我的书签
添加书签
移除书签Traefik & CRD & Let’s Encrypt
Traefik with an IngressRoute Custom Resource Definition for Kubernetes, and TLS Through Let’s Encrypt.
This document is intended to be a fully working example demonstrating how to set up Traefik in Kubernetes, with the dynamic configuration coming from the IngressRoute Custom Resource, and TLS setup with Let’s Encrypt. However, for the sake of simplicity, we’re using k3s docker image for the Kubernetes cluster setup.
Please note that for this setup, given that we’re going to use ACME’s TLS-ALPN-01 challenge, the host you’ll be running it on must be able to receive connections from the outside on port 443. And of course its internet facing IP address must match the domain name you intend to use.
In the following, the Kubernetes resources defined in YAML configuration files can be applied to the setup in two different ways:
- the first, and usual way, is simply with the
kubectl applycommand. - the second, which can be used for this tutorial, is to directly place the files in the directory used by the k3s docker image for such inputs (
/var/lib/rancher/k3s/server/manifests).
Kubectl Version
With the rancher/k3s version used in this guide (0.8.0), the kubectl version needs to be >= 1.11.
k3s Docker-compose Configuration
Our starting point is the docker-compose configuration file, to start the k3s cluster. You can start it with:
docker-compose -f k3s.yml up
server:image: rancher/k3s:v1.17.2-k3s1command: server --disable-agent --no-deploy traefikenvironment:- K3S_CLUSTER_SECRET=somethingtotallyrandom- K3S_KUBECONFIG_OUTPUT=/output/kubeconfig.yaml- K3S_KUBECONFIG_MODE=666volumes:# k3s will generate a kubeconfig.yaml in this directory. This volume is mounted# on your host, so you can then 'export KUBECONFIG=/somewhere/on/your/host/out/kubeconfig.yaml',# in order for your kubectl commands to work.- /somewhere/on/your/host/out:/output# This directory is where you put all the (yaml) configuration files of# the Kubernetes resources.- /somewhere/on/your/host/in:/var/lib/rancher/k3s/server/manifestsports:- 6443:6443node:image: rancher/k3s:v1.17.2-k3s1privileged: truelinks:- serverenvironment:- K3S_URL=https://server:6443- K3S_CLUSTER_SECRET=somethingtotallyrandomvolumes:# this is where you would place a alternative traefik image (saved as a .tar file with# 'docker save'), if you want to use it, instead of the traefik:v2.5 image.- /sowewhere/on/your/host/custom-image:/var/lib/rancher/k3s/agent/images
Cluster Resources
Let’s now have a look (in the order they should be applied, if using kubectl apply) at all the required resources for the full setup.
IngressRoute Definition
First, the definition of the IngressRoute and the Middleware kinds. Also note the RBAC authorization resources; they’ll be referenced through the serviceAccountName of the deployment, later on.
---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: ingressroutes.traefik.containo.usspec:group: traefik.containo.usnames:kind: IngressRoutelistKind: IngressRouteListplural: ingressroutessingular: ingressroutescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: IngressRoute is an Ingress CRD specification.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: IngressRouteSpec is a specification for a IngressRouteSpecresource.properties:entryPoints:items:type: stringtype: arrayroutes:items:description: Route contains the set of routes.properties:kind:enum:- Ruletype: stringmatch:type: stringmiddlewares:items:description: MiddlewareRef is a ref to the Middleware resources.properties:name:type: stringnamespace:type: stringrequired:- nametype: objecttype: arraypriority:type: integerservices:items:description: Service defines an upstream to proxy traffic.properties:kind:enum:- Service- TraefikServicetype: stringname:description: Name is a reference to a Kubernetes Serviceobject (for a load-balancer of servers), or to a TraefikServiceobject (service load-balancer, mirroring, etc). Thedifferentiation between the two is specified in theKind field.type: stringnamespace:type: stringpassHostHeader:type: booleanport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding holds configuration forthe forward of the response.properties:flushInterval:type: stringtype: objectscheme:type: stringserversTransport:type: stringsticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configurationbased on cookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objectstrategy:type: stringweight:description: Weight should only be specified when Namereferences a TraefikService object (and to be precise,one that embeds a Weighted Round Robin).type: integerrequired:- nametype: objecttype: arrayrequired:- kind- matchtype: objecttype: arraytls:description: "TLS contains the TLS certificates configuration of theroutes. To enable Let's Encrypt, use an empty TLS struct, e.g. inYAML: \n \t tls: {} # inline format \n \t tls: \t secretName:# block format"properties:certResolver:type: stringdomains:items:description: Domain holds a domain name with SANs.properties:main:type: stringsans:items:type: stringtype: arraytype: objecttype: arrayoptions:description: Options is a reference to a TLSOption, that specifiesthe parameters of the TLS connection.properties:name:type: stringnamespace:type: stringrequired:- nametype: objectsecretName:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.type: stringstore:description: Store is a reference to a TLSStore, that specifiesthe parameters of the TLS store.properties:name:type: stringnamespace:type: stringrequired:- nametype: objecttype: objectrequired:- routestype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: ingressroutetcps.traefik.containo.usspec:group: traefik.containo.usnames:kind: IngressRouteTCPlistKind: IngressRouteTCPListplural: ingressroutetcpssingular: ingressroutetcpscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: IngressRouteTCP is an Ingress CRD specification.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: IngressRouteTCPSpec is a specification for a IngressRouteTCPSpecresource.properties:entryPoints:items:type: stringtype: arrayroutes:items:description: RouteTCP contains the set of routes.properties:match:type: stringmiddlewares:description: Middlewares contains references to MiddlewareTCPresources.items:description: ObjectReference is a generic reference to a Traefikresource.properties:name:type: stringnamespace:type: stringrequired:- nametype: objecttype: arrayservices:items:description: ServiceTCP defines an upstream to proxy traffic.properties:name:type: stringnamespace:type: stringport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueproxyProtocol:description: ProxyProtocol holds the ProxyProtocol configuration.properties:version:type: integertype: objectterminationDelay:type: integerweight:type: integerrequired:- name- porttype: objecttype: arrayrequired:- matchtype: objecttype: arraytls:description: "TLSTCP contains the TLS certificates configuration ofthe routes. To enable Let's Encrypt, use an empty TLS struct, e.g.in YAML: \n \t tls: {} # inline format \n \t tls: \t secretName:# block format"properties:certResolver:type: stringdomains:items:description: Domain holds a domain name with SANs.properties:main:type: stringsans:items:type: stringtype: arraytype: objecttype: arrayoptions:description: Options is a reference to a TLSOption, that specifiesthe parameters of the TLS connection.properties:name:type: stringnamespace:type: stringrequired:- nametype: objectpassthrough:type: booleansecretName:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.type: stringstore:description: Store is a reference to a TLSStore, that specifiesthe parameters of the TLS store.properties:name:type: stringnamespace:type: stringrequired:- nametype: objecttype: objectrequired:- routestype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: ingressrouteudps.traefik.containo.usspec:group: traefik.containo.usnames:kind: IngressRouteUDPlistKind: IngressRouteUDPListplural: ingressrouteudpssingular: ingressrouteudpscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: IngressRouteUDP is an Ingress CRD specification.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: IngressRouteUDPSpec is a specification for a IngressRouteUDPSpecresource.properties:entryPoints:items:type: stringtype: arrayroutes:items:description: RouteUDP contains the set of routes.properties:services:items:description: ServiceUDP defines an upstream to proxy traffic.properties:name:type: stringnamespace:type: stringport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueweight:type: integerrequired:- name- porttype: objecttype: arraytype: objecttype: arrayrequired:- routestype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: middlewares.traefik.containo.usspec:group: traefik.containo.usnames:kind: MiddlewarelistKind: MiddlewareListplural: middlewaressingular: middlewarescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: Middleware is a specification for a Middleware resource.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: MiddlewareSpec holds the Middleware configuration.properties:addPrefix:description: AddPrefix holds the AddPrefix configuration.properties:prefix:type: stringtype: objectbasicAuth:description: BasicAuth holds the HTTP basic authentication configuration.properties:headerField:type: stringrealm:type: stringremoveHeader:type: booleansecret:type: stringtype: objectbuffering:description: Buffering holds the request/response buffering configuration.properties:maxRequestBodyBytes:format: int64type: integermaxResponseBodyBytes:format: int64type: integermemRequestBodyBytes:format: int64type: integermemResponseBodyBytes:format: int64type: integerretryExpression:type: stringtype: objectchain:description: Chain holds a chain of middlewares.properties:middlewares:items:description: MiddlewareRef is a ref to the Middleware resources.properties:name:type: stringnamespace:type: stringrequired:- nametype: objecttype: arraytype: objectcircuitBreaker:description: CircuitBreaker holds the circuit breaker configuration.properties:expression:type: stringtype: objectcompress:description: Compress holds the compress configuration.properties:excludedContentTypes:items:type: stringtype: arraytype: objectcontentType:description: ContentType middleware - or rather its unique `autoDetect`option - specifies whether to let the `Content-Type` header, ifit has not been set by the backend, be automatically set to a valuederived from the contents of the response. As a proxy, the defaultbehavior should be to leave the header alone, regardless of whatthe backend did with it. However, the historic default was to alwaysauto-detect and set the header if it was nil, and it is going tobe kept that way in order to support users currently relying onit. This middleware exists to enable the correct behavior untilat least the default one can be changed in a future version.properties:autoDetect:type: booleantype: objectdigestAuth:description: DigestAuth holds the Digest HTTP authentication configuration.properties:headerField:type: stringrealm:type: stringremoveHeader:type: booleansecret:type: stringtype: objecterrors:description: ErrorPage holds the custom error page configuration.properties:query:type: stringservice:description: Service defines an upstream to proxy traffic.properties:kind:enum:- Service- TraefikServicetype: stringname:description: Name is a reference to a Kubernetes Service object(for a load-balancer of servers), or to a TraefikServiceobject (service load-balancer, mirroring, etc). The differentiationbetween the two is specified in the Kind field.type: stringnamespace:type: stringpassHostHeader:type: booleanport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding holds configuration for theforward of the response.properties:flushInterval:type: stringtype: objectscheme:type: stringserversTransport:type: stringsticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configuration basedon cookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objectstrategy:type: stringweight:description: Weight should only be specified when Name referencesa TraefikService object (and to be precise, one that embedsa Weighted Round Robin).type: integerrequired:- nametype: objectstatus:items:type: stringtype: arraytype: objectforwardAuth:description: ForwardAuth holds the http forward authentication configuration.properties:address:type: stringauthRequestHeaders:items:type: stringtype: arrayauthResponseHeaders:items:type: stringtype: arrayauthResponseHeadersRegex:type: stringtls:description: ClientTLS holds TLS specific configurations as client.properties:caOptional:type: booleancaSecret:type: stringcertSecret:type: stringinsecureSkipVerify:type: booleantype: objecttrustForwardHeader:type: booleantype: objectheaders:description: Headers holds the custom header configuration.properties:accessControlAllowCredentials:description: AccessControlAllowCredentials is only valid if true.false is ignored.type: booleanaccessControlAllowHeaders:description: AccessControlAllowHeaders must be used in responseto a preflight request with Access-Control-Request-Headers set.items:type: stringtype: arrayaccessControlAllowMethods:description: AccessControlAllowMethods must be used in responseto a preflight request with Access-Control-Request-Method set.items:type: stringtype: arrayaccessControlAllowOriginList:description: AccessControlAllowOriginList is a list of allowableorigins. Can also be a wildcard origin "*".items:type: stringtype: arrayaccessControlAllowOriginListRegex:description: AccessControlAllowOriginListRegex is a list of allowableorigins written following the Regular Expression syntax (https://golang.org/pkg/regexp/).items:type: stringtype: arrayaccessControlExposeHeaders:description: AccessControlExposeHeaders sets valid headers forthe response.items:type: stringtype: arrayaccessControlMaxAge:description: AccessControlMaxAge sets the time that a preflightrequest may be cached.format: int64type: integeraddVaryHeader:description: AddVaryHeader controls if the Vary header is automaticallyadded/updated when the AccessControlAllowOriginList is set.type: booleanallowedHosts:items:type: stringtype: arraybrowserXssFilter:type: booleancontentSecurityPolicy:type: stringcontentTypeNosniff:type: booleancustomBrowserXSSValue:type: stringcustomFrameOptionsValue:type: stringcustomRequestHeaders:additionalProperties:type: stringtype: objectcustomResponseHeaders:additionalProperties:type: stringtype: objectfeaturePolicy:description: 'Deprecated: use PermissionsPolicy instead.'type: stringforceSTSHeader:type: booleanframeDeny:type: booleanhostsProxyHeaders:items:type: stringtype: arrayisDevelopment:type: booleanpermissionsPolicy:type: stringpublicKey:type: stringreferrerPolicy:type: stringsslForceHost:description: 'Deprecated: use RedirectRegex instead.'type: booleansslHost:description: 'Deprecated: use RedirectRegex instead.'type: stringsslProxyHeaders:additionalProperties:type: stringtype: objectsslRedirect:description: 'Deprecated: use EntryPoint redirection or RedirectSchemeinstead.'type: booleansslTemporaryRedirect:description: 'Deprecated: use EntryPoint redirection or RedirectSchemeinstead.'type: booleanstsIncludeSubdomains:type: booleanstsPreload:type: booleanstsSeconds:format: int64type: integertype: objectinFlightReq:description: InFlightReq limits the number of requests being processedand served concurrently.properties:amount:format: int64type: integersourceCriterion:description: SourceCriterion defines what criterion is used togroup requests as originating from a common source. If noneare set, the default is to use the request's remote addressfield. All fields are mutually exclusive.properties:ipStrategy:description: IPStrategy holds the ip strategy configuration.properties:depth:type: integerexcludedIPs:items:type: stringtype: arraytype: objectrequestHeaderName:type: stringrequestHost:type: booleantype: objecttype: objectipWhiteList:description: IPWhiteList holds the ip white list configuration.properties:ipStrategy:description: IPStrategy holds the ip strategy configuration.properties:depth:type: integerexcludedIPs:items:type: stringtype: arraytype: objectsourceRange:items:type: stringtype: arraytype: objectpassTLSClientCert:description: PassTLSClientCert holds the TLS client cert headers configuration.properties:info:description: TLSClientCertificateInfo holds the client TLS certificateinfo configuration.properties:issuer:description: TLSCLientCertificateDNInfo holds the client TLScertificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739properties:commonName:type: booleancountry:type: booleandomainComponent:type: booleanlocality:type: booleanorganization:type: booleanprovince:type: booleanserialNumber:type: booleantype: objectnotAfter:type: booleannotBefore:type: booleansans:type: booleanserialNumber:type: booleansubject:description: TLSCLientCertificateDNInfo holds the client TLScertificate distinguished name info configuration. cf https://tools.ietf.org/html/rfc3739properties:commonName:type: booleancountry:type: booleandomainComponent:type: booleanlocality:type: booleanorganization:type: booleanprovince:type: booleanserialNumber:type: booleantype: objecttype: objectpem:type: booleantype: objectplugin:additionalProperties:x-kubernetes-preserve-unknown-fields: truetype: objectrateLimit:description: RateLimit holds the rate limiting configuration for agiven router.properties:average:format: int64type: integerburst:format: int64type: integerperiod:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: truesourceCriterion:description: SourceCriterion defines what criterion is used togroup requests as originating from a common source. If noneare set, the default is to use the request's remote addressfield. All fields are mutually exclusive.properties:ipStrategy:description: IPStrategy holds the ip strategy configuration.properties:depth:type: integerexcludedIPs:items:type: stringtype: arraytype: objectrequestHeaderName:type: stringrequestHost:type: booleantype: objecttype: objectredirectRegex:description: RedirectRegex holds the redirection configuration.properties:permanent:type: booleanregex:type: stringreplacement:type: stringtype: objectredirectScheme:description: RedirectScheme holds the scheme redirection configuration.properties:permanent:type: booleanport:type: stringscheme:type: stringtype: objectreplacePath:description: ReplacePath holds the ReplacePath configuration.properties:path:type: stringtype: objectreplacePathRegex:description: ReplacePathRegex holds the ReplacePathRegex configuration.properties:regex:type: stringreplacement:type: stringtype: objectretry:description: Retry holds the retry configuration.properties:attempts:type: integerinitialInterval:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: truetype: objectstripPrefix:description: StripPrefix holds the StripPrefix configuration.properties:forceSlash:type: booleanprefixes:items:type: stringtype: arraytype: objectstripPrefixRegex:description: StripPrefixRegex holds the StripPrefixRegex configuration.properties:regex:items:type: stringtype: arraytype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: middlewaretcps.traefik.containo.usspec:group: traefik.containo.usnames:kind: MiddlewareTCPlistKind: MiddlewareTCPListplural: middlewaretcpssingular: middlewaretcpscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: MiddlewareTCP is a specification for a MiddlewareTCP resource.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: MiddlewareTCPSpec holds the MiddlewareTCP configuration.properties:ipWhiteList:description: TCPIPWhiteList holds the TCP ip white list configuration.properties:sourceRange:items:type: stringtype: arraytype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: serverstransports.traefik.containo.usspec:group: traefik.containo.usnames:kind: ServersTransportlistKind: ServersTransportListplural: serverstransportssingular: serverstransportscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: ServersTransport is a specification for a ServersTransport resource.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: ServersTransportSpec options to configure communication betweenTraefik and the servers.properties:certificatesSecrets:description: Certificates for mTLS.items:type: stringtype: arraydisableHTTP2:description: Disable HTTP/2 for connections with backend servers.type: booleanforwardingTimeouts:description: Timeouts for requests forwarded to the backend servers.properties:dialTimeout:anyOf:- type: integer- type: stringdescription: The amount of time to wait until a connection toa backend server can be established. If zero, no timeout exists.x-kubernetes-int-or-string: trueidleConnTimeout:anyOf:- type: integer- type: stringdescription: The maximum period for which an idle HTTP keep-aliveconnection will remain open before closing itself.x-kubernetes-int-or-string: trueresponseHeaderTimeout:anyOf:- type: integer- type: stringdescription: The amount of time to wait for a server's responseheaders after fully writing the request (including its body,if any). If zero, no timeout exists.x-kubernetes-int-or-string: truetype: objectinsecureSkipVerify:description: Disable SSL certificate verification.type: booleanmaxIdleConnsPerHost:description: If non-zero, controls the maximum idle (keep-alive) tokeep per-host. If zero, DefaultMaxIdleConnsPerHost is used.type: integerpeerCertURI:description: URI used to match against SAN URI during the peer certificateverification.type: stringrootCAsSecrets:description: Add cert file for self-signed certificate.items:type: stringtype: arrayserverName:description: ServerName used to contact the server.type: stringtype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: tlsoptions.traefik.containo.usspec:group: traefik.containo.usnames:kind: TLSOptionlistKind: TLSOptionListplural: tlsoptionssingular: tlsoptionscope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: TLSOption is a specification for a TLSOption resource.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: TLSOptionSpec configures TLS for an entry point.properties:alpnProtocols:items:type: stringtype: arraycipherSuites:items:type: stringtype: arrayclientAuth:description: ClientAuth defines the parameters of the client authenticationpart of the TLS connection, if any.properties:clientAuthType:description: ClientAuthType defines the client authenticationtype to apply.enum:- NoClientCert- RequestClientCert- VerifyClientCertIfGiven- RequireAndVerifyClientCerttype: stringsecretNames:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.items:type: stringtype: arraytype: objectcurvePreferences:items:type: stringtype: arraymaxVersion:type: stringminVersion:type: stringpreferServerCipherSuites:type: booleansniStrict:type: booleantype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: tlsstores.traefik.containo.usspec:group: traefik.containo.usnames:kind: TLSStorelistKind: TLSStoreListplural: tlsstoressingular: tlsstorescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: TLSStore is a specification for a TLSStore resource.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: TLSStoreSpec configures a TLSStore resource.properties:defaultCertificate:description: DefaultCertificate holds a secret name for the TLSOptionresource.properties:secretName:description: SecretName is the name of the referenced KubernetesSecret to specify the certificate details.type: stringrequired:- secretNametype: objectrequired:- defaultCertificatetype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---apiVersion: apiextensions.k8s.io/v1kind: CustomResourceDefinitionmetadata:annotations:controller-gen.kubebuilder.io/version: v0.4.1creationTimestamp: nullname: traefikservices.traefik.containo.usspec:group: traefik.containo.usnames:kind: TraefikServicelistKind: TraefikServiceListplural: traefikservicessingular: traefikservicescope: Namespacedversions:- name: v1alpha1schema:openAPIV3Schema:description: TraefikService is the specification for a service (that an IngressRouterefers to) that is usually not a terminal service (i.e. not a pod of servers),as opposed to a Kubernetes Service. That is to say, it usually refers toother (children) services, which themselves can be TraefikServices or Services.properties:apiVersion:description: 'APIVersion defines the versioned schema of this representationof an object. Servers should convert recognized schemas to the latestinternal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'type: stringkind:description: 'Kind is a string value representing the REST resource thisobject represents. Servers may infer this from the endpoint the clientsubmits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'type: stringmetadata:type: objectspec:description: ServiceSpec defines whether a TraefikService is a load-balancerof services or a mirroring service.properties:mirroring:description: Mirroring defines a mirroring service, which is composedof a main load-balancer, and a list of mirrors.properties:kind:enum:- Service- TraefikServicetype: stringmaxBodySize:format: int64type: integermirrors:items:description: MirrorService defines one of the mirrors of a Mirroringservice.properties:kind:enum:- Service- TraefikServicetype: stringname:description: Name is a reference to a Kubernetes Serviceobject (for a load-balancer of servers), or to a TraefikServiceobject (service load-balancer, mirroring, etc). The differentiationbetween the two is specified in the Kind field.type: stringnamespace:type: stringpassHostHeader:type: booleanpercent:type: integerport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding holds configuration forthe forward of the response.properties:flushInterval:type: stringtype: objectscheme:type: stringserversTransport:type: stringsticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configuration basedon cookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objectstrategy:type: stringweight:description: Weight should only be specified when Name referencesa TraefikService object (and to be precise, one that embedsa Weighted Round Robin).type: integerrequired:- nametype: objecttype: arrayname:description: Name is a reference to a Kubernetes Service object(for a load-balancer of servers), or to a TraefikService object(service load-balancer, mirroring, etc). The differentiationbetween the two is specified in the Kind field.type: stringnamespace:type: stringpassHostHeader:type: booleanport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding holds configuration for the forwardof the response.properties:flushInterval:type: stringtype: objectscheme:type: stringserversTransport:type: stringsticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configuration based oncookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objectstrategy:type: stringweight:description: Weight should only be specified when Name referencesa TraefikService object (and to be precise, one that embedsa Weighted Round Robin).type: integerrequired:- nametype: objectweighted:description: WeightedRoundRobin defines a load-balancer of services.properties:services:items:description: Service defines an upstream to proxy traffic.properties:kind:enum:- Service- TraefikServicetype: stringname:description: Name is a reference to a Kubernetes Serviceobject (for a load-balancer of servers), or to a TraefikServiceobject (service load-balancer, mirroring, etc). The differentiationbetween the two is specified in the Kind field.type: stringnamespace:type: stringpassHostHeader:type: booleanport:anyOf:- type: integer- type: stringx-kubernetes-int-or-string: trueresponseForwarding:description: ResponseForwarding holds configuration forthe forward of the response.properties:flushInterval:type: stringtype: objectscheme:type: stringserversTransport:type: stringsticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configuration basedon cookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objectstrategy:type: stringweight:description: Weight should only be specified when Name referencesa TraefikService object (and to be precise, one that embedsa Weighted Round Robin).type: integerrequired:- nametype: objecttype: arraysticky:description: Sticky holds the sticky configuration.properties:cookie:description: Cookie holds the sticky configuration based oncookie.properties:httpOnly:type: booleanname:type: stringsameSite:type: stringsecure:type: booleantype: objecttype: objecttype: objecttype: objectrequired:- metadata- spectype: objectserved: truestorage: truestatus:acceptedNames:kind: ""plural: ""conditions: []storedVersions: []---kind: ClusterRoleapiVersion: rbac.authorization.k8s.io/v1beta1metadata:name: traefik-ingress-controllerrules:- apiGroups:- ""resources:- services- endpoints- secretsverbs:- get- list- watch- apiGroups:- extensions- networking.k8s.ioresources:- ingresses- ingressclassesverbs:- get- list- watch- apiGroups:- extensionsresources:- ingresses/statusverbs:- update- apiGroups:- traefik.containo.usresources:- middlewares- middlewaretcps- ingressroutes- traefikservices- ingressroutetcps- ingressrouteudps- tlsoptions- tlsstores- serverstransportsverbs:- get- list- watch---kind: ClusterRoleBindingapiVersion: rbac.authorization.k8s.io/v1beta1metadata:name: traefik-ingress-controllerroleRef:apiGroup: rbac.authorization.k8s.iokind: ClusterRolename: traefik-ingress-controllersubjects:- kind: ServiceAccountname: traefik-ingress-controllernamespace: default
Services
Then, the services. One for Traefik itself, and one for the app it routes for, i.e. in this case our demo HTTP server: whoami.
apiVersion: v1kind: Servicemetadata:name: traefikspec:ports:- protocol: TCPname: webport: 8000- protocol: TCPname: adminport: 8080- protocol: TCPname: websecureport: 4443selector:app: traefik---apiVersion: v1kind: Servicemetadata:name: whoamispec:ports:- protocol: TCPname: webport: 80selector:app: whoami
Deployments
Next, the deployments, i.e. the actual pods behind the services. Again, one pod for Traefik, and one for the whoami app.
apiVersion: v1kind: ServiceAccountmetadata:namespace: defaultname: traefik-ingress-controller---kind: DeploymentapiVersion: apps/v1metadata:namespace: defaultname: traefiklabels:app: traefikspec:replicas: 1selector:matchLabels:app: traefiktemplate:metadata:labels:app: traefikspec:serviceAccountName: traefik-ingress-controllercontainers:- name: traefikimage: traefik:v2.5args:- --api.insecure- --accesslog- --entrypoints.web.Address=:8000- --entrypoints.websecure.Address=:4443- --providers.kubernetescrd- --certificatesresolvers.myresolver.acme.tlschallenge- --certificatesresolvers.myresolver.acme.email=foo@you.com- --certificatesresolvers.myresolver.acme.storage=acme.json# Please note that this is the staging Let's Encrypt server.# Once you get things working, you should remove that whole line altogether.- --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directoryports:- name: webcontainerPort: 8000- name: websecurecontainerPort: 4443- name: admincontainerPort: 8080---kind: DeploymentapiVersion: apps/v1metadata:namespace: defaultname: whoamilabels:app: whoamispec:replicas: 2selector:matchLabels:app: whoamitemplate:metadata:labels:app: whoamispec:containers:- name: whoamiimage: traefik/whoamiports:- name: webcontainerPort: 80
Port Forwarding
Now, as an exception to what we said above, please note that you should not let the ingressRoute resources below be applied automatically to your cluster. The reason is, as soon as the ACME provider of Traefik detects we have TLS routers, it will try to generate the certificates for the corresponding domains. And this will not work, because as it is, our Traefik pod is not reachable from the outside, which will make the ACME TLS challenge fail. Therefore, for the whole thing to work, we must delay applying the ingressRoute resources until we have port-forwarding set up properly, which is the next step.
kubectl port-forward --address 0.0.0.0 service/traefik 8000:8000 8080:8080 443:4443 -n default
Also, and this is out of the scope if this guide, please note that because of the privileged ports limitation on Linux, the above command might fail to listen on port 443. In which case you can use tricks such as elevating caps of kubectl with setcaps, or using authbind, or setting up a NAT between your host and the WAN. Look it up.
Traefik Routers
We can now finally apply the actual ingressRoutes, with:
kubectl apply -f 04-ingressroutes.yml
apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: simpleingressroutenamespace: defaultspec:entryPoints:- webroutes:- match: Host(`your.example.com`) && PathPrefix(`/notls`)kind: Ruleservices:- name: whoamiport: 80---apiVersion: traefik.containo.us/v1alpha1kind: IngressRoutemetadata:name: ingressroutetlsnamespace: defaultspec:entryPoints:- websecureroutes:- match: Host(`your.example.com`) && PathPrefix(`/tls`)kind: Ruleservices:- name: whoamiport: 80tls:certResolver: myresolver
Give it a few seconds for the ACME TLS challenge to complete, and you should then be able to access your whoami pod (routed through Traefik), from the outside. Both with or (just for fun, do not do that in production) without TLS:
curl [-k] https://your.example.com/tls
curl http://your.example.com:8000/notls
Note that you’ll have to use -k as long as you’re using the staging server of Let’s Encrypt, since it is not an authorized certificate authority on systems where it hasn’t been manually added.
