Data Sharing
This document provides an overview of the data shared between the Traefik Hub SaaS control plane and a Kubernetes cluster hosting the Traefik Hub agent.
Introduction
The Traefik Hub's SaaS (Software as a Service) control plane is hosted by Traefik Labs in the cloud. The Traefik Hub agent (acting as the data plane) is hosted in a Kubernetes cluster. They communicate with each other to manage and control Traefik Hub's API Gateway and API Portal instances running in the cluster.
The Traefik Hub agent collects data related to API management (Traefik Hub CRDs), Ingress management (for example Traefik Proxy CRDs) and general Kubernetes components (Namespaces, Nodes, Services, etc.).
Depending on the configuration, the data shared between the control plane and the Kubernetes cluster may be a subset of the items listed in this document.
Besides the data collected by the Traefik Hub agent, the Traefik Platform stores data related to platform authorization, identity providers and similar items.
Shared Data
API Management Related Objects
Custom Resource Definitions (CRDs)
Traefik Hub CRDs are sent to the Traefik Hub Platform for synchronization purposes and validation:
- Access Control Policies (ACPs)
- APIs
- APIAccesses
- APIPortals
- APIPlans
- APIBundles
- APIVersions
Besides the CRDs, the Traefik Hub agent also sends its own configuration. As of now, it consists of a single field: DistributedRateLimitAvailable.
Ingress Related Objects
Custom Resource Definitions (CRDs)
If Traefik Proxy is used as Ingress Controller (default setting if the Traefik Hub agent is installed in Ingress Controller mode), the Traefik Hub agent has access to the following Traefik Proxy CRDs.
Name | Permission | Description |
---|---|---|
Middlewares | Read/Write | Tweaks the HTTP requests before they are sent to your service. |
IngressRoute | Read/Write | HTTP Routing. |
IngressClass | Read/Write | The annotation that identifies Ingress objects to be processed. |
MiddlewareTCP | Read | Tweaks the TCP requests before they are sent to your service. |
TraefikService | Read | Abstraction for HTTP loadbalancing/mirroring. |
IngressRouteTCP | Read | TCP routing. |
IngressRouteUDP | Read | UDP routing. |
TLSOptions | Read | Allows configuring some parameters of the TLS connection. |
TLSStores | Read | Allows configuring the default TLS store. |
ServersTransport | Read | Allows configuring the transport between Traefik and the backends. |
Kubernetes
The Traefik Hub agent has access to the following Kubernetes components:
Name | Permission | Description |
---|---|---|
Ingresses | Read/Write | This is used for service discovery. Also used to set ACP to Ingresses. |
Secrets | Read/Write | This is used to store secrets like certificates. |
Pods | Read | Used to get the list of agent Pods and fetch metrics from them. |
Pod logs | Read | Collects the logs of the Pods (will be removed soon). |
Namespaces | Read | This is used to get the Namespace used for the leader election. |
Leases | Read/Write | Used to handle the leader election for the agent. |
Endpoint slices | Read | This is used to list the nodes on which the services exposed by APIs run. |
Events | Write | This is used to write several events on resources managed by Traefik Hub, for example, when the OpenAPI spec is not found. |
Services | Read | Used in service discovery and for routing. |
Nodes | Read | This is used for license purposes. |
Endpoints | Read | This is used for routing. |
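The table above is effectively the agent's least-privilege contract with the cluster, so a practitioner will want to check that the RBAC actually granted to the agent does not exceed it. The following script is an added example, not Traefik's own tooling: it flattens a ClusterRole (as obtained from `kubectl get clusterrole <name> -o json`) into per-resource verb sets and reports every verb that goes beyond the documented permission. The mapping of the table's "Read", "Write" and "Read/Write" onto RBAC verbs, the plural resource names and the sample ClusterRole are all assumptions constructed for the example.

```python
"""Audit a ClusterRole against the documented Traefik Hub agent permissions."""
import json

# Documented access from the "Kubernetes" table above, keyed by the conventional
# Kubernetes plural resource name (assumed mapping of table rows to RBAC resources).
DOCUMENTED = {
    "ingresses": "Read/Write",
    "secrets": "Read/Write",
    "pods": "Read",
    "pods/log": "Read",
    "namespaces": "Read",
    "leases": "Read/Write",
    "endpointslices": "Read",
    "events": "Write",
    "services": "Read",
    "nodes": "Read",
    "endpoints": "Read",
}

# Assumed translation of the table's permission words into RBAC verbs.
READ_VERBS = {"get", "list", "watch"}
WRITE_VERBS = {"create", "update", "patch", "delete"}
PERMISSION_VERBS = {
    "Read": READ_VERBS,
    "Write": WRITE_VERBS,
    "Read/Write": READ_VERBS | WRITE_VERBS,
}
# What a wildcard verb ("*") expands to for the purpose of this audit.
ALL_VERBS = READ_VERBS | WRITE_VERBS | {"deletecollection"}


def allowed_verbs(resource):
    """Verbs the documentation permits on a resource; empty for undocumented ones."""
    permission = DOCUMENTED.get(resource)
    return PERMISSION_VERBS[permission] if permission else set()


def granted_verbs(role):
    """Flatten ClusterRole rules into {resource: set(verbs)}, expanding '*' verbs.

    apiGroups are ignored for simplicity; a wildcard resource ("*") is kept as a
    literal "*" key, which is undocumented and therefore fully reported as excess.
    """
    granted = {}
    for rule in role.get("rules", []):
        verbs = set(rule.get("verbs", []))
        if "*" in verbs:
            verbs = set(ALL_VERBS)
        for resource in rule.get("resources", []):
            granted.setdefault(resource, set()).update(verbs)
    return granted


def audit(role):
    """Return {resource: excess_verbs} for every grant beyond the documented table."""
    findings = {}
    for resource, verbs in granted_verbs(role).items():
        excess = verbs - allowed_verbs(resource)
        if excess:
            findings[resource] = excess
    return findings


# Constructed sample ClusterRole: two rules are deliberately broader than documented
# and one uses a wildcard verb so that the audit has something to report.
SAMPLE_CLUSTERROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "example-hub-agent"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "services", "endpoints"],
     "verbs": ["get", "list", "watch"]},
    {"apiGroups": [""], "resources": ["secrets"],
     "verbs": ["get", "list", "watch", "create", "update"]},
    {"apiGroups": [""], "resources": ["nodes"], "verbs": ["get", "list", "watch", "delete"]},
    {"apiGroups": [""], "resources": ["configmaps"], "verbs": ["get", "list"]},
    {"apiGroups": [""], "resources": ["events"], "verbs": ["create", "patch"]},
    {"apiGroups": ["coordination.k8s.io"], "resources": ["leases"], "verbs": ["*"]}
  ]
}
""")


if __name__ == "__main__":
    for resource, excess in sorted(audit(SAMPLE_CLUSTERROLE).items()):
        print(f"{resource}: grants undocumented verbs {sorted(excess)}")
```

Running the script reports `delete` on nodes, the entirely undocumented configmaps grant, and `deletecollection` on leases (a consequence of the `*` verb). Feeding it the real ClusterRole instead of the constructed sample is a one-line change; if the agent's actual manifest uses different resource names or groups, adjust `DOCUMENTED` accordingly before trusting the result.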
Metrics
The following metrics are transmitted to the Traefik Hub platform.
These metrics are displayed in the control plane:
- Requests per second
- Request errors per second
- Request error percentage
- Request client errors per second
- Request client error percentage
- Average response time
- Request count
- Request error count
- Request client error count
- Response time sum
- Response time count
The metrics below are used for internal purposes and will soon be integrated into the control plane:
- API request count
- API request bytes
- API response bytes
- Node count
- API Gateway count
- API count
Logs
Error logs generated by the Traefik Hub agent are transmitted to the Traefik Hub platform and stored for 24 hours to assist in resolving support requests quickly.
Certificates
The Traefik Hub Platform stores data related to certificates obtained with Let's Encrypt on generated domains and custom domains. The certificates are encrypted in the database and are renewed regularly.
Traefik Hub Dashboard
Overview of all data collected by the Traefik Hub dashboard.
Identity Provider
The Traefik Hub Platform stores data related to IdPs. This data is needed for authentication and permission management.
General
The following user data is stored:
- First Name
- Last Name
- Company
- Group IDs
- External ID
Internal IdP
All general user data plus:
- Password hash
For each group, the Traefik Hub Platform only stores the name of the group.
Keycloak
- URL
- Realm
- Username for realm access
- Password for realm access (encrypted)
Okta
- Org URL
- Issuer URL
- Token (encrypted)