Skip to content

Traefik

Information

Section titled “Information”

Traefik is a cloud-hybrid reverse proxy and load balancer that makes deploying, configuring and integrating infrastructure components easy and automatic.

Docker

Section titled “Docker”

Docker Compose - There should be an acme.json file that you create and pass through the docker with the permission of chmod 600. - Furthermore, there are two more files that you will have to configure and pass through before launching the traefik container. We provided them in the #config section below.

Kubernetes

Section titled “Kubernetes”

  • Patching Traefik on k3s cluster

    • We want to find the instance of where traefik is running. Running sudo kubectl get all -o wide --all-namespaces should display all your containers, look for traefik.

    • Patch

      • Terminal window
        sudo kubectl patch svc traefik -n kube-system -p '{"spec":{"externalTrafficPolicy":"Cluster"}}'`

    • std output should be service/traefik patched

  • Helm Charts

    • Terminal window
      helm repo add traefik https://helm.traefik.io/traefik

      • Sucess: std output should be

        • Terminal window
          "traefik" has been added to your repositories
    • Terminal window
      helm repo update

  • Traefik Middleware for Kubernetes

    • Middleware kind should be isolated for performance and security reasons.

      • Auth - Kind: Middleware

        • Example:

          • apiVersion: traefik.containo.us/v1alpha1
            kind: Middleware
            metadata:
                name: longhorn-auth
                namespace: longhorn-system
            spec:
                basicAuth:
                    secret: authsecret
            • The middleware should be saved as a yaml / yml file and applied using kubectl.

      • Auth - Kind: Ingress

        • Calling the longhorn-auth in the Ingress via annotations:

          • Example:

            • apiVersion: networking.k8s.io/v1
              kind: Ingress
              metadata:
                  name: longhorn-ing-traefik
                  namespace: longhorn-system
                  annotations:
                      externalTrafficPolicy: Local
                      kubernetes.io/ingress.class: traefik
                      traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-longhorn-auth@kubernetescrd
                      ingress.kubernetes.io/whitelist-x-forwarded-for: 'true'
              

              spec:
                  rules:
                      - host: 'x.kbve.com'
                        http:
                            paths:
                                - path: /
                                  pathType: Prefix
                                  backend:
                                      service:
                                          name: longhorn-service-provider
                                          port:
                                              number: 8000

            • In our PoC above, we see that the middleware is referenced as:

              traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-longhorn-auth@kubernetescrd

              Its important to note the namespace of the middleware, longhorn-system , before calling the middleware’s name. This is to let the crd know where the middleware is located.

Config

Section titled “Config”

TODO: Need to migrate the Github Embeds.

Notes

Section titled “Notes”

According to the notes on Traefik & Kubernetes we first need to install the Resource Definitions and RBAC into kubectl by running the following commands:

Terminal window
# Install Traefik Resource Definitions:
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.8/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml


# Install RBAC for Traefik:
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.8/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml

After this installation, we’ll have a set of Custom Resource Definitions which should have the following benefits:

  • The usage of name and namespace to refer to another Kubernetes resource.
  • The usage of secret for sensitive data (TLS certificates and credentials).
  • The structure of the configuration.
  • The requirement to declare all the definitions.

See the list of CRDs in the dedicated routing section.

The biggest thing we need from this is the ability to add the BasicAuth plugin. This plugin (which is what we tried to reference before with the auth@file line) uses an htpasswd password to block incoming traffic to the pod.

This will require setting up an IngressRoute (which is a specific Kubernetes resource added by the Traefik Resource Definitions) with settings to specify what the middlewares are. Find more info on the Traefik Middlewares Here

Cloudflare

Section titled “Cloudflare”

These are notes on integrating Cloudflare with Traefik, including automating some of the actions so that you may not have to repeat them.

Acme Docs

Section titled “Acme Docs”

Official Docs

Access the API Tokens directly from Cloudflare Profile

Common environmental variable names and their purpose:

  • CF_API_EMAIL - The Cloudflare account holder’s email.
  • CF_API_KEY - The Cloudflare API key.
  • CF_DNS_API_TOKEN - The API token with DNS:Edit permission.
  • CF_ZONE_API_TOKEN - The API token with Zone:Read permission.