Configuring Typha

  • Operator
  • Manifest

Typha configuration can not be modified when Calico is installed via the operator.

Configuration for Typha is read from one of two possible locations, in order, as follows.

  1. Environment variables, prefixed with TYPHA_.

  2. The Typha configuration file. The path to this file defaults to /etc/calico/typha.cfg but can be overridden using the -c or --config-file options on the command line.

The value of any configuration parameter is the value read from the first location containing a value. For example, if an environment variable contains a value, it takes precedence.

If not set in any of these locations, most configuration parameters have defaults, and it should be rare to have to explicitly set them.

The full list of parameters which can be set is as follows.

General configuration

Configuration parameterEnvironment variableDescriptionSchema
DatastoreTypeTYPHA_DATASTORETYPEThe datastore that Typha should read endpoints and policy information from. [Default: etcdv3]etcdv3, kubernetes
HealthEnabledTYPHA_HEALTHENABLEDWhen enabled, exposes Typha health information via an http endpoint.boolean
HealthPortTYPHA_HEALTHPORTThe port that Typha will serve health information over. [Default: 9098]int
HealthHostTYPHA_HEALTHHOSTThe address that Typha will bind its health endpoint to. [Default: localhost]string
LogFilePathTYPHA_LOGFILEPATHThe full path to the Typha log. Set to none to disable file logging. [Default: /var/log/calico/typha.log]string
LogSeverityFileTYPHA_LOGSEVERITYFILEThe log severity above which logs are sent to the log file. [Default: Info]Debug, Info, Warning, Error, Fatal
LogSeverityScreenTYPHA_LOGSEVERITYSCREENThe log severity above which logs are sent to the stdout. [Default: Info]Debug, Info, Warning, Error, Fatal
LogSeveritySysTYPHA_LOGSEVERITYSYSThe log severity above which logs are sent to the syslog. Set to “” for no logging to syslog. [Default: Info]Debug, Info, Warning, Error, Fatal
PrometheusGoMetricsEnabledTYPHA_PROMETHEUSGOMETRICSENABLEDSet to false to disable Go runtime metrics collection, which the Prometheus client does by default. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]boolean
PrometheusMetricsEnabledTYPHA_PROMETHEUSMETRICSENABLEDSet to true to enable the Prometheus metrics server in Typha. [Default: false]boolean
PrometheusMetricsHostTYPHA_PROMETHEUSMETRICSHOSTTCP network address that the Prometheus metrics server should bind to. [Default: “”]string
PrometheusMetricsPortTYPHA_PROMETHEUSMETRICSPORTTCP port that the Prometheus metrics server should bind to. [Default: 9091]int
PrometheusProcessMetricsEnabledTYPHA_PROMETHEUSPROCESSMETRICSENABLEDSet to false to disable process metrics collection, which the Prometheus client does by default. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]boolean

Configuring Typha - 图1note

By default, if the health endpoint is enabled Typha listens on localhost. However, if Typha is used in Kubernetes, the kubelet will do health checks using the pod IP. To work around this discrepancy, the Typha image supports a health-check CLI command that fetches the health endpoint: calico-typha check (readiness|liveness) --port=<port>. If you modify the health port, you will need to add the --port=<port> argument to the liveness and readiness probe commands in the manifest.

etcd datastore configuration

Configuration parameterEnvironment variableDescriptionSchema
EtcdCaFileTYPHA_ETCDCAFILEPath to the file containing the root certificate of the certificate authority (CA) that issued the etcd server certificate. Configures Typha to trust the CA that signed the root certificate. The file may contain multiple root certificates, causing Typha to trust each of the CAs included. To disable authentication of the server by Typha, set the value to none. [Default: /etc/ssl/certs/ca-certificates.crt]string
EtcdCertFileTYPHA_ETCDCERTFILEPath to the file containing the client certificate issued to Typha. Enables Typha to participate in mutual TLS authentication and identify itself to the etcd server. Example: /etc/typha/cert.pem (optional)string
EtcdEndpointsTYPHA_ETCDENDPOINTSComma-delimited list of etcd endpoints to connect to. Example: http://127.0.0.1:2379,http://127.0.0.2:2379.<scheme>://<ip-or-fqdn>:<port>
EtcdKeyFileTYPHA_ETCDKEYFILEPath to the file containing the private key matching the Typha client certificate. Enables Typha to participate in mutual TLS authentication and identify itself to the etcd server. Example: /etc/typha/key.pem (optional)string

Kubernetes API datastore configuration

The Kubernetes API datastore driver reads its configuration from Kubernetes-provided environment variables.

Environment variables

EnvironmentDescriptionSchema
USE_POD_CIDRUse the Kubernetes Node.Spec.PodCIDR field. This field is required when using the Kubernetes API datastore with host-local IPAM. [Default: false]boolean

Felix-Typha TLS configuration

Configuration parameterEnvironment variableDescriptionSchema
CAFileTYPHA_CAFILEPath to the file containing the root certificate of the CA that issued the Felix client certificate. Configures Typha to trust the CA that signed the Felix client certificate. The file may contain multiple root certificates, causing Typha to trust each of the CAs included. Example: /etc/typha/ca.pemstring
ClientCNTYPHA_CLIENTCNIf set, the Common Name that Felix’s certificate must have. If you have enabled TLS on the communications from Felix to Typha, you must set a value here or in ClientURISAN. You can set values in both, as well, such as to facilitate a migration from using one to the other. If either matches, the communication succeeds. [Default: none]string
ClientURISANTYPHA_CLIENTURISANIf set, a URI SAN that Felix’s certificate must have. We recommend populating this with a SPIFFE string that identifies Felix. All Felix instances should use the same SPIFFE ID. If you have enabled TLS on the communications from Felix to Typha, you must set a value here or in ClientCN. You can set values in both, as well, such as to facilitate a migration from using one to the other. If either matches, the communication succeeds. [Default: none]string
ServerCertFileTYPHA_SERVERCERTFILEPath to the file containing the server certificate issued to Typha. Typha presents this to Felix clients during the TLS handshake. Example: /etc/typha/cert.pemstring
ServerKeyFileTYPHA_SERVERKEYFILEPath to the file containing the private key matching the Typha server certificate. Example: /etc/typha/key.pem (optional)string

For more information on how to use and set these variables, refer to Connections from Felix to Typha (Kubernetes).