Configuring Typha
- Operator
- Manifest
Typha configuration cannot be modified when Calico Enterprise is installed via the operator.
Configuration for Typha is read from one of two possible locations, in order, as follows.
-
Environment variables, prefixed with
TYPHA_. -
The Typha configuration file. The path to this file defaults to
/etc/calico/typha.cfgbut can be overridden using the-cor--config-fileoptions on the command line.
The value of any configuration parameter is the value read from the first location containing a value. For example, if an environment variable contains a value, it takes precedence.
If not set in any of these locations, most configuration parameters have defaults, and it should be rare to have to explicitly set them.
The full list of parameters which can be set is as follows.
General configuration
| Configuration parameter | Environment variable | Description | Schema |
|---|---|---|---|
DatastoreType | TYPHA_DATASTORETYPE | The datastore that Typha should read endpoints and policy information from. [Default: etcdv3] | etcdv3, kubernetes |
HealthEnabled | TYPHA_HEALTHENABLED | When enabled, exposes Typha health information via an http endpoint. | boolean |
HealthPort | TYPHA_HEALTHPORT | The port that Typha will serve health information over. [Default: 9098] | int |
HealthHost | TYPHA_HEALTHHOST | The address that Typha will bind its health endpoint to. [Default: localhost] | string |
LogFilePath | TYPHA_LOGFILEPATH | The full path to the Typha log. Set to none to disable file logging. [Default: /var/log/calico/typha.log] | string |
LogSeverityFile | TYPHA_LOGSEVERITYFILE | The log severity above which logs are sent to the log file. [Default: Info] | Debug, Info, Warning, Error, Fatal |
LogSeverityScreen | TYPHA_LOGSEVERITYSCREEN | The log severity above which logs are sent to the stdout. [Default: Info] | Debug, Info, Warning, Error, Fatal |
LogSeveritySys | TYPHA_LOGSEVERITYSYS | The log severity above which logs are sent to the syslog. Set to "" for no logging to syslog. [Default: Info] | Debug, Info, Warning, Error, Fatal |
PrometheusGoMetricsEnabled | TYPHA_PROMETHEUSGOMETRICSENABLED | Set to false to disable Go runtime metrics collection, which the Prometheus client does by default. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] | boolean |
PrometheusMetricsEnabled | TYPHA_PROMETHEUSMETRICSENABLED | Set to true to enable the Prometheus metrics server in Typha. [Default: false] | boolean |
PrometheusMetricsHost | TYPHA_PROMETHEUSMETRICSHOST | TCP network address that the Prometheus metrics server should bind to. [Default: ""] | string |
PrometheusMetricsPort | TYPHA_PROMETHEUSMETRICSPORT | TCP port that the Prometheus metrics server should bind to. [Default: 9091] | int |
PrometheusProcessMetricsEnabled | TYPHA_PROMETHEUSPROCESSMETRICSENABLED | Set to false to disable process metrics collection, which the Prometheus client does by default. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] | boolean |
ServerHandshakeTimeoutSecs | TYPHA_SERVERHANDSHAKETIMEOUTSECS | Maximum time that Typha server should wait for the client TLS handshake to be performed. | int |
ShutdownTimeoutSecs | TYPHA_SHUTDOWNTIMEOUTSECS | Maximum time that Typha should take to do a graceful shut down. In Kubernetes, this should match Typha's terminationGracePeriodSeconds. | int |
ShutdownConnectionDropIntervalMaxSecs | TYPHA_SHUTDOWNCONNECTIONDROPINTERVALMAXSECS | Maximum time between terminating two connections when doing a graceful shutdown. Prevents very slow shut downs if ShutdownTimeoutSecs is large but Typha only has a small number of clients. | int |
By default, if the health endpoint is enabled Typha listens on localhost. However, if Typha is used in
Kubernetes, the kubelet will do health checks using the pod IP. To work around this discrepancy, the Typha image
supports a health-check CLI command that fetches the health endpoint:
calico-typha check (readiness|liveness) --port=<port>. If you modify the health port, you will need to add the
--port=<port> argument to the liveness and readiness probe commands in the manifest.
Kubernetes API datastore configuration
The Kubernetes API datastore driver reads its configuration from Kubernetes-provided environment variables.
Calico Enterprise specific configuration
| Setting | Environment variable | Default | Meaning |
|---|---|---|---|
PrometheusMetricsCertFile | TYPHA_PROMETHEUSMETRICSCERTFILE | None | Certificate for encrypting Typha Prometheus metrics. |
PrometheusMetricsKeyFile | TYPHA_PROMETHEUSMETRICSKEYFILE | None | Private key for encrypting Typha Prometheus metrics. |
PrometheusMetricsCAFile | TYPHA_PROMETHEUSMETRICSCAFILE | None | Trusted CA file for clients attempting to read Typha Prometheus metrics. |
When the PrometheusMetrics...File parameters are set, Typha's
Prometheus port is TLS-secured such that only a validated client can
read Prometheus metrics, and the data is encrypted in transit. A
valid client must then connect over HTTPS and present a certificate
that is signed by one of the trusted CAs in the
PrometheusMetricsCAFile setting.
Environment variables
| Environment | Description | Schema |
|---|---|---|
| USE_POD_CIDR | Use the Kubernetes Node.Spec.PodCIDR field. This field is required when using the Kubernetes API datastore with host-local IPAM. [Default: false] | boolean |
Felix-Typha TLS configuration
| Configuration parameter | Environment variable | Description | Schema |
|---|---|---|---|
CAFile | TYPHA_CAFILE | Path to the file containing the root certificate of the CA that issued the Felix client certificate. Configures Typha to trust the CA that signed the Felix client certificate. The file may contain multiple root certificates, causing Typha to trust each of the CAs included. Example: /etc/typha/ca.pem | string |
ClientCN | TYPHA_CLIENTCN | If set, the Common Name that Felix's certificate must have. If you have enabled TLS on the communications from Felix to Typha, you must set a value here or in ClientURISAN. You can set values in both, as well, such as to facilitate a migration from using one to the other. If either matches, the communication succeeds. [Default: none] | string |
ClientURISAN | TYPHA_CLIENTURISAN | If set, a URI SAN that Felix's certificate must have. We recommend populating this with a SPIFFE string that identifies Felix. All Felix instances should use the same SPIFFE ID. If you have enabled TLS on the communications from Felix to Typha, you must set a value here or in ClientCN. You can set values in both, as well, such as to facilitate a migration from using one to the other. If either matches, the communication succeeds. [Default: none] | string |
ServerCertFile | TYPHA_SERVERCERTFILE | Path to the file containing the server certificate issued to Typha. Typha presents this to Felix clients during the TLS handshake. Example: /etc/typha/cert.pem | string |
ServerKeyFile | TYPHA_SERVERKEYFILE | Path to the file containing the private key matching the Typha server certificate. Example: /etc/typha/key.pem (optional) | string |
For more information on how to use and set these variables, refer to Connections from Node to Typha (Kubernetes).