hi @groenator, I was OOO, that's why it took me so long to reply back... let me reformulate the whole thing so you can have a better understanding of what I'm trying to achieve.
The following configuration is working properly to establish communication with a web service over HTTP (client -> traefik edge router -> HTTP web service (ExternalName service)). In this scenario I chose to use the service of type ExternalName as my backend because it was the easiest way to achieve it, and it's working really well:
```yaml
###################################################################################
# MIDDLEWARE
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-core-service-soap-rest-chain
  namespace: devops
spec:
  chain:
    middlewares:
      - name: dev-core-service-soap-rest-replacepathregex
      - name: dev-soap-rest-bodysize
      - name: dev-soap-rest-security-headers
      - name: dev-soap-rest-retry
      - name: dev-soap-rest-cors
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-core-service-soap-rest-replacepathregex
  namespace: devops
spec:
  replacePathRegex:
    regex: /core-service(/|$)(.*)
    replacement: /$2
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-soap-rest-bodysize
  namespace: devops
spec:
  buffering:
    maxRequestBodyBytes: 20971520
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-soap-rest-security-headers
  namespace: devops
spec:
  headers:
    frameDeny: true
    sslRedirect: true
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    contentTypeNosniff: true
    browserXssFilter: true
    customResponseHeaders:
      Server: ""
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-soap-rest-retry
  namespace: devops
spec:
  retry:
    attempts: 3
    initialInterval: 1000ms
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-soap-rest-cors
  namespace: devops
spec:
  headers:
    accessControlAllowMethods:
      - "PUT"
      - "GET"
      - "POST"
      - "OPTIONS"
      - "DELETE"
      - "HEAD"
      - "TRACE"
      - "PATCH"
    accessControlAllowHeaders:
      - "*"
    accessControlAllowOriginList:
      - "*"
    accessControlMaxAge: 300
    addVaryHeader: true
---
#################################################################################
# CORE SERVICE EXTERNAL SERVICES
#################################################################################
apiVersion: v1
kind: Service
metadata:
  name: dev-core-service-soap-rest-esvc-1
  namespace: devops
spec:
  externalName: 1.1.1.1
  type: ExternalName
  ports:
    - port: 7801
---
apiVersion: v1
kind: Service
metadata:
  name: dev-core-service-soap-rest-esvc-2
  namespace: devops
spec:
  externalName: 1.1.1.1
  type: ExternalName
  ports:
    - port: 7802
---
#################################################################################
# CORE SERVICE TRAEFIK SERVICE
#################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: dev-core-service-soap-rest-tsvc
  namespace: devops
spec:
  weighted:
    services:
      - name: dev-core-service-soap-rest-esvc-1
        weight: 1
        port: 7801
      - name: dev-core-service-soap-rest-esvc-2
        weight: 1
        port: 7802
---
#################################################################################
# CORE SERVICE INGRESS ROUTE
#################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dev-core-service-soap-rest-ingress-route-tls
  namespace: devops
  annotations:
    kubernetes.io/ingress.class: dev-traefik
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - kind: Rule
      match: Host(`example.com`) && PathPrefix(`/core-service`)
      middlewares:
        - name: dev-core-service-soap-rest-chain
      services:
        - name: dev-core-service-soap-rest-tsvc
          kind: TraefikService
          namespace: devops
          port: 7801
  tls:
    secretName: dev-traefik-tls
```
My requirement for the production environment is a little bit different because I need to establish the communication with the web service over HTTPS and additionally pass the root CA certificate (client -> traefik edge router -> HTTPS/TLS web service (ExternalName service)). What I was trying to say with "force HTTPS" is to create a Kubernetes service of type ExternalName that can be used over HTTPS, but checking the documentation about this kind of service, it just maps a service to a DNS name, so it doesn't care about protocols. The workaround that I found for this was to specify `scheme: https` and `port: 7843` in the `TraefikService` and `IngressRoute` resources; in this way I was able to see the ExternalName service as HTTPS in the traefik dashboard, so it seems to be the proper workaround to "force HTTPS" in the ExternalName service. This is how these resources look right now:
```yaml
###################################################################################
# CORE SERVICE EXTERNAL SERVICES
###################################################################################
apiVersion: v1
kind: Service
metadata:
  name: prod-core-service-soap-rest-esvc
  namespace: devops
spec:
  externalName: example.com
  type: ExternalName
  ports:
    - port: 7843
---
###################################################################################
# CORE SERVICE INGRESS ROUTE
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: prod-core-service-soap-rest-ingress-route-tls
  namespace: devops
  annotations:
    kubernetes.io/ingress.class: prod-traefik
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - kind: Rule
      match: Host(`example.com`) && PathPrefix(`/core-service`)
      middlewares:
        - name: prod-core-service-soap-rest-chain
      services:
        - name: prod-core-service-soap-rest-tsvc
          namespace: devops
          kind: TraefikService
          port: 7843
          scheme: https
          serversTransport: bus-server-transport
  tls:
    # field is camelCase (secretName); "secretname" is not recognised by the CRD
    secretName: prod-traefik-tls
---
```
For the other requirement, the root CA, I'm trying to achieve it with a `ServersTransport` resource, which is supposed to pass the root CA certificate to the backend service, but I'm not sure if I'm using it correctly. The documentation says that you can use the file path for the `rootCAsSecrets:`, but I'm not sure about it.
```yaml
###################################################################################
# CORE SERVICE SERVERS TRANSPORT
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: bus-server-transport
  namespace: devops
spec:
  insecureSkipVerify: true
  rootCAsSecrets:
    - ROOT-CA.crt
  forwardingTimeouts:
    dialTimeout: 30s
    responseHeaderTimeout: 30s
    idleConnTimeout: 30s
---
```
So far I haven't been able to make either of these configurations work; I would appreciate any guidance you can provide to make it work.
Here is the whole piece of code that I'm using right now:
```yaml
###################################################################################
# MIDDLEWARE
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-core-service-soap-rest-chain
  namespace: devops
spec:
  chain:
    middlewares:
      - name: prod-core-service-soap-rest-replacepathregex
      - name: prod-soap-rest-bodysize
      - name: prod-soap-rest-security-headers
      - name: prod-soap-rest-retry
      - name: prod-soap-rest-cors
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-core-service-soap-rest-replacepathregex
  namespace: devops
spec:
  replacePathRegex:
    regex: /core-service(/|$)(.*)
    replacement: /$2
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-soap-rest-bodysize
  namespace: devops
spec:
  buffering:
    maxRequestBodyBytes: 20971520
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-soap-rest-security-headers
  namespace: devops
spec:
  headers:
    frameDeny: true
    sslRedirect: true
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    contentTypeNosniff: true
    browserXssFilter: true
    customResponseHeaders:
      Server: ""
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-soap-rest-retry
  namespace: devops
spec:
  retry:
    attempts: 3
    initialInterval: 1000ms
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-soap-rest-cors
  namespace: devops
spec:
  headers:
    accessControlAllowMethods:
      - "PUT"
      - "GET"
      - "POST"
      - "OPTIONS"
      - "DELETE"
      - "HEAD"
      - "TRACE"
      - "PATCH"
    accessControlAllowHeaders:
      - "*"
    accessControlAllowOriginList:
      - "*"
    accessControlMaxAge: 300
    addVaryHeader: true
---
###################################################################################
# CORE SERVICE EXTERNAL SERVICES
###################################################################################
apiVersion: v1
kind: Service
metadata:
  name: prod-core-service-soap-rest-esvc
  namespace: devops
spec:
  externalName: example.com
  type: ExternalName
  ports:
    - port: 7843
---
###################################################################################
# CORE SERVICE TRAEFIK SERVICE
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: prod-core-service-soap-rest-tsvc
  namespace: devops
spec:
  weighted:
    services:
      - name: prod-core-service-soap-rest-esvc
        weight: 1
        port: 7843
        scheme: https
      - name: prod-core-service-soap-rest-esvc
        weight: 1
        port: 7843
        scheme: https
---
###################################################################################
# CORE SERVICE SERVERS TRANSPORT
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: bus-server-transport
  namespace: devops
spec:
  insecureSkipVerify: true
  rootCAsSecrets:
    - ROOT-CA.crt
  forwardingTimeouts:
    dialTimeout: 30s
    responseHeaderTimeout: 30s
    idleConnTimeout: 30s
---
###################################################################################
# CORE SERVICE INGRESS ROUTE
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: prod-core-service-soap-rest-ingress-route-tls
  namespace: devops
  annotations:
    kubernetes.io/ingress.class: prod-traefik
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - kind: Rule
      match: Host(`example.com`) && PathPrefix(`/core-service`)
      middlewares:
        - name: prod-core-service-soap-rest-chain
      services:
        - name: prod-core-service-soap-rest-tsvc
          namespace: devops
          kind: TraefikService
          port: 7843
          scheme: https
          serversTransport: bus-server-transport
  tls:
    # field is camelCase (secretName); "secretname" is not recognised by the CRD
    secretName: prod-traefik-tls
```
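An added example (not from the post above or from the Traefik project) of the ServersTransport with the CA actually enforced: `rootCAsSecrets` takes the name of a Kubernetes Secret in the same namespace that holds the CA under the `tls.ca` key, not a file path, and while `insecureSkipVerify: true` is present Traefik skips verification of the backend certificate altogether, so the CA is never consulted. The Secret name `bus-root-ca` and the `serverName` value are assumptions.

```yaml
# Constructed example. The CA PEM goes into a Secret in the ServersTransport's
# namespace; it can be created from the file directly with:
#   kubectl -n devops create secret generic bus-root-ca --from-file=tls.ca=ROOT-CA.crt
apiVersion: v1
kind: Secret
metadata:
  name: bus-root-ca            # assumed name
  namespace: devops
type: Opaque
stringData:
  tls.ca: |
    -----BEGIN CERTIFICATE-----
    <PEM body of ROOT-CA.crt goes here>
    -----END CERTIFICATE-----
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: bus-server-transport
  namespace: devops
spec:
  # Keep the default (false): with insecureSkipVerify set to true the backend
  # certificate is never verified and rootCAsSecrets has no effect.
  insecureSkipVerify: false
  # Secret names, not paths on disk.
  rootCAsSecrets:
    - bus-root-ca
  # Name the backend certificate is verified against (and sent as SNI); only
  # needed when the dialled ExternalName is not among the certificate's SANs.
  serverName: example.com      # assumption: matches the backend certificate
  forwardingTimeouts:
    dialTimeout: 30s
    responseHeaderTimeout: 30s
    idleConnTimeout: 30s
```

If the backend presents a certificate that does not chain to this CA or does not match `serverName`, the route returns a 5xx and Traefik logs the TLS error; that is the signal to fix the CA or the name, not to re-enable `insecureSkipVerify`.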