Istio - Traefik help

Aur0nd · February 26, 2024, 12:49pm

Hi there!!!

I've been trying for a little while to make Istio mTLS and Traefik to work but without any luck.

Essentially I've got Traefik to manage the ingress and Istio for the Mesh, but once I enable the mTLS I'm getting 404 Gateway.

Any help is so much appreciated!

putharekulu · May 20, 2024, 11:08am

Hi, Were you able to figure out how to make mTLS work for Traefik and Istio?
In permissive mode all works fine for me, When in strict mode I get NR filter_chain_not_found in istio logs... I believe this is because traefik is sending traffic on IP:port instead of service:port and istio couldn't find any routes to route the traffic. Any suggestions on what can be done to make this work?

palashbasik · June 17, 2024, 12:31pm

I am facing same problem.
Any updates?
Were you able to figure out?

Aur0nd · June 17, 2024, 12:55pm

Unfortunately I don't think it's possible, @putharekulu correctly pointed the limitation.

I ended up using the Traefik Mesh which obviously is not near as good.

palashbasik · June 17, 2024, 12:57pm

Sad. I'll move on to linkerd.

putharekulu · June 18, 2024, 2:58pm

I tried this Using Traefik Ingress Controller with Istio Service Mesh and worked for me to route traffic from traefik to Istio. But I have some other limitations with this approach so we are planning to move on to use Istio Gateway instead of traefik for routing external requests.

Aur0nd · June 18, 2024, 3:43pm

You can use Traefik ingress & Istio mesh in permissive mode, but you can't have that working with mTLS Enforced

nicomengin · September 24, 2024, 9:40am

Hello there,

@putharekulu @Aur0nd do you know that since Traefik v2.10, you can set the option nativeLB on your Services? It allows Traefik to target the service instead of the pods.

Moreover, the next Traefik version v3.2 brings a global option to enable this behavior.

From my understanding of the limitation you've described, these options should solve the issue.
WDYT?

krobbo · October 1, 2024, 5:46pm

Hey there,

We are testing traefik with istio currently, and will eventually run into the above issue.

It sounds like the preferred approach would be once on Traefik 3.2 to set the global option so as traffic goes to the k8s cluster IP versus straight to the backends?

Are there any examples for configuring traefik for L7 & using istio for services on the mesh?

Thank you

nicomengin · October 1, 2024, 6:48pm

Hello @krobbo,

You can find a recent tutorial to start with Istio and Traefik here.

It sounds like the preferred approach would be once on Traefik 3.2 to set the global option so as traffic goes to the k8s cluster IP versus straight to the backends?

Indeed, setting the option to the provider level is relevant in this context.

krobbo · October 1, 2024, 7:42pm

Thats fantastic, thank you @nicomengin

Topic		Replies	Views
Http2 with http and tcp routers Traefik v2 tcp	2	892	December 28, 2023
Traefik Proxy 2.4 Adds Advanced mTLS, Kubernetes Service APIs & More Blog	0	439	January 20, 2021
[Bounty Offer] Need to get Traefik V2 working on DigitalOcean k8s Traefik v2 docker , kubernetes-crd	4	612	November 6, 2019
Route TCP request to my service via traefik2 Traefik v2 kubernetes-ingress , tcp	0	320	June 29, 2023
Http/3 doesn't seem to work for me in Kubernetes Traefik v2 kubernetes-ingress	0	624	March 4, 2023

Istio - Traefik help

Related topics