homelab/traefik
1
0
Fork 0
Code Activity

Merge current v2.11 into v3.4

Browse source
This commit is contained in:
mmatur 2025-05-12 15:06:32 +02:00
commit 0dc5b7d013
No known key found for this signature in database
GPG key ID: 2FFE42FC256CFF8E
6 changed files with 49 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

2
docs/content/middlewares/http/buffering.md
View file

@ -267,4 +267,4 @@ The retry expression is defined as a logical combination of the functions below
### Content-Length
See [Best Practices: ContentLength](../../security/best-practices/content-length.md)
See [Best Practices: ContentLength](../../security/content-length.md)

5
docs/content/routing/overview.md
View file

@ -327,6 +327,11 @@ serversTransport:
--serversTransport.maxIdleConnsPerHost=7
```
!!! info "Disable connection reuse"
The default value of `maxIdleConnsPerHost` is 2, and the zero value is the fallback to the default (2).
If you want to disable connection reuse, set `maxIdleConnsPerHost` to -1.
#### `spiffe`
Please note that [SPIFFE](../https/spiffe.md) must be enabled in the static configuration

0
docs/content/security/best-practices/content-length.md → docs/content/security/content-length.md
View file

38
docs/content/security/tls-certs-in-multi-tenant-kubernetes.md Normal file
View file

@ -0,0 +1,38 @@
---
title: "TLS Certificates in MultiTenant Kubernetes"
description: "Isolate TLS certificates in multitenant clusters by keeping Secrets and routes in the same namespace and disabling crossnamespace lookups in Traefik. Read the technical guidelines."
---
# TLS Certificates in MultiTenant Kubernetes
In a shared cluster, different teams can create `Ingress` or `IngressRoute` objects that Traefik consumes.
Traefik does not support multi-tenancy when using the Kubernetes `Ingress` or `IngressRoute` specifications due to the way TLS certificate management is handled.
At the core of this limitation is the TLS Store, which holds all the TLS certificates used by Traefik.
As this Store is global in Traefik, it is shared across all namespaces, meaning any `Ingress` or `IngressRoute` in the cluster can potentially reference or affect TLS configurations intended for other tenants.
This lack of isolation poses a risk in multi-tenant environments where different teams or applications require strict boundaries between resources, especially around sensitive data like TLS certificates.
In contrast, the [Kubernetes Gateway API](../providers/kubernetes-gateway.md) provides better primitives for secure multi-tenancy.
Specifically, the `Listener` resource in the Gateway API allows administrators to explicitly define which Route resources (e.g., `HTTPRoute`) are permitted to bind to which domain names or ports.
This capability enforces stricter ownership and isolation, making it a safer choice for multi-tenant use cases.
## Recommended setup
When strict boundaries are required between resources and teams, we recommend using one Traefik instance per tenant.
In Kubernetes one way to isolate a tenant is to restrict it to a namespace.
In that case, the namespace options from the Kubernetes [CRD](../providers/kubernetes-crd.md#namespaces) and [Ingress](../providers/kubernetes-ingress.md#namespaces) providers can be leveraged.
!!! tip "Dedicate one Traefik instance per tenant using the Helm Chart"
```yaml
providers:
kubernetesCRD:
namespaces:
- tenant
kubernetesIngress:
namespaces:
- tenant
```