Traefik v2.2 and Kubernetes Ingress

Since Version 2 Traefik supports Kubernetes Ingress and acts as a Kubernetes Ingress controller. This is an alternative to the Traefik specific ingressRoute objects. With v2.2. you can now use plain Kubernetes Ingress Objects together with annotations. Of course you can still use IngressRoute objects if you need them for specific requirements.

I tested this feature within Kubernetes 1.17.3. In this blog post I want to point out the important parts of the configuration. Please note that I provide a details setup for Traefik running within a self managed Kubernetes cluster in my open source project Imixs-Cloud.

The Traefik Deployment Object

In the deployment object for traefik first you need add the ‘kubernetesingress’ provider:

      - args:
        - --api
        ....
        - --providers.kubernetescrd=true
        - --providers.kubernetesingress=true
        ....

This is how my complete deployment configuration looks like.

apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: traefik
    release: traefik
  name: traefik
  namespace: kube-system

spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
      release: traefik
  template:
    metadata:
      labels:
        app: traefik
        release: traefik
    spec:
      containers:
      - args:

        - --api
        - --api.insecure
        #- --api.insecure=false
        - --api.dashboard=true
        - --accesslog
        - --global.checknewversion=true
        - --entryPoints.traefik.address=:8100
        - --entryPoints.web.address=:80
        - --entryPoints.websecure.address=:443

        # permanent redirecting of all requests on http (80) to https (443)
        - --entrypoints.web.http.redirections.entryPoint.to=websecure
        - --entrypoints.websecure.http.tls.certResolver=default

        # Let's Encrypt Configurtion:
        # Please note that this is the staging Let's Encrypt server configuration.
        # Once you get things working, you should remove that following line.
        - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/dire
        - --certificatesresolvers.default.acme.email={YOUR-E-MAIL}
        - --certificatesresolvers.default.acme.storage=acme.json
        - --certificatesresolvers.default.acme.tlschallenge

        - --ping=true
        - --providers.kubernetescrd=true
        - --providers.kubernetesingress=true
       
        - --log.level=INFO
        image: traefik:2.2
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /ping
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 2
        name: traefik
        ports:
        - containerPort: 8100
          name: admin
          protocol: TCP
        - containerPort: 80
          name: web
          protocol: TCP
        - containerPort: 443
          name: websecure
          protocol: TCP
        readinessProbe:
          failureThreshold: 1
          httpGet:
            path: /ping
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 2
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: traefik
      serviceAccountName: traefik
      terminationGracePeriodSeconds: 60

Permanent HTTP->HTTPS Redirect

In the example configuration above I have configured a permanent redirect from HTTP to HTTPS. So you do not need a extra middleware object.

...
        - --entrypoints.web.http.redirections.entryPoint.to=websecure
        - --entrypoints.websecure.http.tls.certResolver=default
....

The Redirect scheme can be controlled from the Traefik.io web Dashboard in the section Middlewares:

Setup a Ingress Object

Now you can setup the Kubernetes Ingress object using the new annotations provided by Traefik V2.2.:

kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
  name: myingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web, websecure
spec:
  rules:
  - host: example.foo.com
    http:
      paths:
      - path: /
        backend:
          serviceName: whoami
          servicePort: 80

Your new Ingress Network will automatically be redirectef from HTTP to HTTPS due to the Let’s Encrypt configuration. Note, that both entrypoints (web and websecure) are defined in your Ingress.

You will find more information about how to setup Traefik for Kubernetes in the Imixs-Cloud Project site on Github.

2 Replies to “Traefik v2.2 and Kubernetes Ingress”

  1. Hello Ralph and thanks for your Traefik tutorials.

    I wanted to deploy Traefik to my current infra. I have Kibana deployed in the namespace es. I get 404 using the configs below:


    apiVersion: traefik.containo.us/v1alpha1
    kind: Middleware
    metadata:
    name: basic-auth
    namespace: es
    spec:
    basicAuth:
    secret: authsecret


    apiVersion: v1
    kind: Secret
    metadata:
    name: authsecret
    namespace: es

    #———— Paste your own password file content here (default user/password=admin/adminadmin)————–
    data:
    users: |2
    YWRtaW46JGFwcjEkWXdmLkF6Um0kc3owTkpQMi55cy56V2svek43aENtLwoKdXNl
    cjokYXByMSRaU2VKQW1pOSRVV1AvcDdsQy9KSzdrbXBIMXdGL28uCgo=

    kind: Ingress
    apiVersion: networking.k8s.io/v1beta1
    metadata:
    name: kibana
    namespace: es
    annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web, websecure
    traefik.ingress.kubernetes.io/router.middlewares: es-basic-auth@kubernetescrd
    spec:
    rules:
    – host: dashboard.guardark.abc
    http:
    paths:
    – path: /
    backend:
    serviceName: kibana
    servicePort: 9192

    When I comment this line “traefik.ingress.kubernetes.io/router.middlewares: es-basic-auth@kubernetescrd”, it works.

    could you please help?

    Regards

  2. If you have 404 this is more a topic to your application (kibana) or with your service configuration and not necessarily of Traefik. You can take a look into the traefik log file. But I guess you will not see a problem there. You can also use the traefik web ui to see if traefik indicates any configuration errors and if traefik is listing you new kibana service.
    It may also be helpful if you first try the connection with plan HTTP and do the HTTPS stuff in a second stage. Because the HTTPS topic is tricky.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.