Servers Transport in Kubernetes
A ServersTransport allows you to configure the connection between Traefik Hub API Gateway and the HTTP servers. If no ServersTransport is specified on a service, the default ServersTransport is applied. This default ServersTransport can be customized using options in the static configuration.

A ServersTransport can be applied on a service using:

- An annotation on the Kubernetes Service (if the service is exposed using an Ingress)
- The option `services.serverstransport` on an IngressRoute (if the service is a Kubernetes Service)
- The option `serverstransport` on a TraefikService (if the service is a Kubernetes Service)

Reference a ServersTransport CRD from another namespace: the value must be of the form `namespace-name@kubernetescrd`, and the `allowCrossNamespace` option must be enabled at the provider level.
Configuration Example

IngressRoute:

```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: test-name
  namespace: apps
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`example.com`) && PathPrefix(`/foo`)
      kind: Rule
      services:
        - kind: Service
          name: svc1
          namespace: apps
          # Format: namespace-name@providername
          serversTransport: apps-mytransport@kubernetescrd
  tls:
    # Add a TLS certificate from a Kubernetes Secret
    secretName: supersecret
```

ServersTransport:

```yaml
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: mytransport
  namespace: apps
spec:
  insecureSkipVerify: true
  maxIdleConnsPerHost: 1
  forwardingTimeouts:
    dialTimeout: 42s
    responseHeaderTimeout: 42s
    idleConnTimeout: 42s
  peerCertURI: foobar
  disableHTTP2: true
  spiffe:
    ids:
      - spiffe://trust-domain/id1
      - spiffe://trust-domain/id2
    trustDomain: "spiffe://trust-domain"
```

Kubernetes Service:

```yaml
apiVersion: v1
kind: Service
metadata:
  name: svc1
  namespace: apps
spec:
  ports:
    - name: http
      port: 80
  selector:
    app: traefiklabs
    task: app1
```

Secret:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: supersecret
  namespace: apps
data:
  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
```
Configuration Options
Field | Description | Default | Required |
---|---|---|---|
serverName | Server name that will be used for SNI. | "" | No |
insecureSkipVerify | Controls whether the server's certificate chain and host name are verified. | false | No |
rootCAsSecrets | Set of root certificate authorities to use when verifying server certificates (for mTLS connections). The secrets must contain a certificate under either a tls.ca or a ca.crt key. | | No |
certificatesSecrets | Certificates to present to the server (for mTLS connections). The secrets must contain a certificate and key under the tls.crt and tls.key keys. | | No |
maxIdleConnsPerHost | Maximum idle (keep-alive) connections to keep per host. | 2 | No |
forwardingTimeouts.dialTimeout | Amount of time to wait until a connection to a server can be established. 0 = no timeout. | 30s | No |
forwardingTimeouts.responseHeaderTimeout | Amount of time to wait for a server's response headers after fully writing the request (including its body, if any). 0 = no timeout. | 0s | No |
forwardingTimeouts.idleConnTimeout | Maximum amount of time an idle (keep-alive) connection will remain idle before closing itself. 0 = no timeout. | 90s | No |
forwardingTimeouts.readIdleTimeout | Timeout after which a health check using a ping frame will be carried out if no frame is received on the HTTP/2 connection. A ping response is considered a received frame; if there is no other traffic on the connection, the health check is performed every readIdleTimeout interval. 0 = no health check. | 0s | No |
forwardingTimeouts.pingTimeout | Timeout after which the HTTP/2 connection will be closed if a response to the ping is not received. | 15s | No |
peerCertURI | URI used to match against SAN URIs during the server's certificate verification. | "" | No |
disableHTTP2 | Disables HTTP/2 for connections with servers. | false | No |
spiffe.ids | Allowed SPIFFE IDs. This takes precedence over the SPIFFE trust domain. | | No |
spiffe.trustDomain | Allowed SPIFFE trust domain. | "" | No |
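The example above disables upstream certificate verification with `insecureSkipVerify: true`, which lets any server that can answer the backend address impersonate it. The following added example (not from the Traefik documentation) shows the verifying counterpart using the options in the table: the CA that signed the backend certificate is supplied via `rootCAsSecrets`, the expected name via `serverName`, and a client certificate for mTLS via `certificatesSecrets`. The names `mytransport-verified`, `backend-ca`, `gateway-client-cert` and `svc1.apps.svc` are assumptions, and the Secret values are placeholders.

```yaml
# Added example: a ServersTransport that verifies the upstream instead of
# disabling verification. Resource names and hostnames are assumptions.
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: mytransport-verified
  namespace: apps
spec:
  # Verify the upstream chain and host name (the default, stated explicitly).
  insecureSkipVerify: false
  # Name sent as SNI and checked against the upstream certificate.
  serverName: svc1.apps.svc
  # Secret holding the CA that signed the upstream certificate (tls.ca or ca.crt key).
  rootCAsSecrets:
    - backend-ca
  # Client certificate presented to the upstream for mTLS (tls.crt and tls.key keys).
  certificatesSecrets:
    - gateway-client-cert
  # Bounded timeouts so a slow or unresponsive upstream cannot hold connections open.
  forwardingTimeouts:
    dialTimeout: 5s
    responseHeaderTimeout: 30s
    idleConnTimeout: 90s
---
apiVersion: v1
kind: Secret
metadata:
  name: backend-ca
  namespace: apps
data:
  # base64-encoded PEM CA certificate (placeholder)
  ca.crt: <base64-encoded CA certificate>
---
apiVersion: v1
kind: Secret
metadata:
  name: gateway-client-cert
  namespace: apps
type: kubernetes.io/tls
data:
  # base64-encoded PEM client certificate and private key (placeholders)
  tls.crt: <base64-encoded client certificate>
  tls.key: <base64-encoded client private key>
```

Reference it from the IngressRoute as `apps-mytransport-verified@kubernetescrd`; a backend whose certificate does not chain to `backend-ca` or does not match `svc1.apps.svc` is then rejected at connection time.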