Traefik

Overview

The source code and default configuration of the Building Block are available on our code.sysEleven.de. For release notes and new features, please follow the link: Release notes ingress-nginx

Traefik

The Ingress Controller used by, e.g., Kubernetes for reverse proxy and load balancing capabilities.

Traefik is a leading modern open source reverse proxy and ingress controller that makes deploying services and APIs easy.

Here you can find the official website of Traefik.

Prerequisites on Traefik

Proceed with the following prerequisite description to use the Traefik Building Block out of the box.

A recommended resource overview is listed in the table below.

CPU / vCPU    Memory
0.9m          450MiB

No further activities need to be carried out in advance.

Adding the Building Block

Add the directory syseleven-traefik to your control repository and add a .gitlab-ci.yml with the following content to that directory:

include:
  - project: syseleven/building-blocks/helmfiles/traefik
    file: JobDevelopment.yaml
    ref: 0.5.0
  - project: syseleven/building-blocks/helmfiles/traefik
    file: JobStaging.yaml
    ref: 0.5.0
  - project: syseleven/building-blocks/helmfiles/traefik
    file: JobProduction.yaml
    ref: 0.5.0

Remove environments you are not using by removing their include.

Required configuration

No configuration is required.

Example configurations

This section contains usage examples for the Traefik Building Block.

Simple example ingress

This example shows how to configure an ingress resource to be used with Traefik.
It assumes you work in the namespace <namespace> where there already is a service
called <servicename> that you want to expose via this ingress controller
under the domain example-ingress-traefik.<customerdomain>.de.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress-traefik
  namespace: <namespace>
spec:
  # Configure Traefik as the ingress controller responsible for this resource
  ingressClassName: traefik
  rules:
    - host: example-ingress-traefik.<customerdomain>.de
      http:
        paths:
          - backend:
              service:
                name: <servicename>
                port:
                  number: 80
            path: /
            pathType: ImplementationSpecific
  tls:
    - hosts:
        - example-ingress-traefik.<customerdomain>.de
      secretName: example-ingress-traefik.<customerdomain>.de-tls

Integrated example ingress

To make the following Ingress resource fully available, other Building Blocks must be installed in addition to traefik:

  • external-dns
  • cert-manager
  • Use SysEleven DNSaaS to configure your DNS records

The following Ingress resource will create an ingress for the domain
testdomain-cert.<customerdomain>.de.
Due to the spec.tls section in the configuration, a certificate is generated for the domain.
The building block traefik creates a load balancer that binds an external IP address.
See kubectl get svc -n syseleven-traefik.
A DNS A record pointing to the IP address of the load balancer is created for the ingress resource described here.

Prepare

Create a namespace for the example:

kubectl create ns example-ingress

Create an http service:

kubectl apply -n example-ingress -f https://raw.githubusercontent.com/istio/istio/master/samples/httpbin/httpbin.yaml

This creates an application including a service httpbin in the namespace example-ingress.

Create the ingress resource

The service endpoint should be available outside the cluster with its own domain name using https.
The ingress must exist in the same namespace as the Service object.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  namespace: example-ingress
  annotations:
    # Use ClusterIssuer "letsencrypt-production" from the cert-manager Building Block
    cert-manager.io/cluster-issuer: letsencrypt-production
  labels:
    # Use acme/solver "dns01" defined in ClusterIssuer "letsencrypt-production"
    cert-manager.io/solver: dns01
spec:
  # Use ingress controller "traefik"
  ingressClassName: traefik
  rules:
  - host: testdomain-cert.<customerdomain>.de
    http:
      paths:
      - backend:
          service:
            name: httpbin
            port:
              number: 8000
        pathType: ImplementationSpecific
  tls:
    - hosts:
        - testdomain-cert.<customerdomain>.de
      # Store the certificate generated by cert-manager Building Block as secret named testdomain-cert-secret
      secretName: testdomain-cert-secret

Check the generated certificate:
kubectl describe certificate -n example-ingress testdomain-cert-secret
or
kubectl get -n example-ingress secret testdomain-cert-secret -o jsonpath='{.data.tls\.crt}'| base64 -d -| openssl x509 -dates -subject -noout

Check the generated DNS configuration:
Providing the DNS record can take a few minutes. Please check regularly with the following command:
dig @ns01.cloud.syseleven.net testdomain-cert.<customerdomain>.de

Check access to internal HTTPBIN service:
curl https://testdomain-cert.<customerdomain>.de/get

Cleanup

To remove the example again it is sufficient to delete the namespace.
kubectl delete ns example-ingress

Proxy Protocol

This ingress controller uses the Proxy Protocol by default
to preserve the client IP address of the requests. Note that in the current configuration
Traefik will accept both requests using the Proxy Protocol and those not using it.
This especially comes in handy when requests originate from inside your cluster,
as they skip the hop over the ingress controller's load balancer,
which would set the proxy protocol header.

The default configuration for the proxy protocol is shown below.
If you do not wish to use the protocol, simply change these settings in your values file.

service:
  annotations:
    loadbalancer.openstack.org/proxy-protocol: "true"

ports:
  web:
    proxyProtocol:
      insecure: true
  websecure:
    proxyProtocol:
      insecure: true
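
A stricter variant of the values above, as an added example that is not part of the Building Block's defaults: with insecure: true Traefik honours a Proxy Protocol header from any peer that can reach the entrypoint, whereas trustedIPs restricts that to the load balancer. It assumes the Building Block passes the Traefik chart's ports.<name>.proxyProtocol.trustedIPs key through unchanged; <loadbalancer-subnet-cidr> is a placeholder for the address range from which your load balancer connects to the Traefik pods.

```yaml
# Added example values, not the Building Block's defaults.
# <loadbalancer-subnet-cidr> is a placeholder (assumption): replace it with
# the range your OpenStack load balancer uses to reach the Traefik pods.
service:
  annotations:
    # Keep the load balancer sending the Proxy Protocol header
    loadbalancer.openstack.org/proxy-protocol: "true"

ports:
  web:
    proxyProtocol:
      # Default on this page is insecure: true (header trusted from any source)
      insecure: false
      # Only connections from these sources may set the client address
      trustedIPs:
        - <loadbalancer-subnet-cidr>
  websecure:
    proxyProtocol:
      insecure: false
      trustedIPs:
        - <loadbalancer-subnet-cidr>
```

Requests from inside the cluster that arrive without a Proxy Protocol header are still accepted with these values. After applying them, check the Traefik access log to confirm that requests through the load balancer still show the real client address.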

Monitoring

Additional alert rules

  • None

Additional Grafana dashboards

  • None

Scale Setup

  • Choose between kind Deployment (default and recommended) or kind DaemonSet
  • Replicas - you can statically configure the amount of replicas you need (when using the Deployment kind)
  • Autoscale replicas - you can configure the horizontal pod autoscaler to autoscale the traefik Deployment. See values.yaml for possible options.
  • Requirements/Limits for CPU/Memory can be adjusted. We recommend not setting CPU limits so as not to throttle the Ingress controller and slow down the entire application.

Release-Notes

For more information on release notes and new features, see Release notes Traefik