traefikee Command Line Reference

The "TraefikEE" command line (traefikee) manages the elements in your TraefikEE cluster.

Synopsis

Check below the list of commands, with their respective flags.

TraefikEE (Enterprise Edition) is a Cloud Native Edge Routing Platform based on Traefik,
a modern HTTP reverse proxy and load balancer made to deploy microservices with ease.
Complete documentation is available at https://docs.containo.us.

Usage: traefikee [flags] <command> [<arguments>]

Use "traefikee <command> --help" for help on any command.

Commands:
        acme-add-account                                   Add an ACME account to the cluster
        acme-add-certificate                               Add an ACME certificate to the cluster
        acme-list-accounts                                 List all ACME accounts of a cluster and shows which is the current
        acme-list-certificates                             List all ACME certificates of a cluster
        acme-use-account                                   Sets the ACME account to use for ACME operations. (Can only be run once)
        backup                                             Deliver a new configuration to the cluster
        bootstrap                                          Initialize a new cluster
        deploy                                             Deliver a new configuration to the cluster
        env                                                Print environment variables
        healthcheck-node                                   Calls the TraefikEE ping entrypoint to check health on data nodes
        list-nodes                                         List all nodes of the cluster and their statuses
        rm-node                                            Remove nodes from the cluster
        start-control-node                                 Add a new control node to the cluster
        start-data-node                                    Add a new data node to the cluster
        support-dump                                       Gather data from the cluster to assist in support.
        update-license                                     Update the license key of the cluster
        version                                            Print versio

Commands

The TraefikEE command line (CLI) provides these commands:

Bootstrap Cluster (bootstrap)

This command initializes/recovers a TraefikEE cluster. It starts the first control node which becomes the first leader of the cluster.

Usage:

traefikee bootstrap --advertise="172.17.0.1:4242" --licensekey="XXXX"
traefikee bootstrap --advertise="172.17.0.1:4242" --licensekey="XXXX" --recovercluster --token="YYYY"

Flags:

    --advertise                      Address to advertise. Defaults to the address specified by '--listen'
    --api                            Enable cluster API on all Control Nodes                               (default "false")
    --api.address                    Address on which the API listens
    --api.metrics                    Enable metrics                                                        (default "false")
    --api.metrics.address            Address on which the data-nodes expose the metrics
    --cleanupperiod                  Period between each cluster cleanup                                   (default "5s")
    --clustername                    Name of the cluster                                                   (default "traefikee")
    --controlnodes                   Control Node count for bootstrapping cluster                          (default "1")
    --datanodegraceperiod            Period after which a down data node is removed from the cluster       (default "5s")
    --debug                          Enable debug mode                                                     (default "false")
    --frombackup                     Path to the backup archive to be restored
    --kubernetes                     Enable bootstrap token storage in the kubernetes API                  (default "false")
    --kubernetes.bearer              Bearer token to use for API access
    --kubernetes.endpoint            Kubernetes endpoint to use for API access
    --kubernetes.namespace           Namespace to use for storing secrets
    --kubernetes.secretname          Name of the secret for storing tokens
    --licensekey                     Set the license key. Overrides $TRAEFIKEE_LICENSE_KEY
    --listen                         Address to listen on                                                  (default "0.0.0.0:4242")
    --mtlscertsoutputdir             Directory in which TraefikEE Control API certificates are generated   (default "./.traefikee")
    --statedir                       Directory in which to store node state files                          (default "/var/lib/traefikee_state")
    --swarmmode                      Enable swarm mode integration                                         (default "false")
    --swarmmode.licensesecret        Name of the swarm secret in which the license is stored
    --swarmmode.network              Name of the swarm network to use
    --swarmmode.networkautodiscovery Enable automatic discovery of new swarm networks                      (default "false")
    --swarmmode.ucpbundle            Path to the UCP bundle to use to access the UCP API
    --timeout                        Timeout in seconds for bootstrapping cluster. Set to 0 to disable     (default "120")
    --traefikeectlapi                Configuration of the TraefikEE Control API                            (default "false")
    --traefikeectlapi.address        TraefikEE Control API listen address                                  (default ":55055")
    --traefikeectlapi.socket         TraefikEE Control API socket path                                     (default "/var/run/traefikeectl.sock")
    --traefikeelog                   TraefikEE log settings                                                (default "false")
    --traefikeelog.acme              Log level set to ACME logs
    --traefikeelog.cluster           Log level set to the cluster internal logs
    --traefikeelog.filepath          Traefik log file path. Stdout is used when omitted or empty
    --traefikeelog.format            Traefik log format: json | common
    --traefikeelog.traefik           Log level set to Traefik logs
    --traefikeesocket                Path to the TraefikEE socket                                          (default "/var/run/traefikee.sock")
-h, --help                           Print Help (this message) and exi

Start Control Node (start-control-node)

This command starts a control node and joins it to the TraefikEE cluster.

Usage:

traefikee start-control-node --peeraddresses=172.17.0.1:4242,172.17.0.3:4242,172.17.0.4:4242 --advertise=172.17.0.2:4242 --token="YYYY"

Flags:

    --advertise                 Address to advertise. Defaults to the listen address
    --debug                     Enable debug mode                                                               (default "false")
    --listen                    Address to listen on                                                            (default "0.0.0.0:4242")
    --peeraddresses             List of control node addresses to contact to join the cluster (Required to join
                                a cluster)
    --statedir                  Directory in which to store node state files                                    (default "/var/lib/traefikee_state")
    --swarmmode                 Enable swarm mode integration                                                   (default "false")
    --swarmmode.jointokensecret Name of the swarm secret where the control node join token is stored
    --swarmmode.network         Swarm network to use for the TraefikEE cluster.
    --token                     Cluster token (Required to join a cluster)
    --traefikeelog              TraefikEE log settings                                                          (default "false")
    --traefikeelog.acme         Log level set to ACME logs
    --traefikeelog.cluster      Log level set to the cluster internal logs
    --traefikeelog.filepath     Traefik log file path. Stdout is used when omitted or empty
    --traefikeelog.format       Traefik log format: json | common
    --traefikeelog.traefik      Log level set to Traefik logs
    --traefikeesocket           Path to the TraefikEE socket                                                    (default "/var/run/traefikee.sock")
-h, --help                      Print Help (this message) and exit

Start Data Node (start-data-node)

This command starts a data node and joins it to the TraefikEE cluster.

Usage:

traefikee start-data-node --peeraddresses=172.17.0.1:4242,172.17.0.2:4242,172.17.0.3:4242,172.17.0.4:4242 --token="ZZZZ"

Flags:

    --debug                     Enable debug mode                                                               (default "false")
    --peeraddresses             List of control node addresses to contact to join the cluster (Required to join
                                a cluster)
    --statedir                  Directory to save the node state files                                          (default "/var/lib/traefikee_state")
    --swarmmode                 Enable swarm mode integration                                                   (default "false")
    --swarmmode.jointokensecret Name of the swarm secret where the control node join token is stored
    --token                     Cluster token (Required to join a cluster)
    --traefikeelog              TraefikEE log settings                                                          (default "false")
    --traefikeelog.acme         Log level set to ACME logs
    --traefikeelog.cluster      Log level set to the cluster internal logs
    --traefikeelog.filepath     Traefik log file path. Stdout is used when omitted or empty
    --traefikeelog.format       Traefik log format: json | common
    --traefikeelog.traefik      Log level set to Traefik logs
-h, --help                      Print Help (this message) and exit

Deploy A Traefik Configuration (deploy)

This command deploys a Traefik configuration on all the TraefikEE cluster nodes.

  • The control nodes use this configuration to set the providers to listen to.
  • The data nodes use this configuration to parametrize the Reverse Proxies.

Usage:

traefikee deploy --kubernetes

Flags:

The deploy command supports all the Traefik flags.

Specific flags are available for TraefikEE:

    --accesslog                                   Access log settings                                                              (default "false")
    --accesslog.bufferingsize                     Number of access log lines to process in a buffered way. Default 0.              (default "0")
    --accesslog.fields                            AccessLogFields                                                                  (default "false")
    --accesslog.fields.defaultmode                Default mode for fields: keep | drop                                             (default "keep")
    --accesslog.fields.headers                    Headers to keep, drop or redact                                                  (default "false")
    --accesslog.fields.headers.defaultmode        Default mode for fields: keep | drop | redact                                    (default "keep")
    --accesslog.fields.headers.names              Override mode for headers                                                        (default "map[]")
    --accesslog.fields.names                      Override mode for fields                                                         (default "map[]")
    --accesslog.filepath                          Access log file path. Stdout is used when omitted or empty
    --accesslog.filters                           Access log filters, used to keep only specific access logs                       (default "false")
    --accesslog.filters.minduration               Keep access logs when request took longer than the specified duration            (default "0s")
    --accesslog.filters.retryattempts             Keep access logs when at least one retry happened                                (default "false")
    --accesslog.filters.statuscodes               Keep access logs with status codes in the specified range                        (default "[]")
    --accesslog.format                            Access log format: json | common                                                 (default "common")
    --accesslogsfile                              (Deprecated) Access logs file
    --acme                                        Enable ACME (Let's Encrypt): automatic SSL                                       (default "false")
    --acme.acmelogging                            Enable debug logging of ACME actions.                                            (default "false")
    --acme.caserver                               CA server to use.                                                                (default "(Deprecated) This configuration setting is not used in Traefik Enterprise Edition")
    --acme.delaydontcheckdns                      (Deprecated) Assume DNS propagates after a delay in seconds rather than finding  (default "0s")
                                                  and querying nameservers.
    --acme.dnschallenge                           Activate DNS-01 Challenge                                                        (default "false")
    --acme.dnschallenge.delaybeforecheck          Assume DNS propagates after a delay in seconds rather than finding and querying  (default "0s")
                                                  nameservers.
    --acme.dnschallenge.disablepropagationcheck   Disable the DNS propagation checks before notifying ACME that the DNS challenge  (default "false")
                                                  is ready. [not recommended]
    --acme.dnschallenge.provider                  Use a DNS-01 based challenge provider rather than HTTPS.
    --acme.dnschallenge.resolvers                 Use following DNS servers to resolve the FQDN authority.
    --acme.dnsprovider                            (Deprecated) Activate DNS-01 Challenge
    --acme.domains                                SANs (alternative domains) to each main domain using format:                     (default "[]")
                                                  --acme.domains='main.com,san1.com,san2.com'
                                                  --acme.domains='main.net,san1.net,san2.net'
    --acme.email                                  Email address used for registration                                              (default "(Deprecated) This configuration setting is not used in Traefik Enterprise Edition")
    --acme.entrypoint                             Entrypoint to proxy acme challenge to.
    --acme.httpchallenge                          Activate HTTP-01 Challenge                                                       (default "false")
    --acme.httpchallenge.entrypoint               HTTP challenge EntryPoint
    --acme.keytype                                KeyType used for generating certificate private key. Allow value 'EC256',
                                                  'EC384', 'RSA2048', 'RSA4096', 'RSA8192'. Default to 'RSA4096'
    --acme.ondemand                               (Deprecated) Enable on demand certificate generation. This will request a        (default "false")
                                                  certificate from Let's Encrypt during the first TLS handshake for a hostname    
                                                  that does not yet have a certificate.
    --acme.onhostrule                             Enable certificate generation on frontends Host rules.                           (default "false")
    --acme.overridecertificates                   Enable to override certificates in key-value store when using storeconfig        (default "false")
    --acme.storage                                File or key used for certificates storage.
    --acme.tlschallenge                           Activate TLS-ALPN-01 Challenge                                                   (default "false")
    --acme.tlsconfig                              TLS config in case wildcard certs are used                                       (default "false")
    --allowminweightzero                          Allow weight to take 0 as minimum real value.                                    (default "false")
    --boltdb                                      Enable Boltdb backend with default settings                                      (default "false")
    --boltdb.constraints                          Filter services by constraint, matching with Traefik tags.                       (default "[]")
    --boltdb.debugloggeneratedtemplate            Enable debug logging of generated configuration template.                        (default "false")
    --boltdb.endpoint                             Comma separated server endpoints                                                 (default "127.0.0.1:4001")
    --boltdb.filename                             Override default configuration template. For advanced users :)
    --boltdb.password                             KV Password
    --boltdb.prefix                               Prefix used for KV store                                                         (default "/traefik")
    --boltdb.templateversion                      Template version.                                                                (default "0")
    --boltdb.tls                                  Enable TLS support                                                               (default "false")
    --boltdb.tls.ca                               TLS CA
    --boltdb.tls.caoptional                       TLS CA.Optional                                                                  (default "false")
    --boltdb.tls.cert                             TLS cert
    --boltdb.tls.insecureskipverify               TLS insecure skip verify                                                         (default "false")
    --boltdb.tls.key                              TLS key
    --boltdb.trace                                Display additional provider logs (if available).                                 (default "false")
    --boltdb.username                             KV Username
    --boltdb.watch                                Watch provider                                                                   (default "true")
    --checknewversion                             Periodically check if a new version has been released                            (default "true")
    --clustername                                 Name of the cluster                                                              (default "traefikee")
-c, --configfile                                  Path to a traefik TOML configuration file
    --constraints                                 Filter services by constraint, matching with service tags                        (default "[]")
    --consul                                      Enable Consul backend with default settings                                      (default "true")
    --consul.constraints                          Filter services by constraint, matching with Traefik tags.                       (default "[]")
    --consul.debugloggeneratedtemplate            Enable debug logging of generated configuration template.                        (default "false")
    --consul.endpoint                             Comma separated server endpoints                                                 (default "127.0.0.1:8500")
    --consul.filename                             Override default configuration template. For advanced users :)
    --consul.password                             KV Password
    --consul.prefix                               Prefix used for KV store                                                         (default "traefik")
    --consul.templateversion                      Template version.                                                                (default "0")
    --consul.tls                                  Enable TLS support                                                               (default "false")
    --consul.tls.ca                               TLS CA
    --consul.tls.caoptional                       TLS CA.Optional                                                                  (default "false")
    --consul.tls.cert                             TLS cert
    --consul.tls.insecureskipverify               TLS insecure skip verify                                                         (default "false")
    --consul.tls.key                              TLS key
    --consul.trace                                Display additional provider logs (if available).                                 (default "false")
    --consul.username                             KV Username
    --consul.watch                                Watch provider                                                                   (default "true")
    --consulcatalog                               Enable Consul catalog backend with default settings                              (default "true")
    --consulcatalog.constraints                   Filter services by constraint, matching with Traefik tags.                       (default "[]")
    --consulcatalog.debugloggeneratedtemplate     Enable debug logging of generated configuration template.                        (default "false")
    --consulcatalog.domain                        Default domain used
    --consulcatalog.endpoint                      Consul server endpoint                                                           (default "127.0.0.1:8500")
    --consulcatalog.exposedbydefault              Expose Consul services by default                                                (default "true")
    --consulcatalog.filename                      Override default configuration template. For advanced users :)
    --consulcatalog.frontendrule                  Frontend rule used for Consul services                                           (default "Host:{{.ServiceName}}.{{.Domain}}")
    --consulcatalog.prefix                        Prefix used for Consul catalog tags                                              (default "traefik")
    --consulcatalog.stale                         Use stale consistency for catalog reads                                          (default "false")
    --consulcatalog.strictchecks                  Keep a Consul node only if all checks status are passing                         (default "true")
    --consulcatalog.templateversion               Template version.                                                                (default "0")
    --consulcatalog.tls                           Enable TLS support                                                               (default "true")
    --consulcatalog.tls.ca                        TLS CA
    --consulcatalog.tls.caoptional                TLS CA.Optional                                                                  (default "false")
    --consulcatalog.tls.cert                      TLS cert
    --consulcatalog.tls.insecureskipverify        TLS insecure skip verify                                                         (default "false")
    --consulcatalog.tls.key                       TLS key                                                                         
    --consulcatalog.trace                         Display additional provider logs (if available).                                 (default "false")
    --consulcatalog.watch                         Watch provider                                                                   (default "false")
-d, --debug                                       Enable debug mode                                                                (default "false")
    --defaultentrypoints                          Entrypoints to be used by frontends that do not specify any entrypoint           (default "http")
    --defaultentrypointsconfig                    Entrypoints to be used by frontends that do not specify any entrypoint           (default "http")
    --docker                                      Enable Docker backend with default settings                                      (default "false")
    --docker.constraints                          Filter services by constraint, matching with Traefik tags.                       (default "[]")
    --docker.debugloggeneratedtemplate            Enable debug logging of generated configuration template.                        (default "false")
    --docker.domain                               Default domain used
    --docker.endpoint                             Docker server endpoint. Can be a tcp or a unix socket endpoint                   (default "unix:///var/run/docker.sock")
    --docker.exposedbydefault                     Expose containers by default                                                     (default "true")
    --docker.filename                             Override default configuration template. For advanced users :)
    --docker.network                              Default Docker network used
    --docker.swarmmode                            Use Docker on Swarm Mode                                                         (default "false")
    --docker.swarmmoderefreshseconds              Polling interval for swarm mode (in seconds)                                     (default "15")
    --docker.templateversion                      Template version.                                                                (default "0")
    --docker.tls                                  Enable Docker TLS support                                                        (default "false")
    --docker.tls.ca                               TLS CA
    --docker.tls.caoptional                       TLS CA.Optional                                                                  (default "false")
    --docker.tls.cert                             TLS cert
    --docker.tls.insecureskipverify               TLS insecure skip verify                                                         (default "false")
    --docker.tls.key                              TLS key
    --docker.trace                                Display additional provider logs (if available).                                 (default "false")
    --docker.ucpbundle                            Path to a UCP bundle for use within Docker EE
    --docker.usebindportip                        Use the ip address from the bound port, rather than from the inner network       (default "false")
    --docker.watch                                Watch provider                                                                   (default "true")
    --dynamodb                                    Enable DynamoDB backend with default settings                                    (default "true")
    --dynamodb.accesskeyid                        The AWS credentials access key to use for making requests
    --dynamodb.constraints                        Filter services by constraint, matching with Traefik tags.                       (default "[]")
    --dynamodb.debugloggeneratedtemplate          Enable debug logging of generated configuration template.                        (default "false")
    --dynamodb.endpoint                           The endpoint of a dynamodb. Used for testing with a local dynamodb               
    --dynamodb.filename                           Override default configuration template. For advanced users :)
    --dynamodb.refreshseconds                     Polling interval (in seconds)                                                    (default "15")
    --dynamodb.region                             The AWS region to use for requests
    --dynamodb.secretaccesskey                    The AWS credentials secret key to use for making requests
    --dynamodb.tablename                          The AWS dynamodb table that stores configuration for traefik                     (default "traefik")
    --dynamodb.templateversion                    Template version.                                                                (default "0")
    --dynamodb.trace                              Display additional provider logs (if available).                                 (default "false")
    --dynamodb.watch                              Watch provider                                                                   (default "true")
    --ecs                                         Enable ECS backend with default settings                                         (default "true")
    --ecs.accesskeyid                             The AWS credentials access key to use for making requests
    --ecs.autodiscoverclusters                    Auto discover cluster                                                            (default "false")
    --ecs.cluster                                 deprecated - ECS Cluster name
    --ecs.clusters                                ECS Clusters name                                                                (default "[default]")
    --ecs.constraints                             Filter services by constraint, matching with Traefik tags.                       (default "[]")
    --ecs.debugloggeneratedtemplate               Enable debug logging of generated configuration template.                        (default "false")
    --ecs.domain                                  Default domain used
    --ecs.exposedbydefault                        Expose containers by default                                                     (default "true")
    --ecs.filename                                Override default configuration template. For advanced users :)
    --ecs.refreshseconds                          Polling interval (in seconds)                                                    (default "15")
    --ecs.region                                  The AWS region to use for requests
    --ecs.secretaccesskey                         The AWS credentials access key to use for making requests
    --ecs.templateversion                         Template version.                                                                (default "0")
    --ecs.trace                                   Display additional provider logs (if available).                                 (default "false")
    --ecs.watch                                   Watch provider                                                                   (default "true")
    --entrypoints                                 Entrypoints definition using format: --entryPoints='Name:http Address::8000      (default "map[]")
                                                  Redirect.EntryPoint:https' --entryPoints='Name:https Address::4442
                                                  TLS:tests/traefik.crt,tests/traefik.key;prod/traefik.crt,prod/traefik.key'
    --entrypointsconfig                           Entrypoints definition                                                           (default "map[]")
    --etcd                                        Enable Etcd backend with default settings                                        (default "true")
    --etcd.constraints                            Filter services by constraint, matching with Traefik tags.                       (default "[]")
    --etcd.debugloggeneratedtemplate              Enable debug logging of generated configuration template.                        (default "false")
    --etcd.endpoint                               Comma separated server endpoints                                                 (default "127.0.0.1:2379")
    --etcd.filename                               Override default configuration template. For advanced users :)
    --etcd.password                               KV Password
    --etcd.prefix                                 Prefix used for KV store                                                         (default "/traefik")
    --etcd.templateversion                        Template version.                                                                (default "0")
    --etcd.tls                                    Enable TLS support                                                               (default "false")
    --etcd.tls.ca                                 TLS CA
    --etcd.tls.caoptional                         TLS CA.Optional                                                                  (default "false")
    --etcd.tls.cert                               TLS cert
    --etcd.tls.insecureskipverify                 TLS insecure skip verify                                                         (default "false")
    --etcd.tls.key                                TLS key
    --etcd.trace                                  Display additional provider logs (if available).                                 (default "false")
    --etcd.useapiv3                               Use ETCD API V3                                                                  (default "false")
    --etcd.username                               KV Username
    --etcd.watch                                  Watch provider                                                                   (default "true")
    --eureka                                      Enable Eureka backend with default settings                                      (default "true")
    --eureka.constraints                          Filter services by constraint, matching with Traefik tags.                       (default "[]")
    --eureka.debugloggeneratedtemplate            Enable debug logging of generated configuration template.                        (default "false")
    --eureka.delay                                Override default configuration time between refresh (Deprecated)                 (default "0s")
    --eureka.endpoint                             Eureka server endpoint
    --eureka.filename                             Override default configuration template. For advanced users :)
    --eureka.refreshseconds                       Override default configuration time between refresh                              (default "30s")
    --eureka.templateversion                      Template version.                                                                (default "0")
    --eureka.trace                                Display additional provider logs (if available).                                 (default "false")
    --eureka.watch                                Watch provider                                                                   (default "false")
    --forwardingtimeouts                          Timeouts for requests forwarded to the backend servers                           (default "false")
    --forwardingtimeouts.dialtimeout              The amount of time to wait until a connection to a backend server can be         (default "30s")
                                                  established. Defaults to 30 seconds. If zero, no timeout exists
    --forwardingtimeouts.responseheadertimeout    The amount of time to wait for a server's response headers after fully writing   (default "0s")
                                                  the request (including its body, if any). If zero, no timeout exists
-g, --gracetimeout                                (Deprecated) Duration to give active requests a chance to finish before Traefik  (default "0s")
                                                  stops
    --healthcheck                                 Health check parameters                                                          (default "false")
    --healthcheck.interval                        Default periodicity of enabled health checks                                     (default "30s")
    --hostresolver                                Enable CNAME Flattening                                                          (default "false")
    --hostresolver.cnameflattening                A flag to enable/disable CNAME flattening                                        (default "false")
    --hostresolver.resolvconfig                   resolv.conf used for DNS resolving                                               (default "/etc/resolv.conf")
    --hostresolver.resolvdepth                    The maximal depth of DNS recursive resolving                                     (default "5")
    --idletimeout                                 (Deprecated) maximum amount of time an idle (keep-alive) connection will remain  (default "0s")
                                                  idle before closing itself.
    --insecureskipverify                          Disable SSL certificate verification                                             (default "false")
    --kubernetes                                  Enable Kubernetes backend with default settings                                  (default "false")
    --kubernetes.certauthfilepath                 Kubernetes certificate authority file path (not needed for in-cluster client)
    --kubernetes.constraints                      Filter services by constraint, matching with Traefik tags.                       (default "[]")
    --kubernetes.debugloggeneratedtemplate        Enable debug logging of generated configuration template.                        (default "false")
    --kubernetes.disablepasshostheaders           Kubernetes disable PassHost Headers                                              (default "false")
    --kubernetes.enablepasstlscert                Kubernetes enable Pass TLS Client Certs                                          (default "false")
    --kubernetes.endpoint                         Kubernetes server endpoint (required for external cluster client)
    --kubernetes.filename                         Override default configuration template. For advanced users :)
    --kubernetes.ingressclass                     Value of kubernetes.io/ingress.class annotation to watch for
    --kubernetes.ingressendpoint                  Kubernetes Ingress Endpoint                                                      (default "false")
    --kubernetes.ingressendpoint.hostname         Hostname used for Kubernetes Ingress endpoints
    --kubernetes.ingressendpoint.ip               IP used for Kubernetes Ingress endpoints
    --kubernetes.ingressendpoint.publishedservice Published Kubernetes Service to copy status from
    --kubernetes.labelselector                    Kubernetes Ingress label selector to use
    --kubernetes.namespaces                       Kubernetes namespaces                                                            (default "[]")
    --kubernetes.templateversion                  Template version.                                                                (default "0")
    --kubernetes.throttleduration                 Ingress refresh throttle duration                                                (default "0s")
    --kubernetes.token                            Kubernetes bearer token (not needed for in-cluster client)
    --kubernetes.trace                            Display additional provider logs (if available).                                 (default "false")
    --kubernetes.watch                            Watch provider                                                                   (default "true")
    --lifecycle                                   Timeouts influencing the server life cycle                                       (default "true")
    --lifecycle.gracetimeout                      Duration to give active requests a chance to finish before Traefik stops         (default "10s")
    --lifecycle.requestacceptgracetimeout         Duration to keep accepting requests before Traefik initiates the graceful        (default "0s")
                                                  shutdown procedure
-l, --loglevel                                    Log level
    --marathon                                    Enable Marathon backend with default settings                                    (default "true")
    --marathon.basic                              Enable basic authentication                                                      (default "true")
    --marathon.basic.httpbasicauthuser            Basic authentication User
    --marathon.basic.httpbasicpassword            Basic authentication Password
    --marathon.constraints                        Filter services by constraint, matching with Traefik tags.                       (default "[]")
    --marathon.dcostoken                          DCOSToken for DCOS environment, This will override the Authorization header
    --marathon.debugloggeneratedtemplate          Enable debug logging of generated configuration template.                        (default "false")
    --marathon.dialertimeout                      Set a dialer timeout for Marathon                                                (default "5s")
    --marathon.domain                             Default domain used
    --marathon.endpoint                           Marathon server endpoint. You can also specify multiple endpoint for Marathon    (default "http://127.0.0.1:8080")
    --marathon.exposedbydefault                   Expose Marathon apps by default                                                  (default "true")
    --marathon.filename                           Override default configuration template. For advanced users :)
    --marathon.filtermarathonconstraints          Enable use of Marathon constraints in constraint filtering                       (default "false")
    --marathon.forcetaskhostname                  Force to use the task's hostname.                                                (default "false")
    --marathon.groupsassubdomains                 Convert Marathon groups to subdomains                                            (default "false")
    --marathon.keepalive                          Set a TCP Keep Alive time in seconds                                             (default "10s")
    --marathon.marathonlbcompatibility            Add compatibility with marathon-lb labels                                        (default "false")
    --marathon.respectreadinesschecks             Filter out tasks with non-successful readiness checks during deployments         (default "false")
    --marathon.responseheadertimeout              Set a response header timeout for Marathon                                       (default "1m0s")
    --marathon.templateversion                    Template version.                                                                (default "0")
    --marathon.tls                                Enable TLS support                                                               (default "false")
    --marathon.tls.ca                             TLS CA
    --marathon.tls.caoptional                     TLS CA.Optional                                                                  (default "false")
    --marathon.tls.cert                           TLS cert
    --marathon.tls.insecureskipverify             TLS insecure skip verify                                                         (default "false")
    --marathon.tls.key                            TLS key
    --marathon.tlshandshaketimeout                Set a TLS handhsake timeout for Marathon                                         (default "5s")
    --marathon.trace                              Display additional provider logs (if available).                                 (default "false")
    --marathon.watch                              Watch provider                                                                   (default "true")
    --maxidleconnsperhost                         If non-zero, controls the maximum idle (keep-alive) to keep per-host.  If zero,  (default "200")
                                                  DefaultMaxIdleConnsPerHost is used
    --mesos                                       Enable Mesos backend with default settings                                       (default "true")
    --mesos.constraints                           Filter services by constraint, matching with Traefik tags.                       (default "[]")
    --mesos.debugloggeneratedtemplate             Enable debug logging of generated configuration template.                        (default "false")
    --mesos.domain                                Default domain used
    --mesos.endpoint                              Mesos server endpoint. You can also specify multiple endpoint for Mesos          (default "http://127.0.0.1:5050")
    --mesos.exposedbydefault                      Expose Mesos apps by default                                                     (default "true")
    --mesos.filename                              Override default configuration template. For advanced users :)
    --mesos.groupsassubdomains                    Convert Mesos groups to subdomains                                               (default "false")
    --mesos.ipsources                             IPSources (e.g. host, docker, mesos, netinfo)
    --mesos.refreshseconds                        Polling interval (in seconds)                                                    (default "30")
    --mesos.statetimeoutsecond                    HTTP Timeout (in seconds)                                                        (default "30")
    --mesos.templateversion                       Template version.                                                                (default "0")
    --mesos.trace                                 Display additional provider logs (if available).                                 (default "false")
    --mesos.watch                                 Watch provider                                                                   (default "true")
    --mesos.zkdetectiontimeout                    Zookeeper timeout (in seconds)                                                   (default "30")
    --metrics                                     Enable a metrics exporter                                                        (default "true")
    --metrics.datadog                             DataDog metrics exporter type                                                    (default "true")
    --metrics.datadog.address                     DataDog's address                                                                (default "localhost:8125")
    --metrics.datadog.pushinterval                DataDog push interval                                                            (default "10s")
    --metrics.influxdb                            InfluxDB metrics exporter type                                                   (default "true")
    --metrics.influxdb.address                    InfluxDB address                                                                 (default "localhost:8089")
    --metrics.influxdb.database                   InfluxDB database used when protocol is http
    --metrics.influxdb.protocol                   InfluxDB address protocol (udp or http)                                          (default "udp")
    --metrics.influxdb.pushinterval               InfluxDB push interval                                                           (default "10s")
    --metrics.influxdb.retentionpolicy            InfluxDB retention policy used when protocol is http
    --metrics.prometheus                          Prometheus metrics exporter type                                                 (default "true")
    --metrics.prometheus.buckets                  Buckets for latency metrics                                                      (default "[0.1 0.3 1.2 5]")
    --metrics.prometheus.entrypoint               EntryPoint                                                                       (default "traefik")
    --metrics.statsd                              StatsD metrics exporter type                                                     (default "true")
    --metrics.statsd.address                      StatsD address                                                                   (default "localhost:8125")
    --metrics.statsd.pushinterval                 StatsD push interval                                                             (default "10s")
    --providersthrottleduration                   Backends throttle duration: minimum duration between 2 events from providers     (default "2s")
                                                  before applying a new configuration. It avoids unnecessary reloads if multiples
                                                  events are sent in a short amount of time.
    --rancher                                     Enable Rancher backend with default settings                                     (default "true")
    --rancher.accesskey                           Rancher server API access key
    --rancher.api                                 Enable the Rancher API provider                                                  (default "true")
    --rancher.api.accesskey                       Rancher server API access key
    --rancher.api.endpoint                        Rancher server API HTTP(S) endpoint
    --rancher.api.secretkey                       Rancher server API secret key
    --rancher.constraints                         Filter services by constraint, matching with Traefik tags.                       (default "[]")
    --rancher.debugloggeneratedtemplate           Enable debug logging of generated configuration template.                        (default "false")
    --rancher.domain                              Default domain used
    --rancher.enableservicehealthfilter           Filter services with unhealthy states and inactive states                        (default "false")
    --rancher.endpoint                            Rancher server API HTTP(S) endpoint
    --rancher.exposedbydefault                    Expose services by default                                                       (default "true")
    --rancher.filename                            Override default configuration template. For advanced users :)
    --rancher.metadata                            Enable the Rancher metadata service provider                                     (default "true")
    --rancher.metadata.intervalpoll               Poll the Rancher metadata service every 'rancher.refreshseconds' (less accurate) (default "false")
    --rancher.metadata.prefix                     Prefix used for accessing the Rancher metadata service
    --rancher.refreshseconds                      Polling interval (in seconds)                                                    (default "15")
    --rancher.secretkey                           Rancher server API secret key
    --rancher.templateversion                     Template version.                                                                (default "0")
    --rancher.trace                               Display additional provider logs (if available).                                 (default "false")
    --rancher.watch                               Watch provider                                                                   (default "true")
    --respondingtimeouts                          Timeouts for incoming requests to the Traefik instance                           (default "true")
    --respondingtimeouts.idletimeout              IdleTimeout is the maximum amount duration an idle (keep-alive) connection will  (default "3m0s")
                                                  remain idle before closing itself. Defaults to 180 seconds. If zero, no timeout
                                                  is set
    --respondingtimeouts.readtimeout              ReadTimeout is the maximum duration for reading the entire request, including    (default "0s")
                                                  the body. If zero, no timeout is set
    --respondingtimeouts.writetimeout             WriteTimeout is the maximum duration before timing out writes of the response.   (default "0s")
                                                  If zero, no timeout is set
    --rest                                        Enable Rest backend with default settings                                        (default "true")
    --rest.entrypoint                             EntryPoint                                                                       (default "traefik")
    --retry                                       Enable retry sending request if network error                                    (default "true")
    --retry.attempts                              Number of attempts                                                               (default "0")
    --rootcas                                     Add cert file for self-signed certificate
    --sendanonymoususage                          send periodically anonymous usage statistics                                     (default "false")
    --servicefabric                               Enable Service Fabric backend with default settings                              (default "false")
    --servicefabric.apiversion                    Service Fabric API version
    --servicefabric.appinsightsbatchsize          Number of trace lines per batch, optional                                        (default "0")
    --servicefabric.appinsightsclientname         The client name, Identifies the cloud instance
    --servicefabric.appinsightsinterval           The interval for sending data to Application Insights, optional                  (default "0s")
    --servicefabric.appinsightskey                Application Insights Instrumentation Key
    --servicefabric.clustermanagementurl          Service Fabric API endpoint
    --servicefabric.constraints                   Filter services by constraint, matching with Traefik tags.                       (default "[]")
    --servicefabric.debugloggeneratedtemplate     Enable debug logging of generated configuration template.                        (default "false")
    --servicefabric.filename                      Override default configuration template. For advanced users :)
    --servicefabric.refreshseconds                Polling interval (in seconds)                                                    (default "0s")
    --servicefabric.templateversion               Template version.                                                                (default "0")
    --servicefabric.tls                           Enable TLS support                                                               (default "false")
    --servicefabric.tls.ca                        TLS CA
    --servicefabric.tls.caoptional                TLS CA.Optional                                                                  (default "false")
    --servicefabric.tls.cert                      TLS cert
    --servicefabric.tls.insecureskipverify        TLS insecure skip verify                                                         (default "false")
    --servicefabric.tls.key                       TLS key
    --servicefabric.trace                         Display additional provider logs (if available).                                 (default "false")
    --servicefabric.watch                         Watch provider                                                                   (default "false")
    --tracing                                     OpenTracing configuration                                                        (default "false")
    --tracing.backend                             Selects the tracking backend ('jaeger','zipkin', 'datadog').                     (default "jaeger")
    --tracing.datadog                             Settings for DataDog                                                             (default "false")
    --tracing.datadog.bagageprefixheadername      specifies the header name prefix that will be used to store baggage items in a
                                                  map.
    --tracing.datadog.debug                       Enable DataDog debug.                                                            (default "false")
    --tracing.datadog.globaltag                   Key:Value tag to be set on all the spans.
    --tracing.datadog.localagenthostport          Set datadog-agent's host:port that the reporter will used. Defaults to           (default "localhost:8126")
                                                  localhost:8126
    --tracing.datadog.parentidheadername          Specifies the header name that will be used to store the parent ID.
    --tracing.datadog.prioritysampling            Enable priority sampling. When using distributed tracing, this option must be    (default "false")
                                                  enabled in order to get all the parts of a distributed trace sampled.
    --tracing.datadog.samplingpriorityheadername  Specifies the header name that will be used to store the sampling priority.
    --tracing.datadog.traceidheadername           Specifies the header name that will be used to store the trace ID.
    --tracing.jaeger                              Settings for jaeger                                                              (default "false")
    --tracing.jaeger.localagenthostport           set jaeger-agent's host:port that the reporter will used.                        (default "127.0.0.1:6831")
    --tracing.jaeger.samplingparam                set the sampling parameter.                                                      (default "1")
    --tracing.jaeger.samplingserverurl            set the sampling server url.                                                     (default "http://localhost:5778/sampling")
    --tracing.jaeger.samplingtype                 set the sampling type.                                                           (default "const")
    --tracing.jaeger.tracecontextheadername       set the header to use for the trace-id.                                          (default "uber-trace-id")
    --tracing.servicename                         Set the name for this service                                                    (default "traefik")
    --tracing.spannamelimit                       Set the maximum character limit for Span names (default 0 = no limit)            (default "0")
    --tracing.zipkin                              Settings for zipkin                                                              (default "false")
    --tracing.zipkin.debug                        Enable Zipkin debug.                                                             (default "false")
    --tracing.zipkin.httpendpoint                 HTTP Endpoint to report traces to.                                               (default "http://localhost:9411/api/v1/spans")
    --tracing.zipkin.id128bit                     Use ZipKin 128 bit root span IDs.                                                (default "true")
    --tracing.zipkin.samespan                     Use ZipKin SameSpan RPC style traces.                                            (default "false")
    --traefiklog                                  Traefik log settings                                                             (default "false")
    --traefiklog.filepath                         Traefik log file path. Stdout is used when omitted or empty
    --traefiklog.format                           Traefik log format: json | common                                                (default "common")
    --traefiklogsfile                             (Deprecated) Traefik logs file. Overrides stdout
    --verbose                                     Enable verbose logs                                                              (default "false")
    --web                                         (Deprecated) Enable Web backend with default settings                            (default "false")
    --web.address                                 (Deprecated) Web administration port                                             (default ":8080")
    --web.certfile                                (Deprecated) SSL certificate
    --web.keyfile                                 (Deprecated) SSL certificate
    --web.metrics                                 (Deprecated) Enable a metrics exporter                                           (default "false")
    --web.metrics.datadog                         DataDog metrics exporter type                                                    (default "false")
    --web.metrics.datadog.address                 DataDog's address                                                                (default "localhost:8125")
    --web.metrics.datadog.pushinterval            DataDog push interval                                                            (default "10s")
    --web.metrics.influxdb                        InfluxDB metrics exporter type                                                   (default "false")
    --web.metrics.influxdb.address                InfluxDB address                                                                 (default "localhost:8089")
    --web.metrics.influxdb.database               InfluxDB database used when protocol is http
    --web.metrics.influxdb.protocol               InfluxDB address protocol (udp or http)                                          (default "udp")
    --web.metrics.influxdb.pushinterval           InfluxDB push interval                                                           (default "10s")
    --web.metrics.influxdb.retentionpolicy        InfluxDB retention policy used when protocol is http
    --web.metrics.prometheus                      Prometheus metrics exporter type                                                 (default "false")
    --web.metrics.prometheus.buckets              Buckets for latency metrics                                                      (default "[0.1 0.3 1.2 5]")
    --web.metrics.prometheus.entrypoint           EntryPoint                                                                       (default "traefik")
    --web.metrics.statsd                          StatsD metrics exporter type                                                     (default "false")
    --web.metrics.statsd.address                  StatsD address                                                                   (default "localhost:8125")
    --web.metrics.statsd.pushinterval             StatsD push interval                                                             (default "10s")
    --web.path                                    (Deprecated) Root path for dashboard and API
    --web.readonly                                (Deprecated) Enable read only API                                                (default "false")
    --web.statistics                              (Deprecated) Enable more detailed statistics                                     (default "false")
    --web.statistics.recenterrors                 Number of recent errors logged                                                   (default "10")
    --zookeeper                                   Enable Zookeeper backend with default settings                                   (default "false")
    --zookeeper.constraints                       Filter services by constraint, matching with Traefik tags.                       (default "[]")
    --zookeeper.debugloggeneratedtemplate         Enable debug logging of generated configuration template.                        (default "false")
    --zookeeper.endpoint                          Comma separated server endpoints                                                 (default "127.0.0.1:2181")
    --zookeeper.filename                          Override default configuration template. For advanced users :)
    --zookeeper.password                          KV Password
    --zookeeper.prefix                            Prefix used for KV store                                                         (default "traefik")
    --zookeeper.templateversion                   Template version.                                                                (default "0")
    --zookeeper.tls                               Enable TLS support                                                               (default "false")
    --zookeeper.tls.ca                            TLS CA
    --zookeeper.tls.caoptional                    TLS CA.Optional                                                                  (default "false")
    --zookeeper.tls.cert                          TLS cert
    --zookeeper.tls.insecureskipverify            TLS insecure skip verify                                                         (default "false")
    --zookeeper.tls.key                           TLS key
    --zookeeper.trace                             Display additional provider logs (if available).                                 (default "false")
    --zookeeper.username                          KV Username
    --zookeeper.watch                             Watch provider                                                                   (default "true")
-h, --help                                        Print Help (this message) and exit
API and Metrics

The flags --api and --metrics have an extended usage in TraefikEE:

  • --api makes the cluster API enabled on all the control nodes
  • --metrics makes the metrics section enabled in the cluster API/dashboard These metrics contain information about all the cluster nodes

Backup a cluster (backup)

This command generates a backup of the state of a TraefikEE cluster.

Usage:

traefikee backup
traefikee backup --statedir='/var/run/traefikee_state'
traefikee backup --archivepath='/mnt/backup/traefikee.backup' --archivetype='zip'

Flags:

    --archivepath      Path of the archive to create                                             (default "traefikee-backup")
    --archivetype      Type of the archive to create                                             (default "tar")
    --controlapisocket Path to the TraefikEE Control API socket                                  (default "/var/run/traefikeectl.sock")
    --debug            Enable verbose logging                                                    (default "false")
    --force            Force new backup, canceling already running backup and starting a new one (default "false")
-h, --help             Print Help (this message) and exit

Show Cluster Nodes (list-nodes)

This command provides a listing of all the TraefikEE cluster nodes.

Usage:

traefikee list-nodes

Flags:

    --details         Display additional information on the nodes (default "false")
-s, --traefikeesocket Path to the TraefikEE socket                (default "/var/run/traefikee.sock")
-h, --help            Print Help (this message) and exit

Set Environment Variables (env)

This command prints the environment variables of the node, including the TraefikEE tokens.

Usage:

traefikee env

Flags:

-s, --traefikeesocket Path to the TraefikEE socket       (default "/var/run/traefikee.sock")
-h, --help            Print Help (this message) and exit

Remove Node From Cluster (rm-node)

This command removes one or more nodes from the TraefikEE cluster.

Usage:

traefikee rm-node --node=AAAA
traefikee rm-node --down

Flags:

-d, --down            Set whether or not all down nodes should be removed (default "false")
-n, --node            ID of the node to remove
-s, --traefikeesocket Path to the TraefikEE socket                        (default "/var/run/traefikee.sock")
-h, --help            Print Help (this message) and exit

Update the TraefikEE License (update-license)

This command updates the TraefikEE license, without reloading the cluster.

Usage:

traefikee update-license --licensekey=XXXX

Flags:

    --licensekey The new license key for TraefikEE to use
-s, --traefikeesock Path to the TraefikEE socket             (default "/var/run/traefikee.sock")
-h, --help          Print Help (this message) and exit

Show version (version)

This command shows the TraefikEE version.

Usage:

traefikee version

Flags:

-h, --help Print Help (this message) and exit

Check Data Node availability (healthcheck-node)

This command checks the health status of the data nodes by calling the TraefikEE ping entrypoint. Its exit status is 0 if Traefik is healthy and 1 if it is unhealthy.

This can be used with Docker HEALTHCHECK instruction or any other health check orchestration mechanism like Kubernetes liveness probe and Swarm healthcheck.

Usage:

traefikee healthcheck-node

Flags:

-h, --help Print Help (this message) and exit
Where to use it?

This command should only be used on data nodes. On the control nodes, it will always exit in error.

List ACME Accounts (acme-list-accounts)

This command lists the ACME accounts available in your cluster. It also displays which is the current ACME account used.

traefikee acme-list-accounts --controlapisocket="/var/traefikeectl.sock"

Flags:

    --controlapisocket Path to the TraefikEE Control API socket (default "/var/run/traefikeectl.sock")
-h, --help             Print Help (this message) and exi

Use an ACME account

This command sets the ACME account to use for ACME operations. It is referenced by the account name defined when creating or importing an account.

One time operation

You can only run this command once per installed cluster.

Usage:

traefikee acme-use-account --name=my-account

Flags:

    --controlapisocket Path to the TraefikEE control API socket (default "/var/run/traefikeectl.sock")
    --name             Name of the ACME account to use
-h, --help             Print Help (this message) and exit

Add ACME Account (acme-add-account)

This command enables to add a new account to the TraefiKEE ACME account pool. It can be used to create a new account or to import an existing one.

Usage:

# Create a new account
traefikee acme-add-account \
  --name=acme-account \
  [email protected] \
  --caserver=https://ca.server.com

# Import an existing account
traefikee acme-add-account \
  --name=acme-account \
  [email protected] \
  --caserver=https://ca.server.com \
  --privatekey=./key.pem \
  --uri=https://ca.server.com/id

Flags:

    --backupaccount    JSON file from a TraefikEE Backup containing the account data
    --caserver         CAServer to register with                                                       (default "https://acme-v02.api.letsencrypt.org/directory")
    --controlapisocket Path to the TraefikEE control API socket                                        (default "/var/run/traefikeectl.sock")
    --email            Email of the ACME account
    --keytype          Type of the private key                                                         (default "RSA4096")
    --name             Name of the ACME account
    --privatekey       Filepath or content containing private key in PEM or base64 encoded PEM content
                       format (for existing account)
    --uri              Registration URI (for existing account)
    --use              Set this account as the current ACME account for this cluster (irreversible)    (default "false")
-h, --help             Print Help (this message) and exi

Add ACME Certificate (acme-add-certificate)

This command enables to add a new certificate to the TraefiKEE ACME certificate pool. It can be used to create a new certificate or to import an existing one.

Usage:

# Import a certificate from a backup file
traefikee acme-add-certificate \
  --backupcert="/path/to/cert.json" \
  --accountname="myaccount"

# Import a certificate from PEM encoded files
traefikee acme-add-certificate \
  --certfile="/path/to/cert.pem" \
  --keyfile="/path/to/key.pem" \
  --accountname="myaccount"

Flags:

    --accountname      ACME Account to link to the certificate
    --backupcert       JSON file from a TraefikEE Backup containing the certificate data
    --certfile         PEM-encoded certificate to be imported
    --controlapisocket Path to the TraefikEE control API socket                          (default "/var/run/traefikeectl.sock")
    --keyfile          PEM-encoded certificate key to be imported
-h, --help             Print Help (this message) and exi

List ACME Certificates (acme-list-certificates)

This command enables to list ACME certificates available in your cluster.

Usage:

traefikee acme-list-certificates

# The option `--notrunc` prevents the output of this command from being truncated.
traefikee acme-list-certificates --notrunc

Flags:

    --controlapisocket Path to the TraefikEE Control API socket (default "/var/run/traefikeectl.sock")
    --notrunc          Do not truncate output                   (default "false")
-h, --help             Print Help (this message) and exit

Support Dump (support-dump)

This command generates a dump file with information about the TrafikEE cluster

Usage:

traefikee support-dump

# The option `--outputpath` specify the full path for the output file.
traefikee support-dump --outputpath=/tmp/dump.tar.gz

# The option `--clustername` specify the TraefikEE cluster name.
traefikee support-dump --clustername="mycluster"

Flags:

    --clustername      Name of the cluster                      (default "traefikee")
    --controlapisocket Path to the TraefikEE Control API socket (default "/var/run/traefikeectl.sock")
    --outputpath       Output path for the dump file            (default "traefikee-support-dump")
-h, --help             Print Help (this message) and exi