Installing and Configuring Traefik Ingress
Step 1 – Install Traefik Ingress Controller
In this guide, we will install the Traefik Ingress Controller using Helm. Begin by installing Helm as shown below.
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
chmod 700 get_helm.sh
sudo ./get_helm.sh
Check your version of helm to confirm it was successfully installed.
$ helm version
version.BuildInfo{Version:"v3.15.0", GitCommit:"50f003e5ee8704ec937a756c646870227d7c8b58", GitTreeState:"clean", GoVersion:"go1.18.8"}
Add the Traefik Ingress Helm repository on your workstation by running the command below.
helm repo add traefik https://helm.traefik.io/traefik
Update helm charts with the commands given below.
$ helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "traefik" chart repository
...Successfully got an update from the "metrics-server" chart repository
...Successfully got an update from the "nfs-subdir-external-provisioner" chart repository
...Successfully got an update from the "kubevious" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈Happy Helming!⎈
Create a namespace called traefik
kubectl create ns traefik
Install the Traefik Ingress Controller from the Helm chart into the traefik namespace.
helm install traefik traefik/traefik --namespace traefik
Sample output of successful command execution:
NAME: traefik
LAST DEPLOYED: Wed Mar 8 17:33:01 2023
NAMESPACE: traefik
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Traefik Proxy v2.9.8 has been deployed successfully on traefik namespace !
You can customize the install with a values file. There are some EXAMPLES provided. Complete documentation on all available parameters is in the default file.
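Example (note that the --serversTransport.insecureSkipVerify=true argument shown here disables certificate verification on connections from Traefik to HTTPS backends):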
helm upgrade --install traefik \
  --namespace traefik \
  --set dashboard.enabled=true \
  --set rbac.enabled=true \
  --set nodeSelector.node-type=master \
  --set="additionalArguments={--api.dashboard=true,--log.level=INFO,--providers.kubernetesingress.ingressclass=traefik-internal,--serversTransport.insecureSkipVerify=true}" \
  traefik/traefik \
  --version <version>
Verify the installation by checking all resources in the namespace.
$ kubectl get all -n traefik
NAME                           READY   STATUS    RESTARTS   AGE
pod/traefik-6c77767cfd-pjkt7   1/1     Running   0          5m6s

NAME              TYPE           CLUSTER-IP      EXTERNAL-IP    PORT(S)                      AGE
service/traefik   LoadBalancer   10.233.26.243   192.168.1.34   80:32715/TCP,443:30295/TCP   5m7s

NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/traefik   1/1     1            1           5m7s

NAME                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/traefik-6c77767cfd   1         1         1       5m7s
From the above output, we have a LoadBalancer service with a pending external IP Address. This will be configured later in the guide.
View the Traefik CRDs with the command:
$ kubectl get crd -n traefik | grep traefik
ingressroutes.traefik.containo.us       2023-03-08T14:32:55Z
ingressroutetcps.traefik.containo.us    2023-03-08T14:32:55Z
ingressrouteudps.traefik.containo.us    2023-03-08T14:32:55Z
middlewares.traefik.containo.us         2023-03-08T14:32:55Z
middlewaretcps.traefik.containo.us      2023-03-08T14:32:55Z
serverstransports.traefik.containo.us   2023-03-08T14:32:55Z
tlsoptions.traefik.containo.us          2023-03-08T14:32:55Z
tlsstores.traefik.containo.us           2023-03-08T14:32:55Z
traefikservices.traefik.containo.us     2023-03-08T14:32:55Z
Step 2 – Expose Traefik Dashboard
Check the Traefik service to find its load balancer IP address.
$ kubectl get svc -l app.kubernetes.io/name=traefik -n traefik
NAME      TYPE           CLUSTER-IP      EXTERNAL-IP    PORT(S)                      AGE
traefik   LoadBalancer   10.233.26.243   192.168.1.34   80:32715/TCP,443:30295/TCP   3h43m
We can confirm our load balancer IP address is 192.168.1.34. You can map this in your /etc/hosts file.
$ sudo vim /etc/hosts
192.168.1.34 traefik.computingforgeeks.com
Confirm you can ping the IP address using the domain name.
$ ping -c 2 traefik.home.cloudlabske.io
PING traefik.home.cloudlabske.io (192.168.1.34): 56 data bytes
64 bytes from 192.168.1.34: icmp_seq=0 ttl=64 time=8.333 ms
64 bytes from 192.168.1.34: icmp_seq=1 ttl=64 time=3.596 ms

--- traefik.home.cloudlabske.io ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 3.596/5.965/8.333/2.369 ms
For security reasons, this Helm chart does not expose the Traefik dashboard by default. There are several ways to expose it: through a port-forward, a NodePort, or an Ingress.
Expose using Port forwarding (Recommended way)
You can gain access to the dashboard through a port-forward. To do this, run the following command on your workstation where kubectl is configured.
kubectl port-forward -n traefik $(kubectl get pods -n traefik --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000
You can then access the dashboard on http://127.0.0.1:9000/dashboard/
Expose using Load balancer port
Create a new file with ports exposed for Traefik service.
vim traefik-dashboard-service.yml
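This will be used to patch the service. Here we're adding a new entry for port 9000, which makes the dashboard reachable by anyone who can reach the load balancer IP until authentication is added in Step 3.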
spec:
  ports:
  - name: web
    port: 80
    protocol: TCP
    targetPort: web
  - name: websecure
    port: 443
    protocol: TCP
    targetPort: websecure
  - name: traefik
    port: 9000
    protocol: TCP
    targetPort: traefik
Apply the manifest with the --patch option while providing the file path.
$ kubectl -n traefik patch svc/traefik --patch "$(cat traefik-dashboard-service.yml)"
service/traefik patched
Confirm the service is updated with new port 9000 where the dashboard will be exposed. You can choose any other port as you prefer.
$ kubectl get svc traefik -n traefik
NAME      TYPE           CLUSTER-IP      EXTERNAL-IP    PORT(S)                                     AGE
traefik   LoadBalancer   10.233.26.243   192.168.1.34   80:32715/TCP,443:30295/TCP,9000:30811/TCP   4h3m
From the output we can confirm that our load balancer IP address is 192.168.1.34. You can access the Traefik web dashboard on this IP directly, or via a domain name mapped to the IP address in your /etc/hosts file or in an actual DNS server.
192.168.1.34 traefik.computingforgeeks.com
Now that your cluster has an IP address/domain name, you can easily access the Traefik Dashboard and web services. But currently, the service is not available since we do not have any Ingress created.
# curl http://traefik.computingforgeeks.com
404 page not found
Now proceed and access the Traefik Dashboard using the URL http://LB_IP:9000/dashboard/
or the URL http://domain_name:9000/dashboard/ (do not forget to include the slash at the end of the URL).
Step 3 – Protect Traefik Dashboard with basic Auth (Recommended)
Create the custom middlewares used by the IngressRoute dashboard. We can start by downloading the default values file.
wget https://raw.githubusercontent.com/traefik/traefik-helm-chart/master/traefik/values.yaml -O traefik-values.yaml
Edit around line 144 and customize. Alternatively, create a new custom values file.
vim custom-traefik-values.yaml
Add the contents given below while setting your own username and password.
# Create an IngressRoute for the dashboard
ingressRoute:
  dashboard:
    enabled: true
    # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class)
    annotations: {}
    # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels)
    labels: {}
    # The router match rule used for the dashboard ingressRoute
    matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
    # Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure).
    # By default, it's using traefik entrypoint, which is not exposed.
    # /!\ Do not expose your dashboard without any protection over the internet /!\
    entryPoints: ["traefik"]
    # Additional ingressRoute middlewares (e.g. for authentication)
    middlewares:
      - name: traefik-dashboard-auth

# Create the custom middlewares used by the IngressRoute dashboard (can also be created in another way).
# /!\ Yes, you need to replace "changeme" password with a better one. /!\
extraObjects:
  - apiVersion: v1
    kind: Secret
    metadata:
      name: traefik-dashboard-auth-secret
    type: kubernetes.io/basic-auth
    stringData:
      username: admin
      password: StrongAdminPassw0rd

  - apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
      name: traefik-dashboard-auth
    spec:
      basicAuth:
        secret: traefik-dashboard-auth-secret
Upgrade the Traefik Helm deployment.
$ helm upgrade --values custom-traefik-values.yaml traefik traefik/traefik --namespace traefik
Release "traefik" has been upgraded. Happy Helming!
NAME: traefik
LAST DEPLOYED: Fri June 14 12:10:43 2024
NAMESPACE: traefik
STATUS: deployed
REVISION: 2
TEST SUITE: None
NOTES:
Traefik Proxy v3.0.2 has been deployed successfully on traefik namespace !
Reload the Traefik dashboard to confirm that password authentication is now required.
Provide the username and password you set to gain access.
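The same confirmation can be done from the command line. The script below is an added example (not part of the original guide or the Traefik chart): it requests both path prefixes from the dashboard matchRule without and with credentials and reports whether each one is protected. The base URL argument and the DASH_CREDS variable are assumptions you supply.

```shell
#!/bin/sh
# Added example: check that the Traefik dashboard and API demand credentials.
# Assumptions: base URL is passed as $1, credentials as DASH_CREDS=user:password.

# Both prefixes from the dashboard matchRule: PathPrefix(/dashboard) || PathPrefix(/api)
PROBE_PATHS="/dashboard/ /api/rawdata"

# http_code URL [user:password] -> prints the status code (000 if unreachable)
http_code() {
    if [ -n "${2:-}" ]; then
        curl -s -o /dev/null -m 5 -w '%{http_code}' -u "$2" "$1"
    else
        curl -s -o /dev/null -m 5 -w '%{http_code}' "$1"
    fi
}

# verdict ANON_CODE AUTH_CODE -> prints what the pair of responses means
verdict() {
    case "$1" in
        401) case "$2" in
                 2??|3??) echo "protected" ;;        # challenge, then access
                 401)     echo "bad-credentials" ;;  # login differs from the Secret
                 *)       echo "auth-path-error" ;;
             esac ;;
        2??|3??) echo "EXPOSED" ;;      # served without any credentials
        404)     echo "not-routed" ;;   # entrypoint answers, no router matched
        000)     echo "unreachable" ;;
        *)       echo "unexpected" ;;
    esac
}

# check_dashboard BASE_URL user:password -> returns 0 only if every path is protected
check_dashboard() {
    rc=0
    for p in $PROBE_PATHS; do
        anon=$(http_code "$1$p") || true
        auth=$(http_code "$1$p" "$2") || true
        v=$(verdict "${anon:-000}" "${auth:-000}")
        echo "$p anon=${anon:-000} auth=${auth:-000} -> $v"
        [ "$v" = "protected" ] || rc=1
    done
    return "$rc"
}

# Example: DASH_CREDS='admin:...' sh check-dashboard.sh http://LB_IP:9000
if [ -n "${1:-}" ]; then
    check_dashboard "$1" "${DASH_CREDS:?set DASH_CREDS=user:password}"
fi
```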
Step 4 – Test Traefik Ingress on Kubernetes
Let’s create a sample application to test the functionality of Traefik Ingress on Kubernetes.
vim whoami.yaml
Add the lines below to the file – this defines the deployment of whoami application
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: whoami
  name: whoami
spec:
  replicas: 1
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - image: traefik/whoami:latest
          name: whoami
          ports:
            - containerPort: 80
Apply the manifest with kubectl command
kubectl create -f whoami.yaml
Within a few seconds the pod should be running. You can check with the command below.
$ kubectl get pods
NAME                       READY   STATUS    RESTARTS   AGE
traefik-6c77767cfd-pjkt7   1/1     Running   0          18h
whoami-6ff6dcfdc8-q8rcc    1/1     Running   0          11s
Create a service entry file for whoami service
$ vim whoami-service.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: whoami-svc
spec:
  type: ClusterIP
  selector:
    app: whoami
  ports:
    - port: 80
Create the object on Kubernetes by applying the manifest.
kubectl create -f whoami-service.yaml
Confirm service creation was successful.
$ kubectl get svc whoami-svc
NAME         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)   AGE
whoami-svc   ClusterIP   10.233.0.100   <none>        80/TCP    2m11s
Now, this application is still not accessible until you create an Ingress to expose the service.
vim whoami-ingress.yaml
Add the lines below and replace the host with the domain name added in /etc/hosts for the external IP address:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami-http
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
    - host: traefik.computingforgeeks.com
      http:
        paths:
          - path: /whoami
            pathType: Prefix
            backend:
              service:
                name: whoami-svc
                port:
                  number: 80
Create the Ingress object on Kubernetes:
kubectl apply -f whoami-ingress.yaml
View the created Ingress:
$ kubectl get ingress
NAME          CLASS     HOSTS                           ADDRESS   PORTS   AGE
whoami-http   traefik   traefik.computingforgeeks.com             80      57s
Now access the deployment using the URL http://domain_name/whoami
This confirms Traefik to be working as expected in our Kubernetes cluster.