From 9bc71b00106a3ca10f3ae20aecbfc4e67a031f2f Mon Sep 17 00:00:00 2001
From: Romain
Date: Mon, 28 Apr 2025 09:10:04 +0200
Subject: [PATCH 1/3] Add a note about how to disable connection reuse with backends

---
 docs/content/routing/overview.md | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/docs/content/routing/overview.md b/docs/content/routing/overview.md
index b49c9748b..96adbc649 100644
--- a/docs/content/routing/overview.md
+++ b/docs/content/routing/overview.md
@@ -325,6 +325,11 @@ serversTransport:
 --serversTransport.maxIdleConnsPerHost=7
 ```
 
+!!! info "Disable connection reuse"
+
+ The default value of `maxIdleConnsPerHost` is 2, and the zero value is the fallback to the default (2).
+ If you want to disable connection reuse, set `maxIdleConnsPerHost` to -1.
+
 ### `forwardingTimeouts`
 
 `forwardingTimeouts` is about a number of timeouts relevant to when forwarding requests to the backend servers.

From 448785d83058b8866fee9b123c7b1d98e2c2e651 Mon Sep 17 00:00:00 2001
From: Sheddy
Date: Wed, 7 May 2025 08:16:04 +0100
Subject: [PATCH 2/3] Add multi-tenant TLS guidance to the docs

---
 docs/content/middlewares/http/buffering.md | 2 +-
 .../{best-practices => }/content-length.md | 0
 .../tls-certs-in-multi-tenant-kubernetes.md | 38 +++++++++++++++++++
 docs/mkdocs.yml | 4 +-
 4 files changed, 41 insertions(+), 3 deletions(-)
 rename docs/content/security/{best-practices => }/content-length.md (100%)
 create mode 100644 docs/content/security/tls-certs-in-multi-tenant-kubernetes.md

diff --git a/docs/content/middlewares/http/buffering.md b/docs/content/middlewares/http/buffering.md
index 47c7d3022..8a575d566 100644
--- a/docs/content/middlewares/http/buffering.md
+++ b/docs/content/middlewares/http/buffering.md
@@ -334,4 +334,4 @@ The retry expression is defined as a logical combination of the functions below ### Content-Length -See [Best Practices: Content‑Length](../../security/best-practices/content-length.md) \ No newline at end of file +See [Best Practices: Content‑Length](../../security/content-length.md) diff --git a/docs/content/security/best-practices/content-length.md b/docs/content/security/content-length.md similarity index 100% rename from docs/content/security/best-practices/content-length.md rename to docs/content/security/content-length.md diff --git a/docs/content/security/tls-certs-in-multi-tenant-kubernetes.md b/docs/content/security/tls-certs-in-multi-tenant-kubernetes.md new file mode 100644 index 000000000..8fd7ef959 --- /dev/null +++ b/docs/content/security/tls-certs-in-multi-tenant-kubernetes.md 
@@ -0,0 +1,38 @@ +--- +title: "TLS Certificates in Multi‑Tenant Kubernetes" +description: "Isolate TLS certificates in multi‑tenant clusters by keeping Secrets and routes in the same namespace and disabling cross‑namespace look‑ups in Traefik. Read the technical guidelines." +--- + +# TLS Certificates in Multi‑Tenant Kubernetes + +In a shared cluster, different teams can create `Ingress` or `IngressRoute` objects that Traefik consumes. + +Traefik does not support multi-tenancy when using the Kubernetes `Ingress` or `IngressRoute` specifications due to the way TLS certificate management is handled. + +At the core of this limitation is the TLS Store, which holds all the TLS certificates used by Traefik. +As this Store is global in Traefik, it is shared across all namespaces, meaning any `Ingress` or `IngressRoute` in the cluster can potentially reference or affect TLS configurations intended for other tenants. + +This lack of isolation poses a risk in multi-tenant environments where different teams or applications require strict boundaries between resources, especially around sensitive data like TLS certificates. + +In contrast, the [Kubernetes Gateway API](../providers/kubernetes-gateway.md) provides better primitives for secure multi-tenancy. +Specifically, the `Listener` resource in the Gateway API allows administrators to explicitly define which Route resources (e.g., `HTTPRoute`) are permitted to bind to which domain names or ports. +This capability enforces stricter ownership and isolation, making it a safer choice for multi-tenant use cases. + +## Recommended setup + +When strict boundaries are required between resources and teams, we recommend using one Traefik instance per tenant. + +In Kubernetes one way to isolate a tenant is to restrict it to a namespace. +In that case, the namespace options from the Kubernetes [CRD](../providers/kubernetes-crd.md#namespaces) and [Ingress](../providers/kubernetes-ingress.md#namespaces) providers can be leveraged. + +!!! 
tip "Dedicate one Traefik instance per tenant using the Helm Chart" + + ```yaml + providers: + kubernetesCRD: + namespaces: + - tenant + kubernetesIngress: + namespaces: + - tenant + ``` diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml index f6ac2d1d7..e7a270874 100644 --- a/docs/mkdocs.yml +++ b/docs/mkdocs.yml @@ -167,8 +167,8 @@ nav: - 'Elastic': 'observability/tracing/elastic.md' - 'OpenTelemetry': 'observability/tracing/opentelemetry.md' - 'Security': - - 'Best Practices': - - 'security/best-practices/content-length.md' + - 'Content-Length': 'security/content-length.md' + - 'TLS in Multi-Tenant Kubernetes': 'security/tls-certs-in-multi-tenant-kubernetes.md' - 'User Guides': - 'Kubernetes and Let''s Encrypt': 'user-guides/crd-acme/index.md' - 'gRPC Examples': 'user-guides/grpc.md' From 49b598d087aa05813b1e616a77bd995a2e513d4e Mon Sep 17 00:00:00 2001 From: Patrick Evans <31580846+holysoles@users.noreply.github.com> Date: Mon, 12 May 2025 12:30:04 +0000 Subject: [PATCH 3/3] tests: create redis sentinel config with permissive perms --- integration/redis_sentinel_test.go | 3 +++ 1 file changed, 3 insertions(+) diff --git a/integration/redis_sentinel_test.go b/integration/redis_sentinel_test.go index 2dfc1d72f..6b452c0f9 100644 --- a/integration/redis_sentinel_test.go +++ b/integration/redis_sentinel_test.go @@ -92,6 +92,9 @@ func (s *RedisSentinelSuite) setupSentinelConfiguration(ports []string) { require.NoError(s.T(), err) defer tmpFile.Close() + err = tmpFile.Chmod(0o666) + require.NoError(s.T(), err) + model := structs.Map(templateValue) model["SelfFilename"] = tmpFile.Name()