Kubernetes and Traefik v2

Overview

It has been a while since my last blog post about using Traefik as a Kubernetes Ingress Controller. That post covered Traefik v1.x and its simple Frontends-Backends model. Traefik v2 has since been rewritten and reorganized: the frontends and backends have been replaced with a combination of routers, services, and middleware. As a result, there are a bunch of config syntax changes. And of course, we have new features, such as:

  • Kubernetes CRD & IngressRoute
  • TCP Support
  • Cross Provider Support

In this blog post, I am gonna take notes for the deployment of the new Traefik version into Kubernetes. If you are looking for a migration guideline from v1 to v2, you can check out their official docs.

Config & Deployment

Traefik’s helm charts are available, but I am gonna list the YAML files that are needed for a deployment here. It is an easy way to show the config as YAML contents, and we can keep track of them in a version control system. You can find them on my Github repository as well.

Put everything in the same folder, then we can deploy easily with a single command:

$ kubectl apply -f .

However, before you apply, take note:

  • I use the default namespace; change it if you want.
  • I use a DaemonSet instead of a Deployment; change it if you want.
  • I use entrypoints.web.http.redirections.entryPoint.to=websecure to force a global redirection from http to https without middleware configs. Remove it if you don’t want that.
  • I use tls-ndk-name as my TLS secret. Please change it.
  • The dashboard is secured with basic authentication. You can generate the base64-encoded htpasswd entry with the command htpasswd -nb user password | openssl base64
  • I don’t use Ingress, I use IngressRoute. Yes, it is a new kind in Traefik v2.

YAML files

rbac.yaml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller

rules:
  # Read access to Services, Endpoints and Secrets. As a ClusterRole bound
  # with a ClusterRoleBinding, this covers Secrets in every namespace.
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  # Traefik v2 custom resources
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: default

resource-crd-definition.yml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced

---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: traefikservices.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TraefikService
    plural: traefikservices
    singular: traefikservice
  scope: Namespaced

service-account.yml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller

deployment.yml
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: traefik
  labels:
    app: traefik

spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
        - name: traefik
          image: traefik:v2.3
          args:
            - --accesslog=true
            - --api
            # --api.insecure serves the dashboard and API without authentication
            # on port 8080; the basic-auth IngressRoute in dashboard.yml does
            # not cover that port.
            - --api.insecure
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
            - --providers.kubernetescrd
            # This manifest does not mount anything at /config.
            - --configfile=/config/traefik.toml
            # Global http -> https redirection
            - --entrypoints.web.http.redirections.entryPoint.to=websecure
          ports:
            - name: web
              containerPort: 80
            - name: admin
              containerPort: 8080
            - name: websecure
              containerPort: 443

service.yml
apiVersion: v1
kind: Service
metadata:
  name: traefik
spec:
  type: LoadBalancer
  selector:
    app: traefik
  ports:
    - protocol: TCP
      port: 80
      name: web
      targetPort: 80
    - protocol: TCP
      port: 443
      name: websecure
      targetPort: 443
    # Publishes the unauthenticated --api.insecure port (8080) through the
    # LoadBalancer, alongside the basic-auth route defined in dashboard.yml.
    - protocol: TCP
      port: 8080
      name: admin
      targetPort: 8080

dashboard.yml
# Basic-auth middleware; credentials come from the Secret below
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-dashboard-auth
spec:
  basicAuth:
    secret: traefik-dashboard-auth
---
apiVersion: v1
kind: Secret
metadata:
  name: traefik-dashboard-auth
  namespace: default

data:
  # base64-encoded htpasswd entry (see the htpasswd command above)
  users: dXNlcjokYXByMSR6ZWRCRGVrdCQ1ZTJnaW4vL2RjRXVlZGVyTEo2bWkxCgo=
---
# Routes the dashboard and API over the websecure entrypoint, behind basic auth
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`dashboard.domain.ltd`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: traefik-dashboard-auth
  tls:
    secretName: tls-ndk-name
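
An added example, not part of the original post: a small Python check that decodes the users value of a basicAuth Secret and reports which htpasswd hash scheme each entry uses, so a weak scheme is caught before the manifest is applied or committed. The function name, the constructed bcrypt sample and the accept/reject verdicts are assumptions of this example; bcrypt entries come from htpasswd -nbB.

```python
import base64

# (prefix, scheme name, acceptable?) -- the verdicts are this example's own
# policy, not something Traefik enforces.
SCHEMES = [
    ("$2y$", "bcrypt", True),
    ("$2a$", "bcrypt", True),
    ("$2b$", "bcrypt", True),
    ("$apr1$", "apr1-md5", False),      # salted MD5, as in this page's value
    ("{SHA}", "sha1-unsalted", False),
]

# The `users` value from dashboard.yml on this page.
PAGE_USERS = "dXNlcjokYXByMSR6ZWRCRGVrdCQ1ZTJnaW4vL2RjRXVlZGVyTEo2bWkxCgo="
# Constructed sample: a bcrypt-shaped placeholder entry, not a real hash.
SAMPLE_BCRYPT = base64.b64encode(b"admin:$2y$10$" + b"A" * 53 + b"\n").decode()


def audit_users_field(b64_value):
    """Decode a basicAuth Secret `users` value; return (user, scheme, ok) per entry."""
    text = base64.b64decode(b64_value, validate=True).decode("utf-8")
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue  # `htpasswd -n` output ends with an empty line
        user, sep, digest = line.partition(":")
        if not (sep and user and digest):
            findings.append((line, "malformed", False))
            continue
        for prefix, scheme, ok in SCHEMES:
            if digest.startswith(prefix):
                findings.append((user, scheme, ok))
                break
        else:
            findings.append((user, "unrecognised", False))
    return findings


if __name__ == "__main__":
    for value in (PAGE_USERS, SAMPLE_BCRYPT):
        for user, scheme, ok in audit_users_field(value):
            print(f"{user}: {scheme} ({'ok' if ok else 'regenerate with htpasswd -nbB'})")
```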

Screenshot

Traefik v2 comes with a new dashboard interface :-).

Traefik v2 dashboard
