Traefik
- Traefik is a cloud-hybrid reverse proxy and load balancer that makes deploying, configuring and integrating infrastructure components easy and automatic.
Install
- Docker Compose
- Create an acme.json file and mount it into the container, with its permissions set to chmod 600.
- Furthermore, there are two more files that you will have to configure and pass through before launching the Traefik container. We provide them in the #config section below.
- This is the Docker Compose file for Traefik.
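The permission step above is the one most often got wrong, so here is an added helper (not code from the page or from Traefik) that creates acme.json and verifies it is mode 0600 before the container starts. Traefik's ACME resolver writes issued certificates and their private keys into this file and refuses one whose permissions are more open than 600, so a check on the host catches the problem before it shows up in the container logs. The path is an assumption; the matching Compose mount would be `./acme.json:/acme.json`.

```shell
#!/bin/sh
# Added example, not from the page: prepare and verify Traefik's acme.json.
# The file holds the TLS private keys of every certificate Traefik obtains,
# which is why it must not be readable by anyone but the owner.

# Create the file if it is missing and force its permissions to 0600.
prepare_acme_file() {
  f="$1"
  [ -f "$f" ] || : > "$f"
  chmod 600 "$f"
}

# Return 0 when the file exists with mode 0600, 1 otherwise. ls is used instead
# of stat because stat's flags differ between GNU and BSD userlands.
check_acme_perms() {
  f="$1"
  [ -f "$f" ] || return 1
  mode=$(ls -ld "$f" | cut -c1-10)
  [ "$mode" = "-rw-------" ]
}

# Usage: sh acme-perms.sh ./acme.json   (path is an assumption; use your own)
# Run this before "docker compose up" so a bad mode is fixed on the host.
if [ $# -ge 1 ]; then
  prepare_acme_file "$1"
  if check_acme_perms "$1"; then
    echo "$1: ok (mode 0600)"
  else
    echo "$1: permissions are still wrong" >&2
    exit 1
  fi
fi
```

Mount the file read-write: Traefik appends new certificates and renewals to it, and an empty or missing file makes Traefik create a fresh store and re-issue everything, which burns through Let's Encrypt rate limits.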
Config
- Traefik.yml Example
- This is the primary config for our traefik.yml.
- Config.yml Router Example
- This is the router config for our reverse proxy. Written by Techno Tim originally and modified by our team.
Kubernetes
Patching Traefik on k3s cluster
We want to find the instance where Traefik is running. Running

```sh
sudo kubectl get all -o wide --all-namespaces
```

should display all your containers; look for traefik.

Patch:

```sh
sudo kubectl patch svc traefik -n kube-system -p '{"spec":{"externalTrafficPolicy":"Cluster"}}'
```

Standard output should be:

```
service/traefik patched
```
Helm Charts
```sh
helm repo add traefik https://helm.traefik.io/traefik
```

Success: standard output should be

```
"traefik" has been added to your repositories
```

```sh
helm repo update
```
Traefik Middleware for Kubernetes
- Middleware kind should be isolated for performance and security reasons.
- Auth - Kind: Middleware
- Example:

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: longhorn-auth
  namespace: longhorn-system
spec:
  basicAuth:
    secret: authsecret
```

- The middleware should be saved as a yaml / yml file and applied using kubectl.
- Auth - Kind: Ingress
- Calling the `longhorn-auth` middleware in the Ingress via annotations:
- Example:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: longhorn-ing-traefik
  namespace: longhorn-system
  annotations:
    externalTrafficPolicy: Local
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-longhorn-auth@kubernetescrd
    ingress.kubernetes.io/whitelist-x-forwarded-for: "true"
spec:
  rules:
    - host: "x.kbve.com"
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: longhorn-service-provider
                port:
                  number: 8000
```

In our PoC above, we see that the middleware is referenced as:

```
traefik.ingress.kubernetes.io/router.middlewares: longhorn-system-longhorn-auth@kubernetescrd
```

It's important to note the namespace of the middleware, `longhorn-system`, before calling the middleware's name. This is to let the CRD provider know where the middleware is located.
Notes
According to the notes on Traefik & Kubernetes, we first need to install the Resource Definitions and RBAC into the cluster with kubectl by running the following commands:

```sh
# Install Traefik Resource Definitions:
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.8/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
# Install RBAC for Traefik:
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.8/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
```
After this installation, we'll have a set of Custom Resource Definitions which should have the following benefits:
- The usage of `name` and `namespace` to refer to another Kubernetes resource.
- The usage of secret for sensitive data (TLS certificates and credentials).
- The structure of the configuration.
- The requirement to declare all the definitions.
See the list of CRDs in the dedicated routing section.
The biggest thing we need from this is the ability to add the BasicAuth plugin. This plugin (which is what we tried to reference before with the `auth@file` line) uses an htpasswd password to block incoming traffic to the pod. This will require setting up an IngressRoute (which is a specific Kubernetes resource added by the Traefik Resource Definitions) with settings to specify what the middlewares are. Find more info on the Traefik Middlewares here.
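As an added example (not the page's or Traefik's own code), the script below renders the objects the basicAuth setup needs and serves both the Middleware/Ingress example in the section above and the IngressRoute these notes call for: the htpasswd Secret that `basicAuth.secret` points at (which the page references but never shows), the Middleware, the annotation value for a plain Ingress, and the CRD-native IngressRoute that refers to the Middleware by `name` and `namespace` fields. It also checks that an annotation value carries the `<namespace>-<name>@kubernetescrd` prefix the text warns about, since a reference that omits the namespace names a Middleware that does not exist and leaves the router unprotected. The namespace, middleware and secret names are the page's longhorn values; the entrypoint `websecure`, the IngressRoute name, the host, service, user and password are assumptions. It needs `openssl` for the hash, and `kubectl` only when you pipe its output.

```shell
#!/bin/sh
# Added example, not from the page: render Secret, Middleware, IngressRoute and
# the Ingress annotation for a Traefik basicAuth middleware, plus a reference check.

# The kubernetescrd provider exposes a Middleware to Ingress annotations as
# "<namespace>-<name>@kubernetescrd".
middleware_ref() { printf '%s-%s@kubernetescrd' "$1" "$2"; }

# 0 when $1 is exactly the reference for Middleware $3 in namespace $2, else 1.
check_middleware_ref() { [ "$1" = "$(middleware_ref "$2" "$3")" ]; }

# One htpasswd line ("user:$apr1$...") in the format Traefik's basicAuth reads.
# openssl is used so apache2-utils is not needed on the admin host.
htpasswd_line() { printf '%s:%s' "$1" "$(openssl passwd -apr1 "$2")"; }

# The Secret the Middleware's basicAuth.secret points at. Traefik reads the
# htpasswd entries from the "users" key; stringData avoids manual base64.
# $1 namespace, $2 secret name, $3 a single htpasswd line.
render_auth_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $2
  namespace: $1
type: Opaque
stringData:
  users: |
    $3
EOF
}

# The Middleware from the page, parameterised: $1 namespace, $2 name, $3 secret.
render_middleware() {
  cat <<EOF
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: $2
  namespace: $1
spec:
  basicAuth:
    secret: $3
EOF
}

# Annotation line for the plain Ingress form (the page's Kind: Ingress example).
render_ingress_annotation() {
  printf 'traefik.ingress.kubernetes.io/router.middlewares: %s\n' "$(middleware_ref "$1" "$2")"
}

# The CRD-native alternative: an IngressRoute refers to the Middleware by name
# and namespace fields instead of the "<ns>-<name>@kubernetescrd" string.
# $1 namespace, $2 middleware, $3 host, $4 service, $5 port.
# The entrypoint name "websecure" and the object name are assumptions.
render_ingressroute() {
  cat <<EOF
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: longhorn-ingressroute
  namespace: $1
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(\`$3\`)
      kind: Rule
      middlewares:
        - name: $2
          namespace: $1
      services:
        - name: $4
          port: $5
EOF
}

# "sh traefik-auth.sh demo" prints Secret, Middleware and IngressRoute as one
# multi-document stream: sh traefik-auth.sh demo | kubectl apply -f -
# (replace the sample password first). The Ingress annotation goes to stderr.
if [ "${1:-}" = "demo" ]; then
  ns=longhorn-system; mw=longhorn-auth; secret=authsecret
  render_auth_secret "$ns" "$secret" "$(htpasswd_line admin 'change-me')"
  printf -- '---\n'
  render_middleware "$ns" "$mw" "$secret"
  printf -- '---\n'
  render_ingressroute "$ns" "$mw" x.kbve.com longhorn-service-provider 8000
  printf 'Ingress annotation: %s\n' "$(render_ingress_annotation "$ns" "$mw")" >&2
fi
```

The Secret, Middleware and IngressRoute all live in the same namespace on purpose: the Middleware can only read a Secret in its own namespace, and an IngressRoute that omits `middlewares[].namespace` defaults to its own, so keeping the three together avoids a silent mismatch.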
Cloudflare
These are notes on integrating Cloudflare with Traefik, including automating some of the actions so that you may not have to repeat them.
Acme Docs
Access the API Tokens directly from your Cloudflare Profile.
Common environment variable names and their purpose:
- `CF_API_EMAIL` - The Cloudflare account holder's email.
- `CF_API_KEY` - The Cloudflare API key.
- `CF_DNS_API_TOKEN` - The API token with DNS:Edit permission.
- `CF_ZONE_API_TOKEN` - The API token with Zone:Read permission.
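The variables above come in two families, and which one Traefik ends up using matters: `CF_DNS_API_TOKEN` (optionally paired with `CF_ZONE_API_TOKEN`) is a scoped token that can only touch DNS records, while `CF_API_EMAIL` plus `CF_API_KEY` is the global API key with full account access. As an added example (not from the page or from Traefik), the preflight check below reports which mode the environment selects, fails when nothing usable is set, and warns when the global key is in play so it can be replaced with a scoped token. The functions take arguments rather than reading the environment directly so the logic is testable; `cf_auth_mode_from_env` is the wrapper that reads the real `CF_*` variables. The variable names are the page's; the precedence (token first, then email and key) is an assumption that matches how the ACME DNS provider behaves.

```shell
#!/bin/sh
# Added example, not from the page: preflight check for the Cloudflare
# credentials Traefik's ACME DNS challenge takes from the environment.

# Arguments: dns_token zone_token email global_key.
# Prints "token", "token+zone", "global-key" or "none".
cf_auth_mode() {
  dns="$1"; zone="$2"; email="$3"; key="$4"
  if [ -n "$dns" ]; then
    # With a separate Zone:Read token the DNS token can be limited to DNS:Edit.
    if [ -n "$zone" ]; then echo "token+zone"; else echo "token"; fi
  elif [ -n "$email" ] && [ -n "$key" ]; then
    echo "global-key"
  else
    echo "none"
  fi
}

# Same decision, fed from the CF_* variables the page lists.
cf_auth_mode_from_env() {
  cf_auth_mode "${CF_DNS_API_TOKEN:-}" "${CF_ZONE_API_TOKEN:-}" "${CF_API_EMAIL:-}" "${CF_API_KEY:-}"
}

# Exit non-zero before starting Traefik when nothing usable is set; warn when
# the global key is in use, since it grants far more than the DNS edits needed.
cf_preflight() {
  mode=$(cf_auth_mode_from_env)
  case "$mode" in
    none)       echo "no Cloudflare credentials in environment" >&2; return 1 ;;
    global-key) echo "warning: using global CF_API_KEY; prefer CF_DNS_API_TOKEN" >&2 ;;
  esac
  echo "cloudflare auth mode: $mode"
}

# Usage: source the file (". ./cf-preflight.sh") and run "cf_preflight" in the
# script that launches Traefik, or call it directly with "sh cf-preflight.sh check".
if [ "${1:-}" = "check" ]; then
  cf_preflight
fi
```

Keeping the variables in a `.env` file that Compose reads (and out of the compose file itself) is what makes the "automate so you don't repeat it" part safe to commit: the token values stay on the host.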