Traefik v2.2 and Kubernetes Ingress

Since Version 2 Traefik supports Kubernetes Ingress and acts as a Kubernetes Ingress controller. This is an alternative to the Traefik specific ingressRoute objects. With v2.2. you can now use plain Kubernetes Ingress Objects together with annotations. Of course you can still use IngressRoute objects if you need them for specific requirements.

I tested this feature within Kubernetes 1.17.3. In this blog post I want to point out the important parts of the configuration. Please note that I provide a details setup for Traefik running within a self managed Kubernetes cluster in my open source project Imixs-Cloud.

The Traefik Deployment Object

In the deployment object for traefik first you need add the ‘kubernetesingress’ provider:

      - args:
        - --api
        ....
        - --providers.kubernetescrd=true
        - --providers.kubernetesingress=true
        ....

This is how my complete deployment configuration looks like.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: traefik
    release: traefik
  name: traefik
  namespace: kube-system

spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
      release: traefik
  template:
    metadata:
      labels:
        app: traefik
        release: traefik
    spec:
      containers:
      - args:

        - --api
        - --api.insecure
        #- --api.insecure=false
        - --api.dashboard=true
        - --accesslog
        - --global.checknewversion=true
        - --entryPoints.traefik.address=:8100
        - --entryPoints.web.address=:80
        - --entryPoints.websecure.address=:443

        # permanent redirecting of all requests on http (80) to https (443)
        - --entrypoints.web.http.redirections.entryPoint.to=websecure
        - --entrypoints.websecure.http.tls.certResolver=default

        # Let's Encrypt Configurtion:
        # Please note that this is the staging Let's Encrypt server configuration.
        # Once you get things working, you should remove that following line.
        - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/dire
        - --certificatesresolvers.default.acme.email={YOUR-E-MAIL}
        - --certificatesresolvers.default.acme.storage=acme.json
        - --certificatesresolvers.default.acme.tlschallenge

        - --ping=true
        - --providers.kubernetescrd=true
        - --providers.kubernetesingress=true
       
        - --log.level=INFO
        image: traefik:2.2
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /ping
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 2
        name: traefik
        ports:
        - containerPort: 8100
          name: admin
          protocol: TCP
        - containerPort: 80
          name: web
          protocol: TCP
        - containerPort: 443
          name: websecure
          protocol: TCP
        readinessProbe:
          failureThreshold: 1
          httpGet:
            path: /ping
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 2
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: traefik
      serviceAccountName: traefik
      terminationGracePeriodSeconds: 60

Permanent HTTP->HTTPS Redirect

In the example configuration above I have configured a permanent redirect from HTTP to HTTPS. So you do not need a extra middleware object.

...
        - --entrypoints.web.http.redirections.entryPoint.to=websecure
        - --entrypoints.websecure.http.tls.certResolver=default
....

The Redirect scheme can be controlled from the Traefik.io web Dashboard in the section Middlewares:

Setup a Ingress Object

Now you can setup the Kubernetes Ingress object using the new annotations provided by Traefik V2.2.:

kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
  name: myingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web, websecure
spec:
  rules:
  - host: example.foo.com
    http:
      paths:
      - path: /
        backend:
          serviceName: whoami
          servicePort: 80

Your new Ingress Network will automatically be redirectef from HTTP to HTTPS due to the Let’s Encrypt configuration. Note, that both entrypoints (web and websecure) are defined in your Ingress.

You will find more information about how to setup Traefik for Kubernetes in the Imixs-Cloud Project site on Github.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.