SPIFFE

Secure the backend connection with SPIFFE.

SPIFFE (Secure Production Identity Framework For Everyone) provides a secure identity, in the form of a specially crafted X.509 certificate, to every workload in an environment.

Traefik is able to connect to the Workload API to obtain an X509-SVID, which it then uses to secure its connections to SPIFFE-enabled backends.

Configuration

General

Enabling SPIFFE is part of the static configuration. It can be defined by using a file (YAML or TOML) or CLI arguments.

Workload API

The workloadAPIAddr configuration defines the address of the SPIFFE Workload API.

Enabling SPIFFE in ServersTransports

Enabling SPIFFE does not mean that backend connections will use it automatically. Each ServersTransport or TCPServersTransport that is meant to be secured with SPIFFE must explicitly enable it (see SPIFFE with ServersTransport or SPIFFE with TCPServersTransport).

SPIFFE can cause Traefik to stall

When using SPIFFE, Traefik waits for the first SVID to be delivered before starting. If Traefik hangs while waiting for SVID delivery, double-check that it is correctly registered as a workload in your SPIFFE infrastructure.

File (YAML)

  ## Static configuration
  spiffe:
    workloadAPIAddr: localhost

File (TOML)

  ## Static configuration
  [spiffe]
    workloadAPIAddr = "localhost"

CLI

  ## Static configuration
  --spiffe.workloadAPIAddr=localhost