The source code and default configuration of the Building Block are available in our code.sysEleven.de. For information on release notes and new features, please follow the link: Release notes ingress-nginx
The Ingress Controller is used, e.g. by Kubernetes, for reverse proxy and load balancing capabilities.
Traefik is a leading modern open source reverse proxy and ingress controller that makes deploying services and APIs easy.
Here you can find the official website of Traefik.
Proceed with the following prerequisite description to use the Traefik Building Block out of the box.
A recommended resource overview is listed in the table below.
CPU / vCPU | Memory |
---|---|
0.9m | 450MiB |
No further activities need to be carried out in advance.
Add the directory `syseleven-traefik` to your control repository as well as the `.gitlab-ci.yml` to the directory with the following content:
```yaml
include:
  - project: syseleven/building-blocks/helmfiles/traefik
    file: JobDevelopment.yaml
    ref: 0.5.0
  - project: syseleven/building-blocks/helmfiles/traefik
    file: JobStaging.yaml
    ref: 0.5.0
  - project: syseleven/building-blocks/helmfiles/traefik
    file: JobProduction.yaml
    ref: 0.5.0
```
Remove environments you are not using by removing their include.
No configuration is required.
This section contains usage examples for the Traefik Building Block.
This example shows how to configure an ingress resource to be used with Traefik.
It assumes you work in the namespace `<namespace>` where there already is a service called `<servicename>` that you want to expose via this ingress controller under the domain `example-ingress-traefik.<customerdomain>.de`.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress-traefik
  namespace: <namespace>
spec:
  # Configure Traefik as the ingress controller responsible for this resource
  ingressClassName: traefik
  rules:
    - host: example-ingress-traefik.<customerdomain>.de
      http:
        paths:
          - backend:
              service:
                name: <servicename>
                port:
                  number: 80
            path: /
            pathType: ImplementationSpecific
  tls:
    - hosts:
        - example-ingress-traefik.<customerdomain>.de
      secretName: example-ingress-traefik.<customerdomain>.de-tls
```
To make the following Ingress resource fully available, other Building Blocks besides `traefik` must be installed:
The following Ingress resource will create an ingress for the domain `testdomain-cert.<customerdomain>.de`.
Due to the `spec.tls` section in the configuration, a certificate is generated for the domain.
The building block `traefik` creates a load balancer that binds an external IP address (see `kubectl get svc -n syseleven-traefik`).
A DNS A record pointing to the IP address of the load balancer is created for the ingress resource described here.
Create a namespace for the example:
```shell
kubectl create ns example-ingress
```
Create an HTTP service:
```shell
kubectl apply -n example-ingress -f https://raw.githubusercontent.com/istio/istio/master/samples/httpbin/httpbin.yaml
```
This creates an application including a service `httpbin` in the namespace `example-ingress`.
The service endpoint should be available outside the cluster with its own domain name using HTTPS.
The ingress must exist in the same namespace as the Service object.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  namespace: example-ingress
  annotations:
    # Use ClusterIssuer "letsencrypt-production" from the cert-manager Building Block
    cert-manager.io/cluster-issuer: letsencrypt-production
  labels:
    # Use acme/solver "dns01" defined in ClusterIssuer "letsencrypt-production"
    cert-manager.io/solver: dns01
spec:
  # Use ingress controller "traefik"
  ingressClassName: traefik
  rules:
    - host: testdomain-cert.<customerdomain>.de
      http:
        paths:
          - backend:
              service:
                name: httpbin
                port:
                  number: 8000
            pathType: ImplementationSpecific
  tls:
    - hosts:
        - testdomain-cert.<customerdomain>.de
      # Store the certificate generated by cert-manager Building Block as secret named testdomain-cert-secret
      secretName: testdomain-cert-secret
```
Check the generated certificate:
```shell
kubectl describe certificate -n example-ingress testdomain-cert-secret
```
or
```shell
kubectl get -n example-ingress secret testdomain-cert-secret -o jsonpath='{.data.tls\.crt}' | base64 -d - | openssl x509 -dates -subject -noout
```
Check the generated DNS configuration:
Providing the DNS record can take a few minutes. Please check regularly with the following command:
```shell
dig @ns01.cloud.syseleven.net testdomain-cert.<customerdomain>.de
```
Check access to internal HTTPBIN service:
```shell
curl https://testdomain-cert.<customerdomain>.de/get
```
To remove the example again it is sufficient to delete the namespace.
```shell
kubectl delete ns example-ingress
```
This ingress controller uses the Proxy Protocol by default to preserve the client IP address of requests. Note that in the current configuration Traefik accepts both requests that use the Proxy Protocol and requests that do not.
This is especially useful when requests originate from inside your cluster, as they skip the hop over the ingress controller's load balancer, which would set the Proxy Protocol header.
The default configuration for the Proxy Protocol is shown below.
If you do not wish to use the protocol, change these settings in your values file.
```yaml
service:
  annotations:
    loadbalancer.openstack.org/proxy-protocol: "true"
ports:
  web:
    proxyProtocol:
      insecure: true
  websecure:
    proxyProtocol:
      insecure: true
```
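With `insecure: true`, Traefik trusts a Proxy Protocol header from any peer, so a client that reaches the entry points directly (such as the in-cluster requests mentioned above) can declare an arbitrary source address, which matters wherever IP allow-lists, rate limits or audit logs rely on the client IP. The following values are an added example, not part of the Building Block defaults. `trustedIPs` is the Traefik option that limits which peers are trusted, and the CIDR shown is a placeholder for the network your load balancer connects from.

```yaml
# Added example (not the Building Block default).
# 192.0.2.0/24 is a constructed placeholder: replace it with the CIDR
# from which the OpenStack load balancer opens connections to Traefik
# (the peer address Traefik sees, not the public floating IP).
service:
  annotations:
    # Unchanged: the load balancer keeps sending the Proxy Protocol header
    loadbalancer.openstack.org/proxy-protocol: "true"
ports:
  web:
    proxyProtocol:
      # Before: insecure: true (header trusted from every peer)
      insecure: false
      # Only these peers may set the client address via the header
      trustedIPs:
        - 192.0.2.0/24
  websecure:
    proxyProtocol:
      insecure: false
      trustedIPs:
        - 192.0.2.0/24
```

Connections without a Proxy Protocol header, such as in-cluster requests, are still accepted. After the change, verify that external requests still arrive and that the Traefik access log still records the real client address.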
For more information on release notes and new features, see: Release notes Traefik