ followed by the provider name to the object name.
!!! important "Kubernetes Namespace" !!! important "Kubernetes Namespace"
As Kubernetes also has its own notion of namespace, As Kubernetes also has its own notion of namespace,
one should not confuse the "provider namespace" with the "kubernetes namespace" of a resource when in the context of a cross-provider usage. one should not confuse the _provider namespace_ with the _Kubernetes Namespace_ of a resource when in the context of cross-provider usage.
In this case, since the definition of a traefik dynamic configuration object is not in kubernetes,
specifying a "kubernetes namespace" when referring to the resource does not make any sense,
and therefore this specification would be ignored even if present.
On the other hand, if you, say, declare a middleware as a Custom Resource in Kubernetes and use the non-crd Ingress objects,
you'll have to add the Kubernetes namespace of the middleware to the annotation like this `<middleware-namespace>-<middleware-name>@kubernetescrd`.
!!! abstract "Referencing a Traefik dynamic configuration object from Another Provider" In this case, since the definition of a Traefik dynamic configuration object is not in Kubernetes,
specifying a Kubernetes Namespace when referring to the resource does not make any sense.
On the other hand, if you were to declare a middleware as a Custom Resource in Kubernetes and use the non-CRD Ingress objects,
you would have to add the Kubernetes Namespace of the middleware to the annotation like this `<middleware-namespace>-<middleware-name>@kubernetescrd`.
!!! abstract "Referencing a Traefik Dynamic Configuration Object from Another Provider"
Declaring the add-foo-prefix in the file provider. Declaring the add-foo-prefix in the file provider.
@ -143,26 +142,32 @@ Below is the list of the currently supported providers in Traefik.
!!! info "More Providers" !!! info "More Providers"
The current version of Traefik doesn't support (yet) every provider. The current version of Traefik does not yet support every provider that Traefik v1.7 did.
See the [previous version (v1.7)](https://doc.traefik.io/traefik/v1.7/) for more providers. See the [previous version (v1.7)](https://doc.traefik.io/traefik/v1.7/) for more providers.
### Configuration reload frequency ### Configuration Reload Frequency
#### `providers.providersThrottleDuration`
_Optional, Default: 2s_
In some cases, some providers might undergo a sudden burst of changes, In some cases, some providers might undergo a sudden burst of changes,
which would generate a lot of configuration change events. which would generate a lot of configuration change events.
If Traefik took them all into account, If Traefik took them all into account,
that would trigger a lot more configuration reloads than what is necessary, that would trigger a lot more configuration reloads than is necessary,
or even useful. or even useful.
In order to mitigate that, the `providers.providersThrottleDuration` option can be set. In order to mitigate that, the `providers.providersThrottleDuration` option can be set.
It is the duration that Traefik waits for, after a configuration reload, It is the duration that Traefik waits for, after a configuration reload,
before taking into account any new configuration refresh event. before taking into account any new configuration refresh event.
If any event arrives during that duration, only the most recent one is taken into account, If multiple events occur within this time, only the most recent one is taken into account,
and all the previous others are dropped. and all others are discarded.
This option cannot be set per provider, This option cannot be set per provider,
but the throttling algorithm applies independently to each of them. but the throttling algorithm applies to each of them independently.
It defaults to 2 seconds.
The value of `providers.providersThrottleDuration` should be provided in seconds or as a valid duration format,
see [time.ParseDuration](https://golang.org/pkg/time/#ParseDuration).
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers] [providers]
@ -184,17 +189,18 @@ TODO (document TCP VS HTTP dynamic configuration)
## Restrict the Scope of Service Discovery ## Restrict the Scope of Service Discovery
By default Traefik will create routes for all detected containers. By default, Traefik creates routes for all detected containers.
If you want to limit the scope of Traefik's service discovery, If you want to limit the scope of the Traefik service discovery,
i.e. disallow route creation for some containers, i.e. disallow route creation for some containers,
you can do so in two different ways: you can do so in two different ways:
either with the generic configuration option `exposedByDefault`,
or with a finer granularity mechanism based on constraints. - the generic configuration option `exposedByDefault`,
- a finer granularity mechanism based on constraints.
### `exposedByDefault` and `traefik.enable` ### `exposedByDefault` and `traefik.enable`
List of providers that support that feature: List of providers that support these features:
- [Docker](./docker.md#exposedbydefault) - [Docker](./docker.md#exposedbydefault)
- [Consul Catalog](./consul-catalog.md#exposedbydefault) - [Consul Catalog](./consul-catalog.md#exposedbydefault)
@ -211,3 +217,4 @@ List of providers that support constraints:
- [Marathon](./marathon.md#constraints) - [Marathon](./marathon.md#constraints)
- [Kubernetes CRD](./kubernetes-crd.md#labelselector) - [Kubernetes CRD](./kubernetes-crd.md#labelselector)
- [Kubernetes Ingress](./kubernetes-ingress.md#labelselector) - [Kubernetes Ingress](./kubernetes-ingress.md#labelselector)
- [Kubernetes Gateway](./kubernetes-gateway.md#labelselector)

View file

@ -10,13 +10,13 @@ Attach labels to your services and let Traefik do the rest!
!!! important "This provider is specific to Rancher 1.x." !!! important "This provider is specific to Rancher 1.x."
Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query. Rancher 2.x requires Kubernetes and does not have a metadata endpoint of its own for Traefik to query.
As such, Rancher 2.x users should utilize the [Kubernetes provider](./kubernetes-crd.md) directly. As such, Rancher 2.x users should utilize the [Kubernetes CRD provider](./kubernetes-crd.md) directly.
## Configuration Examples ## Configuration Examples
??? example "Configuring Rancher & Deploying / Exposing Services" ??? example "Configuring Rancher & Deploying / Exposing Services"
Enabling the rancher provider Enabling the Rancher provider
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.rancher] [providers.rancher]
@ -45,7 +45,8 @@ See the dedicated section in [routing](../routing/providers/rancher.md).
## Provider Configuration ## Provider Configuration
??? tip "Browse the Reference" ??? tip "Browse the Reference"
If you're in a hurry, maybe you'd rather go through the configuration reference:
For an overview of all the options that can be set with the Rancher provider, see the following snippets:
```toml tab="File (TOML)" ```toml tab="File (TOML)"
--8<-- "content/providers/rancher.toml" --8<-- "content/providers/rancher.toml"
@ -63,6 +64,11 @@ See the dedicated section in [routing](../routing/providers/rancher.md).
_Optional, Default=true_ _Optional, Default=true_
Expose Rancher services by default in Traefik.
If set to `false`, services that do not have a `traefik.enable=true` label are ignored from the resulting routing configuration.
For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.rancher] [providers.rancher]
exposedByDefault = false exposedByDefault = false
@ -81,15 +87,21 @@ providers:
# ... # ...
``` ```
Expose Rancher services by default in Traefik.
If set to false, services that don't have a `traefik.enable=true` label will be ignored from the resulting routing configuration.
See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
### `defaultRule` ### `defaultRule`
_Optional, Default=```Host(`{{ normalize .Name }}`)```_ _Optional, Default=```Host(`{{ normalize .Name }}`)```_
The default host rule for all services.
The `defaultRule` option defines what routing rule to apply to a container if no rule is defined by a label.
It must be a valid [Go template](https://golang.org/pkg/text/template/), and can use
[sprig template functions](http://masterminds.github.io/sprig/).
The service name can be accessed with the `Name` identifier,
and the template has access to all the labels defined on this container.
This option can be overridden on a container basis with the `traefik.http.routers.Router1.rule` label.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.rancher] [providers.rancher]
defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)" defaultRule = "Host(`{{ .Name }}.{{ index .Labels \"customLabel\"}}`)"
@ -108,20 +120,12 @@ providers:
# ... # ...
``` ```
The default host rule for all services.
For a given container if no routing rule was defined by a label, it is defined by this defaultRule instead.
It must be a valid [Go template](https://golang.org/pkg/text/template/),
augmented with the [sprig template functions](http://masterminds.github.io/sprig/).
The service name can be accessed as the `Name` identifier,
and the template has access to all the labels defined on this container.
This option can be overridden on a container basis with the `traefik.http.routers.Router1.rule` label.
### `enableServiceHealthFilter` ### `enableServiceHealthFilter`
_Optional, Default=true_ _Optional, Default=true_
Filter out services with unhealthy states and inactive states.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.rancher] [providers.rancher]
enableServiceHealthFilter = false enableServiceHealthFilter = false
@ -140,12 +144,12 @@ providers:
# ... # ...
``` ```
Filter services with unhealthy states and inactive states.
### `refreshSeconds` ### `refreshSeconds`
_Optional, Default=15_ _Optional, Default=15_
Defines the polling interval (in seconds).
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.rancher] [providers.rancher]
refreshSeconds = 30 refreshSeconds = 30
@ -164,12 +168,13 @@ providers:
# ... # ...
``` ```
Defines the polling interval (in seconds).
### `intervalPoll` ### `intervalPoll`
_Optional, Default=false_ _Optional, Default=false_
Poll the Rancher metadata service for changes every `rancher.refreshSeconds`,
which is less accurate than the default long polling technique which provides near instantaneous updates to Traefik.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.rancher] [providers.rancher]
intervalPoll = true intervalPoll = true
@ -188,12 +193,11 @@ providers:
# ... # ...
``` ```
Poll the Rancher metadata service for changes every `rancher.refreshSeconds`,
which is less accurate than the default long polling technique which will provide near instantaneous updates to Traefik.
### `prefix` ### `prefix`
_Optional, Default=/latest_ _Optional, Default="/latest"_
Prefix used for accessing the Rancher metadata service.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.rancher] [providers.rancher]
@ -213,35 +217,16 @@ providers:
# ... # ...
``` ```
Prefix used for accessing the Rancher metadata service
### `constraints` ### `constraints`
_Optional, Default=""_ _Optional, Default=""_
```toml tab="File (TOML)" The `constraints` option can be set to an expression that Traefik matches against the container labels to determine whether
[providers.rancher] to create any route for that container. If none of the container tags match the expression, no route for that container is
constraints = "Label(`a.label.name`,`foo`)" created. If the expression is empty, all detected containers are included.
# ...
```
```yaml tab="File (YAML)" The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as
providers: the usual boolean logic, as shown in examples below.
rancher:
constraints: "Label(`a.label.name`,`foo`)"
# ...
```
```bash tab="CLI"
--providers.rancher.constraints=Label(`a.label.name`,`foo`)
# ...
```
Constraints is an expression that Traefik matches against the container's labels to determine whether to create any route for that container.
That is to say, if none of the container's labels match the expression, no route for the container is created.
If the expression is empty, all detected containers are included.
The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("key", "value")` functions, as well as the usual boolean logic, as shown in examples below.
??? example "Constraints Expression Examples" ??? example "Constraints Expression Examples"
@ -275,4 +260,22 @@ The expression syntax is based on the `Label("key", "value")`, and `LabelRegex("
constraints = "LabelRegex(`a.label.name`, `a.+`)" constraints = "LabelRegex(`a.label.name`, `a.+`)"
``` ```
See also [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery). For additional information, refer to [Restrict the Scope of Service Discovery](./overview.md#restrict-the-scope-of-service-discovery).
```toml tab="File (TOML)"
[providers.rancher]
constraints = "Label(`a.label.name`,`foo`)"
# ...
```
```yaml tab="File (YAML)"
providers:
rancher:
constraints: "Label(`a.label.name`,`foo`)"
# ...
```
```bash tab="CLI"
--providers.rancher.constraints=Label(`a.label.name`,`foo`)
# ...
```

View file

@ -35,10 +35,10 @@ providers:
### `rootKey` ### `rootKey`
Defines the root key of the configuration.
_Required, Default="traefik"_ _Required, Default="traefik"_
Defines the root key of the configuration.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.redis] [providers.redis]
rootKey = "traefik" rootKey = "traefik"
@ -56,10 +56,10 @@ providers:
### `username` ### `username`
Defines a username to connect with Redis.
_Optional, Default=""_ _Optional, Default=""_
Defines a username to connect with Redis.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.redis] [providers.redis]
# ... # ...
@ -106,7 +106,7 @@ _Optional_
#### `tls.ca` #### `tls.ca`
Certificate Authority used for the secured connection to Redis. Certificate Authority used for the secure connection to Redis.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.redis.tls] [providers.redis.tls]
@ -126,12 +126,15 @@ providers:
#### `tls.caOptional` #### `tls.caOptional`
Policy followed for the secured connection with TLS Client Authentication to Redis. The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Redis.
Requires `tls.ca` to be defined.
- `true`: VerifyClientCertIfGiven !!! warning ""
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.redis.tls] [providers.redis.tls]
@ -151,7 +154,7 @@ providers:
#### `tls.cert` #### `tls.cert`
Public certificate used for the secured connection to Redis. Public certificate used for the secure connection to Redis.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.redis.tls] [providers.redis.tls]
@ -174,7 +177,7 @@ providers:
#### `tls.key` #### `tls.key`
Private certificate used for the secured connection to Redis. Private certificate used for the secure connection to Redis.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.redis.tls] [providers.redis.tls]
@ -197,7 +200,7 @@ providers:
#### `tls.insecureSkipVerify` #### `tls.insecureSkipVerify`
If `insecureSkipVerify` is `true`, TLS for the connection to Redis accepts any certificate presented by the server and any host name in that certificate. If `insecureSkipVerify` is `true`, the TLS connection to Redis accepts any certificate presented by the server regardless of the hostnames it covers.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.redis.tls] [providers.redis.tls]

View file

@ -1,6 +1,6 @@
# Traefik & ZooKeeper # Traefik & ZooKeeper
A Story of KV store & Containers A Story of KV Store & Containers
{: .subtitle } {: .subtitle }
Store your configuration in ZooKeeper and let Traefik do the rest! Store your configuration in ZooKeeper and let Traefik do the rest!
@ -35,10 +35,10 @@ providers:
### `rootKey` ### `rootKey`
Defines the root key of the configuration.
_Required, Default="traefik"_ _Required, Default="traefik"_
Defines the root key of the configuration.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.zooKeeper] [providers.zooKeeper]
rootKey = "traefik" rootKey = "traefik"
@ -56,10 +56,10 @@ providers:
### `username` ### `username`
Defines a username to connect with ZooKeeper.
_Optional, Default=""_ _Optional, Default=""_
Defines a username to connect with ZooKeeper.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.zooKeeper] [providers.zooKeeper]
# ... # ...
@ -106,7 +106,7 @@ _Optional_
#### `tls.ca` #### `tls.ca`
Certificate Authority used for the secured connection to ZooKeeper. Certificate Authority used for the secure connection to ZooKeeper.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.zooKeeper.tls] [providers.zooKeeper.tls]
@ -126,12 +126,15 @@ providers:
#### `tls.caOptional` #### `tls.caOptional`
Policy followed for the secured connection with TLS Client Authentication to ZooKeeper. The value of `tls.caOptional` defines which policy should be used for the secure connection with TLS Client Authentication to Zookeeper.
Requires `tls.ca` to be defined.
- `true`: VerifyClientCertIfGiven !!! warning ""
- `false`: RequireAndVerifyClientCert
- if `tls.ca` is undefined NoClientCert If `tls.ca` is undefined, this option will be ignored, and no client certificate will be requested during the handshake. Any provided certificate will thus never be verified.
When this option is set to `true`, a client certificate is requested during the handshake but is not required. If a certificate is sent, it is required to be valid.
When this option is set to `false`, a client certificate is requested during the handshake, and at least one valid certificate should be sent by the client.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.zooKeeper.tls] [providers.zooKeeper.tls]
@ -151,7 +154,7 @@ providers:
#### `tls.cert` #### `tls.cert`
Public certificate used for the secured connection to ZooKeeper. Public certificate used for the secure connection to ZooKeeper.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.zooKeeper.tls] [providers.zooKeeper.tls]
@ -174,7 +177,7 @@ providers:
#### `tls.key` #### `tls.key`
Private certificate used for the secured connection to ZooKeeper. Private certificate used for the secure connection to ZooKeeper.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.zooKeeper.tls] [providers.zooKeeper.tls]
@ -197,7 +200,7 @@ providers:
#### `tls.insecureSkipVerify` #### `tls.insecureSkipVerify`
If `insecureSkipVerify` is `true`, TLS for the connection to ZooKeeper accepts any certificate presented by the server and any host name in that certificate. If `insecureSkipVerify` is `true`, the TLS connection to Zookeeper accepts any certificate presented by the server regardless of the hostnames it covers.
```toml tab="File (TOML)" ```toml tab="File (TOML)"
[providers.zooKeeper.tls] [providers.zooKeeper.tls]