Kubernetes serversTransport - Traefik

A ServersTransport allows you to configure the connection between Traefik and the HTTP servers in Kubernetes.

Before creating ServersTransport objects, you need to apply the Traefik Kubernetes CRDs to your Kubernetes cluster.

This registers the ServersTransport kind and other Traefik-specific resources.

It can be applied on a service using:

The option services.serverstransport on a IngressRoute (if the service is a Kubernetes Service)
The option serverstransport on a TraefikService (if the service is a Kubernetes Service)

!!! note "Reference a ServersTransport CRD from another namespace"

The value must be of form `namespace-name@kubernetescrd`, and the `allowCrossNamespace` option must be enabled at the provider level.

Configuration Example

yaml

apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: mytransport
  namespace: default

spec:
  serverName: example.org
  insecureSkipVerify: true

yaml

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: testroute
  namespace: default

spec:
  entryPoints:
    - web
  routes:
  - match: Host(`example.com`)
    kind: Rule
    services:
    - name: whoami
      port: 80
      serversTransport: mytransport

Configuration Options

Field	Description	Default	Required
<a id="opt-serverstransport-serverName" href="#opt-serverstransport-serverName" title="#opt-serverstransport-serverName">`serverstransport.`
`serverName`</a>	Defines the server name that will be used for SNI.		No
<a id="opt-serverstransport-insecureSkipVerify" href="#opt-serverstransport-insecureSkipVerify" title="#opt-serverstransport-insecureSkipVerify">`serverstransport.`
`insecureSkipVerify`</a>	Controls whether the server's certificate chain and host name is verified.	false	No
<a id="opt-serverstransport-rootcas" href="#opt-serverstransport-rootcas" title="#opt-serverstransport-rootcas">`serverstransport.`
`rootcas`</a>	Set of root certificate authorities to use when verifying server certificates. (for mTLS connections).		No
<a id="opt-serverstransport-certificatesSecrets" href="#opt-serverstransport-certificatesSecrets" title="#opt-serverstransport-certificatesSecrets">`serverstransport.`
`certificatesSecrets`</a>	Certificates to present to the server for mTLS.		No
<a id="opt-serverstransport-maxIdleConnsPerHost" href="#opt-serverstransport-maxIdleConnsPerHost" title="#opt-serverstransport-maxIdleConnsPerHost">`serverstransport.`
`maxIdleConnsPerHost`</a>	Maximum idle (keep-alive) connections to keep per-host.	200	No
<a id="opt-serverstransport-disableHTTP2" href="#opt-serverstransport-disableHTTP2" title="#opt-serverstransport-disableHTTP2">`serverstransport.`
`disableHTTP2`</a>	Disables HTTP/2 for connections with servers.	false	No
<a id="opt-serverstransport-peerCertURI" href="#opt-serverstransport-peerCertURI" title="#opt-serverstransport-peerCertURI">`serverstransport.`
`peerCertURI`</a>	Defines the URI used to match against SAN URIs during the server's certificate verification.	""	No
<a id="opt-serverstransport-forwardingTimeouts-dialTimeout" href="#opt-serverstransport-forwardingTimeouts-dialTimeout" title="#opt-serverstransport-forwardingTimeouts-dialTimeout">`serverstransport.`
`forwardingTimeouts.dialTimeout`</a>	Amount of time to wait until a connection to a server can be established.
Zero means no timeout.	30s	No
<a id="opt-serverstransport-forwardingTimeouts-responseHeaderTimeout" href="#opt-serverstransport-forwardingTimeouts-responseHeaderTimeout" title="#opt-serverstransport-forwardingTimeouts-responseHeaderTimeout">`serverstransport.`
`forwardingTimeouts.responseHeaderTimeout`</a>	Amount of time to wait for a server's response headers after fully writing the request (including its body, if any).
Zero means no timeout	0s	No
<a id="opt-serverstransport-forwardingTimeouts-idleConnTimeout" href="#opt-serverstransport-forwardingTimeouts-idleConnTimeout" title="#opt-serverstransport-forwardingTimeouts-idleConnTimeout">`serverstransport.`
`forwardingTimeouts.idleConnTimeout`</a>	Maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.
Zero means no timeout.	90s	No
<a id="opt-serverstransport-spiffe-ids" href="#opt-serverstransport-spiffe-ids" title="#opt-serverstransport-spiffe-ids">`serverstransport.`
`spiffe.ids`</a>	Allow SPIFFE IDs.
This takes precedence over the SPIFFE TrustDomain.		No
<a id="opt-serverstransport-spiffe-trustDomain" href="#opt-serverstransport-spiffe-trustDomain" title="#opt-serverstransport-spiffe-trustDomain">`serverstransport.`
`spiffe.trustDomain`</a>	Allow SPIFFE trust domain.	""	No
<a id="opt-serverstransport-serverName-2" href="#opt-serverstransport-serverName-2" title="#opt-serverstransport-serverName-2">`serverstransport.`
`serverName`</a>	Defines the server name that will be used for SNI.		No
<a id="opt-serverstransport-insecureSkipVerify-2" href="#opt-serverstransport-insecureSkipVerify-2" title="#opt-serverstransport-insecureSkipVerify-2">`serverstransport.`
`insecureSkipVerify`</a>	Controls whether the server's certificate chain and host name is verified.	false	No
<a id="opt-serverstransport-rootcas-2" href="#opt-serverstransport-rootcas-2" title="#opt-serverstransport-rootcas-2">`serverstransport.`
`rootcas`</a>	Set of root certificate authorities to use when verifying server certificates. (for mTLS connections).		No
<a id="opt-serverstransport-certificatesSecrets-2" href="#opt-serverstransport-certificatesSecrets-2" title="#opt-serverstransport-certificatesSecrets-2">`serverstransport.`
`certificatesSecrets`</a>	Certificates to present to the server for mTLS.		No
<a id="opt-serverstransport-cipherSuites" href="#opt-serverstransport-cipherSuites" title="#opt-serverstransport-cipherSuites">`serverstransport.`
`cipherSuites`</a>	Defines the cipher suites to use when contacting backend servers.	[]	No
<a id="opt-serverstransport-minVersion" href="#opt-serverstransport-minVersion" title="#opt-serverstransport-minVersion">`serverstransport.`
`minVersion`</a>	Defines the minimum TLS version to use when contacting backend servers.	""	No
<a id="opt-serverstransport-maxVersion" href="#opt-serverstransport-maxVersion" title="#opt-serverstransport-maxVersion">`serverstransport.`
`maxVersion`</a>	Defines the maximum TLS version to use when contacting backend servers.	""	No
<a id="opt-serverstransport-maxIdleConnsPerHost-2" href="#opt-serverstransport-maxIdleConnsPerHost-2" title="#opt-serverstransport-maxIdleConnsPerHost-2">`serverstransport.`
`maxIdleConnsPerHost`</a>	Maximum idle (keep-alive) connections to keep per-host.	200	No
<a id="opt-serverstransport-disableHTTP2-2" href="#opt-serverstransport-disableHTTP2-2" title="#opt-serverstransport-disableHTTP2-2">`serverstransport.`
`disableHTTP2`</a>	Disables HTTP/2 for connections with servers.	false	No
<a id="opt-serverstransport-peerCertURI-2" href="#opt-serverstransport-peerCertURI-2" title="#opt-serverstransport-peerCertURI-2">`serverstransport.`
`peerCertURI`</a>	Defines the URI used to match against SAN URIs during the server's certificate verification.	""	No
<a id="opt-serverstransport-forwardingTimeouts-dialTimeout-2" href="#opt-serverstransport-forwardingTimeouts-dialTimeout-2" title="#opt-serverstransport-forwardingTimeouts-dialTimeout-2">`serverstransport.`
`forwardingTimeouts.dialTimeout`</a>	Amount of time to wait until a connection to a server can be established.
Zero means no timeout.	30s	No
<a id="opt-serverstransport-forwardingTimeouts-responseHeaderTimeout-2" href="#opt-serverstransport-forwardingTimeouts-responseHeaderTimeout-2" title="#opt-serverstransport-forwardingTimeouts-responseHeaderTimeout-2">`serverstransport.`
`forwardingTimeouts.responseHeaderTimeout`</a>	Amount of time to wait for a server's response headers after fully writing the request (including its body, if any).
Zero means no timeout	0s	No
<a id="opt-serverstransport-forwardingTimeouts-idleConnTimeout-2" href="#opt-serverstransport-forwardingTimeouts-idleConnTimeout-2" title="#opt-serverstransport-forwardingTimeouts-idleConnTimeout-2">`serverstransport.`
`forwardingTimeouts.idleConnTimeout`</a>	Maximum amount of time an idle (keep-alive) connection will remain idle before closing itself.
Zero means no timeout.	90s	No
<a id="opt-serverstransport-spiffe-ids-2" href="#opt-serverstransport-spiffe-ids-2" title="#opt-serverstransport-spiffe-ids-2">`serverstransport.`
`spiffe.ids`</a>	Allow SPIFFE IDs.
This takes precedence over the SPIFFE TrustDomain.		No
<a id="opt-serverstransport-spiffe-trustDomain-2" href="#opt-serverstransport-spiffe-trustDomain-2" title="#opt-serverstransport-spiffe-trustDomain-2">`serverstransport.`
`spiffe.trustDomain`</a>	Allow SPIFFE trust domain.	""	No

!!! note "CA Secret" The CA secret must contain a base64 encoded certificate under either a tls.ca or a ca.crt key.