Not yet, traifik? Just read this article! (book at the end of the text)

Hello, I'm jock.

Some people may not be familiar with traifik, but they should be familiar with Nginx.

For the time being, we regard Traefik as a kind of software similar to Nginx. After reading the whole article, you will have a different understanding of Traefik.

This article mainly takes you to have a comprehensive understanding of Traefik. I will introduce it from the following aspects.

This article is based on traifik 2.5.3.

What is Traefik

Traefik is an open source edge routing gateway, which is easy to use and fully functional. The official [1] introduction is: traefik is an [open source]( https://github.com/traefik/traefik ) _ Edge Router_ that makes publishing your services a fun and easy experience.

Traifik supports a variety of clusters, such as Kubernetes, Docker, Docker Swarm, AWS, Mesos, Marathon, etc; And can handle many clusters at the same time.

image.png

Traifik's core concepts and capabilities

Traefik is an edge router. It will intercept external requests and choose different operation modes according to logical rules. These rules determine how to deal with these requests. Traefik provides automatic discovery capability, which will detect services in real time and automatically update routing rules.

As can be seen from the above figure, the requests will first be connected to the entry points, and then analyze whether these requests match the defined rules. If they match, they will pass through a series of middlewares and then to the corresponding services.

This involves the following important core components.

  • Providers
  • Entrypoints
  • Routers
  • Services
  • Middlewares

Providers

Providers is the basic component through which the configuration discovery of Traefik is realized. It can be a coordinator, container engine, cloud provider or key value storage.

Traefik queries the relevant information of the route through the API of Providers. Once a change is detected, it will dynamically update the route.

Entrypoints

Entrypoints is the network portal of Traefik. It defines the interface to receive requests and whether to listen to TCP or UDP.

Routers

Routers is mainly used to analyze requests and connect them to corresponding services. In this process, routers can also use Middlewares to update requests, such as adding some Headers before sending requests to services.

Services

Services is responsible for configuring how to reach the actual service that will eventually process incoming requests.

Middlewares

Middlewares are used to modify the request or make some judgments according to the request (authentication, rate limiting, headers,...). Middleware is attached to the route. It is a method to adjust the request before the request is sent to your service (or before the service response is sent to the client).

Deploy traifik

There are many ways to deploy traifik. Here, Helm is mainly used for deployment management.

Helm deployment

Environment: kubernetes: 1.22.3 helm: 3.7.1

1. Add traefik helm warehouse
$ helm repo add traefik https://helm.traefik.io/traefik
$ helm repo update
2. Download the traefik package locally for management
$ helm  search repo traefik
NAME            CHART VERSION APP VERSION DESCRIPTION                                  
traefik/traefik 10.6.0        2.5.3       A Traefik based Kubernetes ingress controller
$ helm pull traefik/traefik
3. Deploy traifik

The default value.yaml[2] configuration file has many configurations, which may take some time to sort out, but it can be understood quickly according to the relevant comments.

Here you can customize a configuration file, my-value.yaml, as follows:

service:
  type: NodePort 

ingressRoute:
  dashboard:
    enabled: false
ports:
  traefik:
    port: 9000
    expose: true
  web:
    port: 8000
    expose: true
  websecure:
    port: 8443
    expose: true
persistence:
  enabled: true
  name: data
  accessMode: ReadWriteOnce
  size: 5G
  storageClass: "openebs-hostpath"
  path: /data
additionalArguments:
  - "--serversTransport.insecureSkipVerify=true"
  - "--api.insecure=true"
  - "--api.dashboard=true"

To deploy, the command is as follows:

$ kubectl create ns traefik-ingress
$ helm install traefik -n traefik-ingress -f my-value.yaml .

The default value.yaml[2] configuration file is not used here.

Then you can see the deployment results as follows:

# kubectl get all -n traefik-ingress 
NAME                           READY   STATUS    RESTARTS   AGE
pod/traefik-77ff894bb5-qqszd   1/1     Running   0          6m26s

NAME              TYPE       CLUSTER-IP      EXTERNAL-IP   PORT(S)                                     AGE
service/traefik   NodePort   10.108.170.22   <none>        9000:32271/TCP,80:31728/TCP,443:30358/TCP   6m26s

NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/traefik   1/1     1            1           6m26s

NAME                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/traefik-77ff894bb5   1         1         1       6m26s

Then you can access the Dashboard page through NodePort, as follows:

Using traifik

Create first routing rule

We use the NodePort method to access the Dashboard. Now that Traefik has been deployed, why not use the routing gateway method?

Let's create the first routing gateway to access the Dashboard.

There are many ways for Traefik to create routing rules, such as:

  • Native Ingress writing
  • Use CRD ingresroute mode
  • How to use the gateway API

The first two methods are briefly introduced here. The gateway API methods will be introduced later.

Native Ingress routing rules

The routing rules of the native Ingress are relatively simple, as follows.

# cat traefik-ingress.yaml 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-dashboard-ingress
  annotations:
    kubernetes.io/ingress.class: traefik  
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  rules:
  - host: traefik-web.coolops.cn 
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: traefik
            port:
              number: 9000

To create a routing rule, the command is as follows:

# kubectl apply -f traefik-ingress.yaml -n traefik-ingress 
ingress.networking.k8s.io/traefik-dashboard-ingress created

Now you can use the domain name http://traefik-web.coolops.cn:31728/dashboard/#/ Accessed (31728 is the mapped port of port 80), as follows:

Configure routing rules in CRD mode

In earlier versions, Traefik only provided kubernetes ingress to configure routing rules. The community believed that developing a custom CRD type could better provide Kubernetes access configuration [3].

The configuration method of ingresroute is also relatively simple, as follows:

# cat traefik-ingressRoute.yaml 
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`traefik-web2.coolops.cn`)
    kind: Rule
    services:
      - name: traefik
        port: 9000 

The deployment command is as follows:

# kubectl apply -f traefik-ingressRoute.yaml -n traefik-ingress 
ingressroute.traefik.containo.us/traefik-dashboard-route created

Then you can pass http://traefik-web2.coolops.cn:31728/dashboard/#/ Visited.

Expose HTTP services

First, deploy a simple whoami[4] application. The YAML file is as follows:

---
apiVersion: v1
kind: Pod
metadata:
  name: whoami
  labels:
    app: whoami
spec:
  containers:
    - name: whoami
      image: traefik/whoami:latest
      ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: whoami
  type: ClusterIP

After successful deployment, create a routing rule so that external users can access it.

# cat ingressroute.yaml 
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-route
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`whoami.coolops.cn`)
    kind: Rule
    services:
      - name: whoami
        port: 80 

After creation, you can access it as follows:

Expose HTTPS services

The whoami application above is accessed through HTTP. If you want to access through HTTPS, how should you configure it?

Traifik supports HTTPS and TLS. For certificates, you can select your own certificate or use Let's Encrypt [5] to automatically generate certificates. These two methods will be introduced here.

Own certificate configuration HTTPS

Now the company will basically purchase more secure certificates by itself, so HTTPS will be used more frequently for its own certificate configuration. This configuration method is mainly introduced here.

1. Apply for or purchase certificates

Here is the free certificate I applied for in Tencent cloud.

Then download the corresponding certificate and upload it to the server.

2. Save the certificate file as Secret
# kubectl create secret tls whoami-tls --cert=1_whoami.coolops.cn_bundle.crt --key=2_whoami.coolops.cn.key
3. Create an ingresroute object so that it can be accessed through TLS
# cat ingressroutetls.yaml 
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-route-tls
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`whoami.coolops.cn`)
    kind: Rule
    services:
      - name: whoami
        port: 80 
  tls:
    secretName: whoami-tls

Once created, you can https://whoami.coolops.cn:30358/ Accessed (30358 is the port mapped by 443).

Automatically generate HTTPS certificate

In addition to using its own certificates, traifik also supports Let's Encrypt to automatically generate certificates [6].

To automatically generate a certificate using Let's Encrypt, you need to use ACME. The "certificate parser" needs to be defined in the static configuration, and Traefik is responsible for retrieving the certificate from the ACME server.

Then, each "router" is configured to enable TLS and is associated with a certificate parser through the tls.certresolver configuration option.

Traifik's ACME verification methods mainly include the following three types:

  • tlsChallenge
  • httpChallenge
  • dnsChallenge

If tlsChallenge is used, Let's Encrypt to Traefik 443 port must be reachable. If httpChallenge is used, Let's Encrypt to traifik 80 port must be reachable. If you use dnsChallenge, you need the corresponding providers[7].

However, ports 80 and 443 were not exposed when we deployed Traefik above. To test tlsChallenge and httpChallenge, we must expose them. Let's change my-value.yaml as follows:

service:
  type: NodePort 

ingressRoute:
  dashboard:
    enabled: false
ports:
  traefik:
    port: 9000
    expose: true
  web:
    port: 8000
    hostPort: 80
    expose: true
  websecure:
    port: 8443
    hostPort: 443
    expose: true
persistence:
  enabled: true
  name: data
  accessMode: ReadWriteOnce
  size: 5G
  storageClass: "openebs-hostpath"
  path: /data
additionalArguments:
  - "--serversTransport.insecureSkipVerify=true"
  - "--api.insecure=true"
  - "--api.dashboard=true"

Then update Traefik again. The command is as follows:

helm upgrade traefik -n traefik-ingress -f my-value.yaml .

Now we can access it directly through port 80 or 443.

1,tlsChallenge

As mentioned above, to use tlsChallenge, you must be able to access port 443 of the portal. Now that the portal has been opened, we will modify the my-value.yaml configuration of Traefik, as follows:

......
deployment:
  initContainers:
    - name: volume-permissions
      image: busybox:1.31.1
      command: ["sh", "-c", "chmod -Rv 600 /data/*"]
      volumeMounts:
        - name: data
          mountPath: /data
additionalArguments:
  - "--serversTransport.insecureSkipVerify=true"
  - "--api.insecure=true"
  - "--api.dashboard=true"
  - "--certificatesresolvers.coolops.acme.email=coolops@163.com"
  - "--certificatesresolvers.coolops.acme.storage=/data/acme.json"
  - "--certificatesresolvers.coolops.acme.tlschallenge=true"

PS: here, you need to change the permission of / data directory. The default is 0660. If the permission is too large, it is not allowed.

Then we create an ingress route as follows:

# cat ingressrouteautotls.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-route-auto-tls
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`whoami3.coolops.cn`)
    kind: Rule
    services:
      - name: whoami
        port: 80 
  tls:
    certResolver: coolops

This is when we visit https://whoami3.coolops.cn The certificate can be used normally, as follows:

2,httpChallenge

Next, use httpChallenge to test. Modify the my-value.yaml configuration file as follows:

......
deployment:
  initContainers:
    - name: volume-permissions
      image: busybox:1.31.1
      command: ["sh", "-c", "chmod -Rv 600 /data/*"]
      volumeMounts:
        - name: data
          mountPath: /data
additionalArguments:
  - "--serversTransport.insecureSkipVerify=true"
  - "--api.insecure=true"
  - "--api.dashboard=true"
  - "--certificatesresolvers.coolops.acme.email=coolops@163.com"
  - "--certificatesresolvers.coolops.acme.storage=/data/acme.json"
  - "--certificatesresolvers.coolops.acme.httpchallenge=true"
  - "--certificatesresolvers.coolops.acme.httpchallenge.entrypoint=web"

After updating traifik, create an ingressRoute for testing. The YAML file is as follows:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-route-auto-tls-http
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`whoami4.coolops.cn`)
    kind: Rule
    services:
      - name: whoami
        port: 80
  tls:
    certResolver: coolops

Then use https://whoami4.coolops.cn , the effect is as follows:

3,dnsChallenge

dnsChallenge is relatively troublesome to use because the corresponding provider needs to be configured, but it can generate wildcard certificates. Here, take alicloud DNS [8] as an example.

The premise of using Alibaba DNS is that your domain name is on Alibaba cloud, otherwise an error will be reported when signing the certificate, as follows:

Unable to obtain ACME certificate for domains \"*.coolops.cn\" : unable to generate a certificate for the domains [*.coolops.cn]: error: one or more domains had a problem:\n[*.coolops.cn] [*.coolops.cn] acme: error presenting token: alicloud: zone coolops.cn. not found in AliDNS for domain coolops.cn\n" providerName=coolops.acme

Three environment variables need to be configured for alicloud DNS verification: ALICLOUD_ACCESS_KEY,ALICLOUD_SECRET_KEY,ALICLOUD_REGION_ID, which respectively corresponds to the key we use when developing Alibaba cloud applications, can be obtained by logging in to the Alibaba cloud background. Because this is relatively private information, we use the Secret object to create:

$ kubectl create secret generic traefik-alidns --from-literal=ALICLOUD_ACCESS_KEY=<aliyun ak> --from-literal=ALICLOUD_SECRET_KEY=<aliyun sk>--from-literal=ALICLOUD_REGION_ID=cn-beijing -n traefik-ingress

Modify my-value.yaml of Traefik as follows:

......
additionalArguments:
  - "--serversTransport.insecureSkipVerify=true"
  - "--api.insecure=true"
  - "--api.dashboard=true"
  - "--certificatesresolvers.coolops.acme.email=coolops@163.com"
  - "--certificatesresolvers.coolops.acme.storage=/data/acme.json"
  - "--certificatesresolvers.coolops.acme.dnschallenge=true"
  - "--certificatesResolvers.coolops.acme.dnsChallenge.provider=alidns"
envFrom:
  - secretRef: 
      name: traefik-alidns

After updating the traifik, create an ingressRoute for testing. The YAML file is as follows (because coolops.cn is not on alicloud, a domain name is changed):

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-route-auto-tls-dns
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`whoami6.coolops.cn`)
    kind: Rule
    services:
      - name: whoami
        port: 80 
  tls:
    certResolver: coolops 
    domains:
    - main: "*.coolops.cn"

After accessing the domain name, you can see that the certificate is signed successfully, as follows:

Use of Middleware

When introducing the core concept of Traefik, it was mentioned that after a request matches Rules, it will go through a series of Middleware and then to the specific Services. What is this Middleware?

image.png

Middleware is a new function after Traefik 2.0. Users can choose different middleware to meet the service according to their unreasonable needs, which improves the customization ability.

Traifik has built-in Middleware with many different functions, mainly for HTTP and TCP. HTTP accounts for the majority [9]. Here are some commonly used ones for demonstration.

Force a jump to HTTPS

Forced jump to HTTPS is a frequently configured function. Here is the whoami application not mentioned above as an example.

1. Create an HTTPS ingressRoute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-route-auto-tls
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`whoami3.coolops.cn`)
    kind: Rule
    services:
      - name: whoami
        port: 80 
  tls:
    certResolver: coolops
2. Define a middleware that jumps to HTTPS

The built-in middleware of RedirectScheme will be used here. The configuration is as follows:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https-middleware
spec:
  redirectScheme:
    scheme: https
3. Define an HTTP ingressRoute and use Middleware
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami3-route
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`whoami3.coolops.cn`)
    kind: Rule
    services:
      - name: whoami
        port: 80
    middlewares:
    - name: redirect-https-middleware

Then visit http://whoami3.coolops.cn Will be forced to jump to https://whoami3.coolops.cn .

Remove request path prefix

Sometimes there is a need:

  • Only one domain name
  • You can access different applications through this domain name

This requirement is very common. In NGINX, we can configure multiple locations to customize rules, and Traefik can also do so.

However, after customizing different prefixes, because the application itself does not have these prefixes, the request returns 404. At this time, we need to process the requested path, or take whoami application as an example.

1. Create an ingressRoute with a prefix
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami7-route
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`whoami7.coolops.cn`) && PathPrefix('/coolops')
    kind: Rule
    services:
      - name: whoami
        port: 80 

Our current access will return 404 status.

2. Define prefixed Middleware
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prefix-coolops-url-middleware
spec:
  stripPrefix:
    prefixes:
      - /coolops
3. Modify the above ingressRoute to apply middleware
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami7-route
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`whoami7.coolops.cn`) && PathPrefix('/coolops')
    kind: Rule
    services:
      - name: whoami
        port: 80
    middlewares:
    - name: prefix-coolops-url-middleware

Then you can access it normally.

Add IP whitelist

In our work, we do not want to expose some URLs, such as prometheus, grafana, etc. at this time, we want to meet the requirements through the white list IP, so we can use the ipWhiteList Middleware in Traefik.

1. Middleware for defining whitelist IP
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: ip-white-list-middleware
spec:
  ipWhiteList:
    sourceRange:
      - 127.0.0.1/32
      - 192.168.100.180

Then apply the middleware to the corresponding Rules to complete the whitelist function.

In addition to the above functions, the built-in Middleware in Traefik also supports many other functions, such as current limiting, authentication, etc., which can be viewed by referencing [9].

Expose TCP services

Traefik 2.0 supports TCP exposure. Take Redis as an example.

1. Deploy a Redis service
apiVersion: apps/v1
kind: Deployment
metadata:
  name: redis
spec:
  selector:
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      containers:
      - name: redis
        image: redis:5.0.14
        ports:
        - containerPort: 6379
          protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: redis
spec:
  ports:
  - port: 6379
    targetPort: 6379
  selector:
    app: redis
2. Expose Redis port

The exposed TCP port uses SNI [10], and SNI depends on TLS, so we need to configure the certificate. However, if there is no certificate, we can use the wildcard * for configuration.

(1) . add an entry point for redis

Modify the deployment file my-value.yaml of Traefik and add the following:

ports:
  traefik:
    port: 9000
    expose: true
  web:
    port: 8000
    hostPort: 80
    expose: true
  websecure:
    port: 8443
    hostPort: 443
    expose: true
  redis:
    port: 6379
    containerPort: 6379
    hostPort: 6379
additionalArguments:
  - "--entryPoints.redis.address=:6379"
  - "--serversTransport.insecureSkipVerify=true"
  - "--api.insecure=true"
  - "--api.dashboard=true"
  - "--certificatesresolvers.coolops.acme.email=coolops@163.com"
  - "--certificatesresolvers.coolops.acme.storage=/data/acme.json"
  - "--certificatesresolvers.coolops.acme.httpchallenge=true"
  - "--certificatesresolvers.coolops.acme.httpchallenge.entrypoint=web"

Add -- entryPoints.redis.address=:6379 to the startup parameters to specify the entrypoint.

(2) Create ingressRoute for external exposure
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: redis-traefik-tcp
spec:
  entryPoints:
    - redis
  routes:
  - match: HostSNI(`*`)
    services:
    - name: redis
      port: 6379

Then you can use the client tool to perform Redis operations.

# redis-cli -h redis.coolops.cn 
redis.coolops.cn:6379> set  a b
OK
redis.coolops.cn:6379> get a
"b"
redis.coolops.cn:6379> 

Grayscale Publishing

A more powerful function after traefik 2.0 is gray-scale publishing. Gray-scale publishing is sometimes called Canary publishing, which mainly allows some tested services to participate in the online. After testing, observe whether the symbol is required to go online.

Suppose an application is running V1 and the new V2 version needs to go online. At this time, we need to deploy the V2 version in the cluster, and then realize this function through weighted polling (WRR) provided by Traefik.

1. Deploy appv1 and appv2 applications

appv1.yaml

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: appv1
spec:
  selector:
    matchLabels:
      app: appv1
  template:
    metadata:
      labels:
        use: test
        app: appv1
    spec:
      containers:
      - name: nginx
        image: nginx
        imagePullPolicy: IfNotPresent
        lifecycle:
          postStart:
            exec:
              command:  ["/bin/sh", "-c", "echo Hello v1 > /usr/share/nginx/html/index.html"]
        ports:
        - containerPort: 80
          name: portv1

---

apiVersion: v1
kind: Service
metadata:
  name: appv1
spec:
  selector:
    app: appv1
  ports:
  - name: http
    port: 80
    targetPort: portv1

appv2.yaml

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: appv2
spec:
  selector:
    matchLabels:
      app: appv2
  template:
    metadata:
      labels:
        use: test
        app: appv2
    spec:
      containers:
      - name: nginx
        image: nginx
        imagePullPolicy: IfNotPresent
        lifecycle:
          postStart:
            exec:
              command:  ["/bin/sh", "-c", "echo Hello v2 > /usr/share/nginx/html/index.html"]
        ports:
        - containerPort: 80
          name: portv2

---

apiVersion: v1
kind: Service
metadata:
  name: appv2
spec:
  selector:
    app: appv2
  ports:
  - name: http
    port: 80
    targetPort: portv2
2. Create traifikservice

After traefik 2.1, a CRD resource of traefik service is added. We can directly use this object to configure WRR.

apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: app-wrr
spec:
  weighted:
    services:
      - name: appv1
        weight: 3
        port: 80
        kind: Service
      - name: appv2
        weight: 1
        port: 80
        kind: Service
3. Create ingressRoute
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-ingressroute-canary 
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`app.coolops.cn`)
    kind: Rule
    services:
    - name: app-wrr
      kind: TraefikService

Note: the Service type is not configured here, but the traifikservice.

Then you can access http://app.coolops.cn To verify the results.

After the V2 test is OK, you can switch the flow to v2.

Traffic replication

After Traefik 2.0, the image service [11] is also introduced. It can copy the requested traffic and send it to other services according to rules, and will ignore the response of these requests.

This function is still very useful when doing some pressure measurement or problem recurrence.

Here is still a simple demonstration of the above-mentioned appv1 and appv2.

1. Create a traifikservice and define replication rules
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: app-mirror
spec:
  mirroring:
    name: appv1
    port: 80
    mirrors:
    - name: appv2
      percent: 50
      port: 80

The above definition means that 50% of the requests to appv1 are copied to appv2.

2. Create ingressRoute and demonstrate the effect
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-ingressroute-mirror
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`mirror.coolops.cn`)
    kind: Rule
    services:
    - name: app-mirror
      kind: TraefikService

Then test, the effect is as follows:

After four requests, appv1 can normally receive four requests, and appv2 can receive two requests. The received response is from appv1, but there is no response from appv2.

Kubernetes Gateway API

We create routing rules using either ingress or ingresroute. In fact, after Traefik 2.4, we support the CRD method provided by kubernets gateway API [12] to create routing rules.

What is the Gateway API?

Gateway API [13] is an open source project managed by SIG-NETWORK community. It is a collection of resources for the Service network model in Kubernetes. These resources (GatewayClass, gateway, HTTPRoute, tcroute, Service) aim to develop Kubernetes Service network through expressive, extensible and role-oriented interfaces. These interfaces are implemented by many suppliers and have been widely supported by the industry.

image.png

  • Gateway class: gateway class is a cluster wide resource defined by the infrastructure provider. This resource represents the gateway class that can be instantiated. Generally, this resource is used to support multiple infrastructure providers. Here, we only need to deploy one.
  • Gateway: the lifecycle of gateway and infrastructure configuration is 1:1. When a user creates a gateway, the gateway class controller provides or configures some load balancing infrastructure.
  • HTTPRoute: HTTPRoute is a gateway API type that specifies the routing behavior of HTTP requests from gateway listeners to API objects (i.e. services).

Using the Gateway API

1. Install CRD for Gateway API

Traifik gateway provider only supports v0.3.0 (v1alpha1)

kubectl kustomize "github.com/kubernetes-sigs/gateway-api/config/crd?ref=v0.3.0" \
| kubectl apply -f -
2. Create rbac and authorize traefik
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gateway-role
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.x-k8s.io
    resources:
      - gatewayclasses
      - gateways
      - httproutes
      - tcproutes
      - tlsroutes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - networking.x-k8s.io
    resources:
      - gatewayclasses/status
      - gateways/status
      - httproutes/status
      - tcproutes/status
      - tlsroutes/status
    verbs:
      - update

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gateway-controller

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gateway-role
subjects:
  - kind: ServiceAccount
    name: traefik
    namespace: traefik-ingress 
2. Traefik enables gateway api support

Modify the my-value.yaml file as follows:

......
additionalArguments:
  - "--entryPoints.redis.address=:6379"
  - "--serversTransport.insecureSkipVerify=true"
  - "--api.insecure=true"
  - "--api.dashboard=true"
  - "--certificatesresolvers.coolops.acme.email=coolops@163.com"
  - "--certificatesresolvers.coolops.acme.storage=/data/acme.json"
  - "--certificatesresolvers.coolops.acme.httpchallenge=true"
  - "--certificatesresolvers.coolops.acme.httpchallenge.entrypoint=web"
  - "--experimental.kubernetesgateway"
  - "--providers.kubernetesgateway"

Update traifik with the following command:

helm upgrade traefik -n traefik-ingress -f my-value.yaml .
4. Expose the traefik dashboard application through the Gateway api
(1) , create GatewayClass
apiVersion: networking.x-k8s.io/v1alpha1
kind: GatewayClass
metadata:
  name: traefik
spec:
  controller: traefik.io/gateway-controller
(2) , create a gateway
apiVersion: networking.x-k8s.io/v1alpha1
kind: Gateway
metadata: 
  name: http-gateway
  namespace: traefik-ingress 
spec: 
  gatewayClassName: traefik
  listeners: 
    - protocol: HTTP
      port: 8000 
      routes: 
        kind: HTTPRoute
        namespaces:
          from: All
        selector:
          matchLabels:
            app: traefik
(3) , create HTTPRoute
apiVersion: networking.x-k8s.io/v1alpha1
kind: HTTPRoute
metadata:
  name: whoami-gateway-api-route 
  namespace: traefik-ingress
  labels:
    app: traefik
spec:
  hostnames:
    - "traefik1.coolops.cn"
  rules:
    - matches:
        - path:
            type: Prefix
            value: /
      forwardTo:
        - serviceName: traefik 
          port: 9000
          weight: 1
(4) Now you can access it directly in the browser

image.png

Only one Gateway class can be created in the cluster, and then the Gateway and HTTPRoute need to be corresponding.

For example, if I want to expose the whoami application under the default namespace here, YAML should be as follows:

apiVersion: networking.x-k8s.io/v1alpha1
kind: Gateway
metadata: 
  name: http-gateway
spec: 
  gatewayClassName: traefik
  listeners: 
    - protocol: HTTP
      port: 8000 
      routes: 
        kind: HTTPRoute
        namespaces:
          from: All
        selector:
          matchLabels:
            app: whoami
---
apiVersion: networking.x-k8s.io/v1alpha1
kind: HTTPRoute
metadata:
  name: whoami-gateway-api-route 
  labels:
    app: whoami 
spec:
  hostnames:
    - "whoami8.coolops.cn"
  rules:
    - matches:
        - path:
            type: Prefix
            value: /
      forwardTo:
        - serviceName: whoami 
          port: 80
          weight: 1

last

Traefik is a powerful edge gateway, which can basically meet the needs of most scenarios. In addition, there are tools such as Mesh, which are easy to use. Interested friends can learn from the official website [14], and are also welcome to communicate.

Finally, ask for attention. If you want to see more original articles, please pay attention to our official account, "operation and development story".

If my article is helpful to you, please also like, read and forward it. Your support will encourage me to output higher quality articles. Thank you very much!

You can also set my official account as "star sign", so that when the official account is updated, you will receive the push message at the first time, so that you will not miss my update.

Official account official account of migrant workers, cloud and native workers. There are not only hard core technology dry cargo, but also our thinking and understanding of technology. Welcome to pay attention to our public number and expect to grow with you!

quote

[1] https://doc.traefik.io/traefik/ [2] https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml [3] https://doc.traefik.io/traefik/providers/kubernetes-crd/ [4] https://github.com/traefik/whoami [5] https://letsencrypt.org/zh-cn/ [6] https://doc.traefik.io/traefik/https/acme/ [7] https://doc.traefik.io/traefik/https/acme/#tlschallenge [8] https://go-acme.github.io/lego/dns/alidns/ [9] https://doc.traefik.io/traefik/middlewares/http/overview/ [10] https://doc.traefik.io/traefik/routing/routers/#configuring-tcp-routers [11] https://doc.traefik.io/traefik/routing/services/#mirroring-service [12] https://doc.traefik.io/traefik/providers/kubernetes-gateway/ [13] https://gateway-api.sigs.k8s.io/ [14] https://traefik.io/

Posted by ryanyoungsma on Fri, 12 Nov 2021 01:12:49 -0800