The following configuration is working properly to establish communication with a web service over HTTP (client -> traefik edge router -> HTTP web service (ExternalName service)). In this scenario I chose the service of type ExternalName as my backend because it was the easiest way to achieve it, and it's working really well.
###################################################################################
# MIDDLEWARE
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-core-service-soap-rest-chain
  namespace: devops
spec:
  chain:
    middlewares:
      - name: dev-core-service-soap-rest-replacepathregex
      - name: dev-soap-rest-bodysize
      - name: dev-soap-rest-security-headers
      - name: dev-soap-rest-retry
      - name: dev-soap-rest-cors
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-core-service-soap-rest-replacepathregex
  namespace: devops
spec:
  replacePathRegex:
    regex: /core-service(/|$)(.*)
    replacement: /$2
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-soap-rest-bodysize
  namespace: devops
spec:
  buffering:
    maxRequestBodyBytes: 20971520
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-soap-rest-security-headers
  namespace: devops
spec:
  headers:
    frameDeny: true
    sslRedirect: true
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    contentTypeNosniff: true
    browserXssFilter: true
    customResponseHeaders:
      Server: ""
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-soap-rest-retry
  namespace: devops
spec:
  retry:
    attempts: 3
    initialInterval: 1000ms
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-soap-rest-cors
  namespace: devops
spec:
  headers:
    accessControlAllowMethods:
      - "PUT"
      - "GET"
      - "POST"
      - "OPTIONS"
      - "DELETE"
      - "HEAD"
      - "TRACE"
      - "PATCH"
    accessControlAllowHeaders:
      - "*"
    accessControlAllowOriginList:
      - "*"
    accessControlMaxAge: 300
    addVaryHeader: true
---
#################################################################################
# CORE SERVICE EXTERNAL SERVICES
#################################################################################
apiVersion: v1
kind: Service
metadata:
  name: dev-core-service-soap-rest-esvc-1
  namespace: devops
spec:
  externalName: 1.1.1.1
  type: ExternalName
  ports:
    - port: 7801
---
apiVersion: v1
kind: Service
metadata:
  name: dev-core-service-soap-rest-esvc-2
  namespace: devops
spec:
  externalName: 1.1.1.1
  type: ExternalName
  ports:
    - port: 7802
---
#################################################################################
# CORE SERVICE TRAEFIK SERVICE
#################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: dev-core-service-soap-rest-tsvc
  namespace: devops
spec:
  weighted:
    services:
      - name: dev-core-service-soap-rest-esvc-1
        weight: 1
        port: 7801
      - name: dev-core-service-soap-rest-esvc-2
        weight: 1
        port: 7802
---
#################################################################################
# CORE SERVICE INGRESS ROUTE
#################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dev-core-service-soap-rest-ingress-route-tls
  namespace: devops
  annotations:
    kubernetes.io/ingress.class: dev-traefik
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - kind: Rule
      match: Host(`example.com`) && PathPrefix(`/core-service`)
      middlewares:
        - name: dev-core-service-soap-rest-chain
      services:
        - name: dev-core-service-soap-rest-tsvc
          kind: TraefikService
          namespace: devops
          port: 7801
  tls:
    secretName: dev-traefik-tls
My requirement for the production environment is a little bit different because I need to establish the communication with the web service over HTTPS, and for that I need to pass the root CA certificate (client -> traefik edge router -> HTTPS/TLS web service (ExternalName service)). The reason why I chose the Kubernetes service of type ExternalName is because I can map a service to a DNS name. This works great as long as you are using HTTP, but when you need it over HTTPS this works differently. As a workaround I found that you can "force HTTPS" using scheme: https and port: 7843 in the TraefikService and IngressRoute resources; in this way I was able to see the ExternalName service as HTTPS in the traefik dashboard. It seems to be the proper workaround to "force HTTPS" in the ExternalName service. This is how these resources look right now:
###################################################################################
# CORE SERVICE EXTERNAL SERVICES
###################################################################################
apiVersion: v1
kind: Service
metadata:
  name: prod-core-service-soap-rest-esvc
  namespace: devops
spec:
  externalName: example.com
  type: ExternalName
  ports:
    - port: 7843
---
###################################################################################
# CORE SERVICE INGRESS ROUTE
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: prod-core-service-soap-rest-ingress-route-tls
  namespace: devops
  annotations:
    kubernetes.io/ingress.class: prod-traefik
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - kind: Rule
      match: Host(`example.com`) && PathPrefix(`/core-service`)
      middlewares:
        - name: prod-core-service-soap-rest-chain
      services:
        - name: prod-core-service-soap-rest-tsvc
          namespace: devops
          kind: TraefikService
          port: 7843
          scheme: https
          serversTransport: bus-server-transport
  tls:
    secretname: prod-traefik-tls
---
As you can see in the code below, I'm trying to pass the certificate to the backend service with a ServersTransport resource, which is supposed to pass the CA root certificate to the backend service, but I'm not sure if I'm using it correctly. The documentation says that you can use the file path for the rootCAsSecrets: but I'm not sure about it.
###################################################################################
# CORE SERVICE SERVERS TRANSPORT
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: bus-server-transport
  namespace: devops
spec:
  insecureSkipVerify: true
  rootCAsSecrets:
    - ROOT-CA.crt
  forwardingTimeouts:
    dialTimeout: 30s
    responseHeaderTimeout: 30s
    idleConnTimeout: 30s
---
So far I haven't been able to make it work. I would appreciate any guidance that you can provide to make it work.
Here is the whole piece of code that I'm using right now:
###################################################################################
# MIDDLEWARE
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-core-service-soap-rest-chain
  namespace: devops
spec:
  chain:
    middlewares:
      - name: prod-core-service-soap-rest-replacepathregex
      - name: prod-soap-rest-bodysize
      - name: prod-soap-rest-security-headers
      - name: prod-soap-rest-retry
      - name: prod-soap-rest-cors
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-core-service-soap-rest-replacepathregex
  namespace: devops
spec:
  replacePathRegex:
    regex: /core-service(/|$)(.*)
    replacement: /$2
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-soap-rest-bodysize
  namespace: devops
spec:
  buffering:
    maxRequestBodyBytes: 20971520
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-soap-rest-security-headers
  namespace: devops
spec:
  headers:
    frameDeny: true
    sslRedirect: true
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    contentTypeNosniff: true
    browserXssFilter: true
    customResponseHeaders:
      Server: ""
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-soap-rest-retry
  namespace: devops
spec:
  retry:
    attempts: 3
    initialInterval: 1000ms
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-soap-rest-cors
  namespace: devops
spec:
  headers:
    accessControlAllowMethods:
      - "PUT"
      - "GET"
      - "POST"
      - "OPTIONS"
      - "DELETE"
      - "HEAD"
      - "TRACE"
      - "PATCH"
    accessControlAllowHeaders:
      - "*"
    accessControlAllowOriginList:
      - "*"
    accessControlMaxAge: 300
    addVaryHeader: true
---
###################################################################################
# CORE SERVICE EXTERNAL SERVICES
###################################################################################
apiVersion: v1
kind: Service
metadata:
  name: prod-core-service-soap-rest-esvc
  namespace: devops
spec:
  externalName: example.com
  type: ExternalName
  ports:
    - port: 7843
---
###################################################################################
# CORE SERVICE TRAEFIK SERVICE
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: prod-core-service-soap-rest-tsvc
  namespace: devops
spec:
  weighted:
    services:
      - name: prod-core-service-soap-rest-esvc
        weight: 1
        port: 7843
        scheme: https
      - name: prod-core-service-soap-rest-esvc
        weight: 1
        port: 7843
        scheme: https
---
###################################################################################
# CORE SERVICE SERVERS TRANSPORT
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: bus-server-transport
  namespace: devops
spec:
  insecureSkipVerify: true
  rootCAsSecrets:
    - ROOT-CA.crt
  forwardingTimeouts:
    dialTimeout: 30s
    responseHeaderTimeout: 30s
    idleConnTimeout: 30s
---
###################################################################################
# CORE SERVICE INGRESS ROUTE
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: prod-core-service-soap-rest-ingress-route-tls
  namespace: devops
  annotations:
    kubernetes.io/ingress.class: prod-traefik
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - kind: Rule
      match: Host(`example.com`) && PathPrefix(`/core-service`)
      middlewares:
        - name: prod-core-service-soap-rest-chain
      services:
        - name: prod-core-service-soap-rest-tsvc
          namespace: devops
          kind: TraefikService
          port: 7843
          scheme: https
          serversTransport: bus-server-transport
  tls:
    secretname: prod-traefik-tls