TODO: Need to migrate the Github Embeds.
Patching Traefik on k3s cluster
We first need to find where Traefik is running. Running sudo kubectl get all -o wide --all-namespaces
lists every resource in every namespace; look for the traefik service and pod.
Patch
sudo kubectl patch svc traefik -n kube-system -p '{"spec":{"externalTrafficPolicy":"Cluster"}}'
Expected output: service/traefik patched
Helm Charts
helm repo add traefik https://helm.traefik.io/traefik
Success: expected output is
"traefik" has been added to your repositories
helm repo update
Traefik Middleware for Kubernetes
Middleware objects should be kept isolated as their own resources for performance and security reasons.
Auth - Kind: Middleware
Example:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: longhorn-auth
  namespace: longhorn-system
spec:
  basicAuth:
    secret: authsecret
Auth - Kind: Ingress
Calling the longhorn-auth middleware from the Ingress via annotations:
Example:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: longhorn-ing-traefik
  namespace: longhorn-system
  annotations:
    externalTrafficPolicy: Local
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-longhorn-auth@kubernetescrd
    ingress.kubernetes.io/whitelist-x-forwarded-for: 'true'
spec:
  rules:
  - host: 'x.kbve.com'
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: longhorn-service-provider
            port:
              number: 8000
In our PoC above, we see that the middleware is referenced as:
traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-longhorn-auth@kubernetescrd
It's important to note that the namespace of the middleware, longhorn-system, comes before the middleware's name. This is what lets the CRD provider know where the middleware is located.
According to the notes on Traefik & Kubernetes, we first need to install the Resource Definitions and RBAC into the cluster with kubectl by running the following commands:
# Install Traefik Resource Definitions:
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.8/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
# Install RBAC for Traefik:
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.8/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
After this installation, we'll have a set of Custom Resource Definitions; resources of these kinds use a name and a namespace to refer to another Kubernetes resource. See the list of CRDs in the dedicated routing section.
The biggest thing we need from this is the ability to add the BasicAuth plugin.
This plugin (which is what we tried to reference before with the auth@file line) uses htpasswd-format credentials to block unauthenticated traffic to the pod.
This will require setting up an IngressRoute (a Kubernetes resource added by the Traefik Resource Definitions) whose settings specify which middlewares to apply. Find more info on the Traefik Middlewares here.
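As an added example (not code from these notes or from the Traefik project), the script below generates the pieces described in the two sections above: an htpasswd line, the Secret that Traefik's basicAuth reads (the key must be users and the Secret must sit in the same namespace as the Middleware), the Middleware itself, and the namespace-qualified annotation value. It also checks an Ingress manifest for that exact reference, which catches the common mistake of leaving out the namespace prefix. It assumes Traefik v2 with the kubernetescrd provider and either htpasswd (apache2-utils) or openssl on PATH; the admin/change-me credential is a constructed placeholder. One caveat on the Ingress manifest above: externalTrafficPolicy is a Service spec field (the one the kubectl patch at the top of the page sets), so as an Ingress annotation it has no effect.

```shell
#!/bin/sh
# Added example, not from the original notes. Assumes Traefik v2 with the
# Kubernetes CRD provider and htpasswd (apache2-utils) or openssl on PATH.
set -eu

# Annotation value for traefik.ingress.kubernetes.io/router.middlewares:
# the Middleware's namespace is a mandatory prefix, "<ns>-<name>@kubernetescrd".
middleware_ref() {
  printf '%s-%s@kubernetescrd\n' "$1" "$2"
}

# One htpasswd line "user:<hash>": bcrypt via htpasswd when available,
# otherwise Apache MD5 via openssl. Traefik accepts both formats.
htpasswd_line() {
  user=$1; pass=$2
  if command -v htpasswd >/dev/null 2>&1; then
    htpasswd -nbB "$user" "$pass"
  else
    printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")"
  fi
}

# Secret consumed by spec.basicAuth.secret. Traefik requires the key "users",
# and the Secret must live in the same namespace as the Middleware.
render_auth_secret() {
  name=$1; ns=$2; line=$3
  enc=$(printf '%s\n' "$line" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: Opaque
data:
  users: $enc
EOF
}

# The Middleware from the notes, parameterised on name, namespace and secret.
render_auth_middleware() {
  name=$1; ns=$2; secret=$3
  cat <<EOF
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: $name
  namespace: $ns
spec:
  basicAuth:
    secret: $secret
EOF
}

# Check an Ingress manifest on stdin for the fully qualified reference;
# returns non-zero when the annotation is missing or lacks the namespace prefix.
ingress_references() {
  grep -q "router.middlewares: *$(middleware_ref "$1" "$2")"
}

# Demo with a constructed placeholder credential. Apply for real with:
#   render_auth_secret authsecret longhorn-system "$line" | kubectl apply -f -
if command -v htpasswd >/dev/null 2>&1 || command -v openssl >/dev/null 2>&1; then
  line=$(htpasswd_line admin 'change-me')
  render_auth_secret authsecret longhorn-system "$line"
  echo '---'
  render_auth_middleware longhorn-auth longhorn-system authsecret
  echo '---'
  echo "annotation value: $(middleware_ref longhorn-system longhorn-auth)"
fi
```

Pipe each rendered manifest into kubectl apply -f - rather than committing the Secret to a repository; the Secret only needs to exist in longhorn-system, next to the Middleware, for Traefik to find it.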
These are notes on integrating Cloudflare with Traefik, including automating some of the actions so that you may not have to repeat them.
Access the API Tokens directly from Cloudflare Profile
Common environment variable names and their purpose:
CF_API_EMAIL - The Cloudflare account holder's email.
CF_API_KEY - The Cloudflare API key.
CF_DNS_API_TOKEN - The API token with DNS:Edit permission.
CF_ZONE_API_TOKEN - The API token with Zone:Read permission.
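As an added example (not from these notes), the script below reads the variables listed above, reports whether the environment carries scoped tokens or the global API key, and renders a Kubernetes Secret containing only the variables for that mode, so the full-account key is never copied into the cluster when DNS:Edit and Zone:Read tokens are enough. The Secret name cloudflare-api, the preference for scoped tokens when both styles are set, and treating CF_ZONE_API_TOKEN as optional next to CF_DNS_API_TOKEN are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original notes. Uses the variable names listed
# above; the Secret name "cloudflare-api" is an assumption of this example.
set -u

# Prints which credential style the environment carries:
#   scoped - CF_DNS_API_TOKEN (plus CF_ZONE_API_TOKEN if set): least privilege
#   global - CF_API_EMAIL + CF_API_KEY: full-account key
# Returns 1 when neither set is complete. Scoped tokens win if both are present.
cf_credential_mode() {
  if [ -n "${CF_DNS_API_TOKEN:-}" ]; then
    echo scoped
  elif [ -n "${CF_API_EMAIL:-}" ] && [ -n "${CF_API_KEY:-}" ]; then
    echo global
  else
    echo none
    return 1
  fi
}

# Render a Secret holding only the variables for the detected mode, so a
# global key is never written into the cluster when scoped tokens suffice.
render_cf_secret() {
  ns=$1
  mode=$(cf_credential_mode) || return 1
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: cloudflare-api\n  namespace: %s\ntype: Opaque\nstringData:\n' "$ns"
  if [ "$mode" = scoped ]; then
    printf '  CF_DNS_API_TOKEN: "%s"\n' "$CF_DNS_API_TOKEN"
    if [ -n "${CF_ZONE_API_TOKEN:-}" ]; then
      printf '  CF_ZONE_API_TOKEN: "%s"\n' "$CF_ZONE_API_TOKEN"
    fi
  else
    printf '  CF_API_EMAIL: "%s"\n  CF_API_KEY: "%s"\n' "$CF_API_EMAIL" "$CF_API_KEY"
  fi
  return 0
}

# Demo: render for the namespace Traefik runs in (kube-system on k3s) or
# explain why nothing was rendered. Apply with: render_cf_secret kube-system | kubectl apply -f -
render_cf_secret kube-system || echo 'no Cloudflare credentials found in the environment' >&2
```

Run it in the shell where the Cloudflare variables are exported; a "global" result is the cue to replace CF_API_KEY with a token scoped to DNS:Edit and Zone:Read before the Secret goes anywhere near the cluster.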