Wiki source code of Установка и Настройка Ingress Traefik
Last modified by Сергей Коршунов on 2024/07/11 11:22
Show last authors
| author | version | line-number | content |
|---|---|---|---|
| 1 | == Step 1 – Install Traefik Ingress Controller == | ||
| 2 | |||
| 3 | In this guide, we will install the Traefik Ingress Controller using Helm. Begin by installing **Helm** as below | ||
| 4 | |||
| 5 | {{{curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | ||
| 6 | chmod 700 get_helm.sh | ||
| 7 | sudo ./get_helm.sh}}} | ||
| 8 | |||
| 9 | Check your version of helm to confirm it was successfully installed. | ||
| 10 | |||
| 11 | {{{$ helm version | ||
| 12 | version.BuildInfo{Version:"v3.15.0", GitCommit:"50f003e5ee8704ec937a756c646870227d7c8b58", GitTreeState:"clean", GoVersion:"go1.18.8"}}}} | ||
| 13 | |||
| 14 | Add the [[Traefik Ingress helm repository>>url:https://github.com/traefik/traefik-helm-chart]] in your workstation by running the commands below. | ||
| 15 | |||
| 16 | {{{helm repo add traefik https://helm.traefik.io/traefik}}} | ||
| 17 | |||
| 18 | Update helm charts with the commands given below. | ||
| 19 | |||
| 20 | {{{$ helm repo update | ||
| 21 | |||
| 22 | Hang tight while we grab the latest from your chart repositories... | ||
| 23 | ...Successfully got an update from the "traefik" chart repository | ||
| 24 | ...Successfully got an update from the "metrics-server" chart repository | ||
| 25 | ...Successfully got an update from the "nfs-subdir-external-provisioner" chart repository | ||
| 26 | ...Successfully got an update from the "kubevious" chart repository | ||
| 27 | ...Successfully got an update from the "stable" chart repository | ||
| 28 | Update Complete. ⎈Happy Helming!⎈}}} | ||
| 29 | |||
| 30 | Create a namespace called traefik | ||
| 31 | |||
| 32 | {{{kubectl create ns traefik}}} | ||
| 33 | |||
| 34 | Install the Traefik Ingress Controller using the helm chart on **//traefik//** namespace. | ||
| 35 | |||
| 36 | {{{helm install traefik traefik/traefik --namespace traefik}}} | ||
| 37 | |||
| 38 | Sample output of successful command execution: | ||
| 39 | |||
| 40 | {{{NAME: traefik | ||
| 41 | LAST DEPLOYED: Wed Mar 8 17:33:01 2023 | ||
| 42 | NAMESPACE: traefik | ||
| 43 | STATUS: deployed | ||
| 44 | REVISION: 1 | ||
| 45 | TEST SUITE: None | ||
| 46 | NOTES: | ||
| 47 | Traefik Proxy v2.9.8 has been deployed successfully | ||
| 48 | on traefik namespace !}}} | ||
| 49 | |||
| 50 | You can customize the install with a values file. There are some [[EXAMPLES>>url:https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md]] provided. Complete documentation on all available parameters is in the [[default file>>url:https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml]]. | ||
| 51 | |||
| 52 | Example: | ||
| 53 | |||
| 54 | {{{helm upgrade --install traefik \ | ||
| 55 | --namespace traefik \ | ||
| 56 | --set dashboard.enabled=true \ | ||
| 57 | --set rbac.enabled=true \ | ||
| 58 | --set nodeSelector.node-type=master \ | ||
| 59 | --set="additionalArguments={--api.dashboard=true,--log.level=INFO,--providers.kubernetesingress.ingressclass=traefik-internal,--serversTransport.insecureSkipVerify=true}" \ | ||
| 60 | traefik/traefik \ | ||
| 61 | --version <version>}}} | ||
| 62 | |||
| 63 | Verify the installation by checking all resources in the namespace. | ||
| 64 | |||
| 65 | {{{$ kubectl get all -n traefik | ||
| 66 | NAME READY STATUS RESTARTS AGE | ||
| 67 | pod/traefik-6c77767cfd-pjkt7 1/1 Running 0 5m6s | ||
| 68 | |||
| 69 | NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE | ||
| 70 | service/traefik LoadBalancer 10.233.26.243 192.168.1.34 80:32715/TCP,443:30295/TCP 5m7s | ||
| 71 | |||
| 72 | NAME READY UP-TO-DATE AVAILABLE AGE | ||
| 73 | deployment.apps/traefik 1/1 1 1 5m7s | ||
| 74 | |||
| 75 | NAME DESIRED CURRENT READY AGE | ||
| 76 | replicaset.apps/traefik-6c77767cfd 1 1 1 5m7s}}} | ||
| 77 | |||
| 78 | From the above output, we have a **LoadBalancer** service with a //pending// external IP Address. This will be configured later in the guide. | ||
| 79 | |||
| 80 | View the Traefik CRDs with the command; | ||
| 81 | |||
| 82 | {{{$ kubectl get crd -n traefik | grep traefik | ||
| 83 | ingressroutes.traefik.containo.us 2023-03-08T14:32:55Z | ||
| 84 | ingressroutetcps.traefik.containo.us 2023-03-08T14:32:55Z | ||
| 85 | ingressrouteudps.traefik.containo.us 2023-03-08T14:32:55Z | ||
| 86 | middlewares.traefik.containo.us 2023-03-08T14:32:55Z | ||
| 87 | middlewaretcps.traefik.containo.us 2023-03-08T14:32:55Z | ||
| 88 | serverstransports.traefik.containo.us 2023-03-08T14:32:55Z | ||
| 89 | tlsoptions.traefik.containo.us 2023-03-08T14:32:55Z | ||
| 90 | tlsstores.traefik.containo.us 2023-03-08T14:32:55Z | ||
| 91 | traefikservices.traefik.containo.us 2023-03-08T14:32:55Z}}} | ||
| 92 | |||
| 93 | == Step 2 – Expose Traefik Dashboard == | ||
| 94 | |||
| 95 | Check Traefik service to check its Load balancer IP address. | ||
| 96 | |||
| 97 | {{{$ kubectl get svc -l app.kubernetes.io/name=traefik -n traefik | ||
| 98 | NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE | ||
| 99 | traefik LoadBalancer 10.233.26.243 192.168.1.34 80:32715/TCP,443:30295/TCP 3h43m}}} | ||
| 100 | |||
| 101 | We can confirm our load balancer IP address is 192.168.1.34. You can map this in your /etc/hosts file. | ||
| 102 | |||
| 103 | {{{$ sudo vim /etc/hosts | ||
| 104 | traefik.computingforgeeks.com 192.168.1.34}}} | ||
| 105 | |||
| 106 | Confirm you can ping the IP address using domain name. | ||
| 107 | |||
| 108 | {{{$ ping -c 2 traefik.home.cloudlabske.io | ||
| 109 | PING traefik.home.cloudlabske.io (192.168.1.34): 56 data bytes | ||
| 110 | 64 bytes from 192.168.1.34: icmp_seq=0 ttl=64 time=8.333 ms | ||
| 111 | 64 bytes from 192.168.1.34: icmp_seq=1 ttl=64 time=3.596 ms | ||
| 112 | |||
| 113 | --- traefik.home.cloudlabske.io ping statistics --- | ||
| 114 | 2 packets transmitted, 2 packets received, 0.0% packet loss | ||
| 115 | round-trip min/avg/max/stddev = 3.596/5.965/8.333/2.369 ms}}} | ||
| 116 | |||
| 117 | This HelmChart does not expose the Traefik dashboard by default, for security concerns. Thus, there are multiple ways to expose the dashboard. For instance, the dashboard access could be achieved through a port-forward, Nodeport or via Ingress. | ||
| 118 | |||
| 119 | === Expose using Port forwarding (Recommended way) === | ||
| 120 | |||
| 121 | You can gain access to the dashboard through **//port-forward//. **To achieve this run the following commands in your workstation where kubectl is configured. | ||
| 122 | |||
| 123 | {{{kubectl port-forward $(kubectl get pods --selector "app.kubernetes.io/name=traefik" --output=name) 9000:9000}}} | ||
| 124 | |||
| 125 | You can then access the dashboard on **//http:~/~/127.0.0.1:9000/dashboard///** | ||
| 126 | |||
| 127 | === Expose using Load balancer port === | ||
| 128 | |||
| 129 | Create a new file with ports exposed for Traefik service. | ||
| 130 | |||
| 131 | {{{vim traefik-dashboard-service.yml}}} | ||
| 132 | |||
| 133 | This will be used to patch the service. Here we’re adding new entry for port **9000** | ||
| 134 | |||
| 135 | {{{spec: | ||
| 136 | ports: | ||
| 137 | - name: web | ||
| 138 | port: 80 | ||
| 139 | protocol: TCP | ||
| 140 | targetPort: web | ||
| 141 | - name: websecure | ||
| 142 | port: 443 | ||
| 143 | protocol: TCP | ||
| 144 | targetPort: websecure | ||
| 145 | - name: traefik | ||
| 146 | port: 9000 | ||
| 147 | protocol: TCP | ||
| 148 | targetPort: traefik}}} | ||
| 149 | |||
| 150 | Apply the manifest with ~-~-patch option while providing the file path. | ||
| 151 | |||
| 152 | {{{$ kubectl -n traefik patch svc/traefik --patch "$(cat traefik-dashboard-service.yml)" | ||
| 153 | service/traefik patched}}} | ||
| 154 | |||
| 155 | Confirm the service is updated with new port **9000 **where the dashboard will be exposed. You can choose any other port as you prefer. | ||
| 156 | |||
| 157 | {{{$ kubectl get svc traefik | ||
| 158 | NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE | ||
| 159 | traefik LoadBalancer 10.233.26.243 192.168.1.34 80:32715/TCP,443:30295/TCP,9000:30811/TCP 4h3m}}} | ||
| 160 | |||
| 161 | From the output we can confirm our Load Balancer IP address to be **//192.168.1.34//**. You can access Traefik web dashboard on this IP directly or via domain name mapped to the IP address in your /etc/hosts file or actual DNS server. | ||
| 162 | |||
| 163 | {{{192.168.1.34 traefik.computingforgeeks.com}}} | ||
| 164 | |||
| 165 | Now that your cluster has an IP address/domain name, you can easily access the Traefik Dashboard and web services. But currently, the service is not available since we do not have any Ingress created. | ||
| 166 | |||
| 167 | {{{# curl http://traefik.computingforgeeks.com | ||
| 168 | 404 page not found}}} | ||
| 169 | |||
| 170 | Now proceed and access the Traefik Dashboard using the **//http:~/~/LB_IP:9000/dashboard///** | ||
| 171 | |||
| 172 | |||
| 173 | |||
| 174 | Or the URL [[http:~~/~~/domain_name:9000/dashboard/>>url:https://computingforgeeks.com/]] (do not forget to include the slash at the end of the URL) | ||
| 175 | |||
| 176 | |||
| 177 | |||
| 178 | == Step 3 – Protect Traefik Dashboard with basic Auth (//Recommended//) == | ||
| 179 | |||
| 180 | Create the custom middlewares used by the IngressRoute dashboard. We can start by downloading the default **values **file. | ||
| 181 | |||
| 182 | {{{wget https://raw.githubusercontent.com/traefik/traefik-helm-chart/master/traefik/values.yaml -O traefik-values.yaml}}} | ||
| 183 | |||
| 184 | Edit around line **144** and customize. Alternatively create a new custom values file. | ||
| 185 | |||
| 186 | {{{vim custom-traefik-values.yaml}}} | ||
| 187 | |||
| 188 | Add the contents given below while setting your own username and password. | ||
| 189 | |||
| 190 | {{{# Create an IngressRoute for the dashboard | ||
| 191 | ingressRoute: | ||
| 192 | dashboard: | ||
| 193 | enabled: true | ||
| 194 | # Additional ingressRoute annotations (e.g. for kubernetes.io/ingress.class) | ||
| 195 | annotations: {} | ||
| 196 | # Additional ingressRoute labels (e.g. for filtering IngressRoute by custom labels) | ||
| 197 | labels: {} | ||
| 198 | # The router match rule used for the dashboard ingressRoute | ||
| 199 | matchRule: PathPrefix(`/dashboard`) || PathPrefix(`/api`) | ||
| 200 | # Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure). | ||
| 201 | # By default, it's using traefik entrypoint, which is not exposed. | ||
| 202 | # /!\ Do not expose your dashboard without any protection over the internet /!\ | ||
| 203 | entryPoints: ["traefik"] | ||
| 204 | # Additional ingressRoute middlewares (e.g. for authentication) | ||
| 205 | middlewares: | ||
| 206 | - name: traefik-dashboard-auth | ||
| 207 | |||
| 208 | # Create the custom middlewares used by the IngressRoute dashboard (can also be created in another way). | ||
| 209 | # /!\ Yes, you need to replace "changeme" password with a better one. /!\ | ||
| 210 | extraObjects: | ||
| 211 | - apiVersion: v1 | ||
| 212 | kind: Secret | ||
| 213 | metadata: | ||
| 214 | name: traefik-dashboard-auth-secret | ||
| 215 | type: kubernetes.io/basic-auth | ||
| 216 | stringData: | ||
| 217 | username: admin | ||
| 218 | password: StrongAdminPassw0rd | ||
| 219 | |||
| 220 | - apiVersion: traefik.io/v1alpha1 | ||
| 221 | kind: Middleware | ||
| 222 | metadata: | ||
| 223 | name: traefik-dashboard-auth | ||
| 224 | spec: | ||
| 225 | basicAuth: | ||
| 226 | secret: traefik-dashboard-auth-secret}}} | ||
| 227 | |||
| 228 | Upgrade Traefik helm deployment. | ||
| 229 | |||
| 230 | {{{$ helm upgrade --values custom-traefik-values.yaml traefik traefik/traefik --namespace traefik | ||
| 231 | Release "traefik" has been upgraded. Happy Helming! | ||
| 232 | NAME: traefik | ||
| 233 | LAST DEPLOYED: Fri June 14 12:10:43 2024 | ||
| 234 | NAMESPACE: traefik | ||
| 235 | STATUS: deployed | ||
| 236 | REVISION: 2 | ||
| 237 | TEST SUITE: None | ||
| 238 | NOTES: | ||
| 239 | Traefik Proxy v3.0.2 has been deployed successfully | ||
| 240 | on traefik namespace !}}} | ||
| 241 | |||
| 242 | Reload Traefik dashboard to confirm if password authentication is required. | ||
| 243 | |||
| 244 | |||
| 245 | |||
| 246 | Provide set username and password to gain access. | ||
| 247 | |||
| 248 | == Step 4 – Test Traefik Ingress on Kubernetes == | ||
| 249 | |||
| 250 | Let’s create a sample application to test the functionality of Traefik Ingress on Kubernetes. | ||
| 251 | |||
| 252 | {{{vim whoami.yaml}}} | ||
| 253 | |||
| 254 | Add the lines below to the file – this defines the deployment of **//whoami//** application | ||
| 255 | |||
| 256 | {{{--- | ||
| 257 | apiVersion: apps/v1 | ||
| 258 | kind: Deployment | ||
| 259 | metadata: | ||
| 260 | labels: | ||
| 261 | app: whoami | ||
| 262 | name: whoami | ||
| 263 | spec: | ||
| 264 | replicas: 1 | ||
| 265 | selector: | ||
| 266 | matchLabels: | ||
| 267 | app: whoami | ||
| 268 | template: | ||
| 269 | metadata: | ||
| 270 | labels: | ||
| 271 | app: whoami | ||
| 272 | spec: | ||
| 273 | containers: | ||
| 274 | - image: traefik/whoami:latest | ||
| 275 | name: whoami | ||
| 276 | ports: | ||
| 277 | - containerPort: 80}}} | ||
| 278 | |||
| 279 | Apply the manifest with kubectl command | ||
| 280 | |||
| 281 | {{{kubectl create -f whoami.yaml}}} | ||
| 282 | |||
| 283 | Within few seconds the pod should be running, you can check with the commands below. | ||
| 284 | |||
| 285 | {{{$ kubectl get pods | ||
| 286 | NAME READY STATUS RESTARTS AGE | ||
| 287 | traefik-6c77767cfd-pjkt7 1/1 Running 0 18h | ||
| 288 | whoami-6ff6dcfdc8-q8rcc 1/1 Running 0 11s}}} | ||
| 289 | |||
| 290 | Create a service entry file for **//whoami//** service | ||
| 291 | |||
| 292 | {{{$ vim whoami-service.yaml | ||
| 293 | --- | ||
| 294 | apiVersion: v1 | ||
| 295 | kind: Service | ||
| 296 | metadata: | ||
| 297 | name: whoami-svc | ||
| 298 | spec: | ||
| 299 | type: ClusterIP | ||
| 300 | selector: | ||
| 301 | app: whoami | ||
| 302 | ports: | ||
| 303 | - port: 80}}} | ||
| 304 | |||
| 305 | Create the object on Kubernetes by applying the manifest. | ||
| 306 | |||
| 307 | {{{kubectl create -f whoami-service.yaml}}} | ||
| 308 | |||
| 309 | Confirm service creation was successful. | ||
| 310 | |||
| 311 | {{{$ kubectl get svc whoami-svc | ||
| 312 | NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE | ||
| 313 | whoami-svc ClusterIP 10.233.0.100 <none> 80/TCP 2m11s}}} | ||
| 314 | |||
| 315 | Now, this application is still not accessible until you create an Ingress to expose the service. | ||
| 316 | |||
| 317 | {{{vim whoami-ingress.yaml}}} | ||
| 318 | |||
| 319 | Add the below lines and replace the **host** with the domain name added in** /etc/hosts** for the external IP address: | ||
| 320 | |||
| 321 | {{{apiVersion: networking.k8s.io/v1 | ||
| 322 | kind: Ingress | ||
| 323 | metadata: | ||
| 324 | name: whoami-http | ||
| 325 | annotations: | ||
| 326 | traefik.ingress.kubernetes.io/router.entrypoints: web | ||
| 327 | spec: | ||
| 328 | rules: | ||
| 329 | - host: traefik.computingforgeeks.com | ||
| 330 | http: | ||
| 331 | paths: | ||
| 332 | - path: /whoami | ||
| 333 | pathType: Prefix | ||
| 334 | backend: | ||
| 335 | service: | ||
| 336 | name: whoami-svc | ||
| 337 | port: | ||
| 338 | number: 80}}} | ||
| 339 | |||
| 340 | Create ingress object on kubernetes | ||
| 341 | |||
| 342 | {{{kubectl apply -f app-ingress.yaml}}} | ||
| 343 | |||
| 344 | View the created Ingress: | ||
| 345 | |||
| 346 | {{{$ kubectl get ingress | ||
| 347 | NAME CLASS HOSTS ADDRESS PORTS AGE | ||
| 348 | whoami-http traefik traefik.computingforgeeks.com 80 57s}}} | ||
| 349 | |||
| 350 | Now access the deployment using the URL[[ http:~~/~~/domain_name/whoami>>url:http://domain_name/whoami]] | ||
| 351 | |||
| 352 | |||
| 353 | |||
| 354 | This confirms Traefik to be working as expected in our Kubernetes cluster. |