Traefik

A cloud native application proxy that utilizes a modern HTTP reverse-proxy and load balancer.

Traefik


  • Traefik is a cloud-hybrid reverse proxy and load balancer that makes deploying, configuring and integrating infrastructure components easy and automatic.

Install

  • Docker Compose
    • There should be an acme.json file that you create and pass through the docker with the permission of chmod 600.
    • Furthermore, there are two more files that you will have to configure and pass through before launching the traefik container. We provided them in the #config section below.
    • This is a docker compose for traefik.

Config

  • Traefik.yml Example
    • This the primary config for our traefik.yml
  • Config.yml Router Example
    • This the router config for our reverse proxy. Written by Techo Tim originaly and modified by our team.

Kubernetes

  • Patching Traefik on k3s cluster

    • We want to find the instance of where traefik is running. Running sudo kubectl get all -o wide --all-namespaces should display all your containers, look for traefik.

    • Patch

      • sudo kubectl patch svc traefik -n kube-system -p '{"spec":{"externalTrafficPolicy":"Cluster"}}'`
    • std output should be service/traefik patched

  • Helm Charts

    • helm repo add traefik https://helm.traefik.io/traefik
      • Sucess: std output should be
        • "traefik" has been added to your repositories
    • helm repo update
  • Traefik Middleware for Kubernetes

    • Middleware kind should be isolated for performance and security reasons.
      • Auth - Kind: Middleware
        • Example:
          • apiVersion: traefik.containo.us/v1alpha1
            kind: Middleware
            metadata:
              name: longhorn-auth
              namespace: longhorn-system
            spec:
              basicAuth:
                secret: authsecret
            • The middleware should be saved as a yaml / yml file and applied using kubectl.
      • Auth - Kind: Ingress
        • Calling the longhorn-auth in the Ingress via annotations:
          • Example:
            •           
                apiVersion: networking.k8s.io/v1
                kind: Ingress
                metadata:
                  name: longhorn-ing-traefik
                  namespace: longhorn-system
                  annotations:
                    externalTrafficPolicy: Local 
                    kubernetes.io/ingress.class: traefik
                    traefik.ingress.kubernetes.io/router.middlewares: [email protected]
                    ingress.kubernetes.io/whitelist-x-forwarded-for: "true"
                    
                spec:
                  rules:
                  - host: "x.kbve.com"
                    http:
                      paths:
                      - path: /
                        pathType: Prefix
                        backend:
                          service:
                            name: longhorn-service-provider
                            port:
                              number: 8000
              
              
            • In our PoC above, we see that the middleware is referenced as:
                  traefik.ingress.kubernetes.io/router.middlewares: [email protected]
              Its important to note the namespace of the middleware, longhorn-system , before calling the middleware’s name. This is to let the crd know where the middleware is located.

WIP Notes 2022-10-01 01:15:20

According to the notes on Traefik & Kubernetes we first need to install the Resource Definitions and RBAC into kubectl by running the following commands:

# Install Traefik Resource Definitions:
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.8/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml

# Install RBAC for Traefik:
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.8/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml

After this installation, we’ll have a set of Custom Resource Definitions which should have the following benefits:

  • The usage of name and namespace to refer to another Kubernetes resource.
  • The usage of secret for sensitive data (TLS certificates and credentials).
  • The structure of the configuration.
  • The requirement to declare all the definitions.

See the list of CRDs in the dedicated routing section.

The biggest thing we need from this is the ability to add the BasicAuth plugin. This plugin (which is what we tried to reference before with the [email protected] line) uses an htpasswd password to block incoming traffic to the pod.

This will require setting up an IngressRoute (which is a specific Kubernetes resource added by the Traefik Resource Definitions) with settings to specify what the middlewares are. Find more info on the Traefik Middlewares Here