Use Traefik as external ingress provider to k8s cluster?

Hi, I am running Traefik on my server and want it to function as an ingress provider for my k8s cluster.

My Traefik runs in a Docker container on the host. My cluster (microk8s) is running on the same machine.

My Docker-Compose-File for traefik:

version: "3.3"

services:
  ################################################
  ####        Traefik Proxy Setup           #####
  ###############################################
  traefik:
    image: traefik:v2.2
    restart: always
    container_name: traefik
    ports:
      - "80:80" # <== http
      - "8080:8080" # <== :8080 is where the dashboard runs on (with api.insecure=true it is unauthenticated; bind it as 127.0.0.1:8080:8080 or drop it outside of debugging)
      - "443:443" # <== https
    command:
    #### These are the CLI commands that will configure Traefik and tell it how to work! ####
      ## API Settings - https://docs.traefik.io/operations/api/, endpoints - https://docs.traefik.io/operations/api/#endpoints ##
      - --api.insecure=true # <== Enabling insecure api, NOT RECOMMENDED FOR PRODUCTION
      - --api.dashboard=true # <== Enabling the dashboard to view services, middlewares, routers, etc...
      - --api.debug=true # <== Enabling additional endpoints for debugging and profiling
      ## Log Settings (options: ERROR, DEBUG, PANIC, FATAL, WARN, INFO) - https://docs.traefik.io/observability/logs/ ##
      - --log.level=DEBUG # <== Setting the level of the logs from traefik
      ## Provider Settings - https://docs.traefik.io/providers/docker/#provider-configuration ##
      - --providers.docker=true # <== Enabling docker as the provider for traefik
      - --providers.docker.exposedbydefault=false # <== Don't expose every container to traefik, only expose enabled ones
      ## k8s cluster config
      - --providers.kubernetesingress=true
      - --providers.kubernetesingress.endpoint=https://external-endpoint-url
      - --providers.kubernetesingress.certauthfilepath=/var/snap/microk8s/current/certs/ca.crt
      - --providers.kubernetesingress.namespaces=production,staging
      - --providers.kubernetesingress.ingressendpoint.hostname=host.name
      - --providers.file.filename=/dynamic.yaml # <== Referring to a dynamic configuration file
      - --providers.docker.network=web # <== Operate on the docker network named web
      - --providers.providersThrottleDuration=10s
      ## Entrypoints Settings - https://docs.traefik.io/routing/entrypoints/#configuration ##
      - --entrypoints.http.address=:80 # <== Defining an entrypoint named http on port :80
      - --entrypoints.https.address=:443 # <== Defining an entrypoint named https on port :443
      ## Certificate Settings (Let's Encrypt) -  https://docs.traefik.io/https/acme/#configuration-examples ##
      - --certificatesresolvers.letsencrypt.acme.tlschallenge=true # <== Enable TLS-ALPN-01 to generate and renew ACME certs
      - --certificatesresolvers.letsencrypt.acme.email=email@adress.name # <== Setting email for certs
      - --certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json # <== Defining acme file to store cert information
    volumes:
      - ./letsencrypt:/letsencrypt # <== Volume for certs (TLS)
      - /var/run/docker.sock:/var/run/docker.sock # <== Volume for docker admin
      - ./dynamic.yaml:/dynamic.yaml # <== Volume for dynamic conf file, ref: --providers.file.filename above
    networks:
      - web # <== Placing traefik on the network named web, to access containers on this network
    labels:
    #### Labels define the behavior and rules of the traefik proxy for this container ####
      - "traefik.enable=true" # <== Enable traefik on itself to view dashboard and assign subdomain to view it
      - "traefik.http.routers.api.rule=Host(`monitor.weltenbummler.it`)" # <== Setting the domain for the dashboard
      - "traefik.http.routers.api.service=api@internal" # <== Enabling the api to be a service to access

networks:
  web:
    external: true

In my dashboard it shows KubernetesIngress as a provider.
However, I have no clue if the cluster actually sees it and can use it.

Here is my corresponding ingress.yaml:

kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
  name: "my"
  namespace: production
  annotations:
    kubernetes.io/ingress.class: "traefik"
    # Traefik's Kubernetes Ingress provider only reads annotations with the
    # traefik.ingress.kubernetes.io/ prefix. Docker-style labels such as
    # traefik.enable or traefik.http.routers.* are silently ignored here.
    traefik.ingress.kubernetes.io/router.entrypoints: "https"
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.tls.certresolver: "letsencrypt"
    # Middlewares (e.g. the X-Forwarded-* headers) cannot be declared via
    # Ingress annotations; they need a Middleware CRD served by the
    # kubernetescrd provider and are referenced as <namespace>-<name>@kubernetescrd:
    # traefik.ingress.kubernetes.io/router.middlewares: "production-mytestproject-headers@kubernetescrd"
    # The backend service and port come from spec.rules below, not from annotations.

spec:
  tls:
    - secretName: mySecret # optional when a certresolver is set; if listed, the secret must exist in this namespace
  rules:
    - host: my.host.name
      http:
        paths:
          - path: /
            backend:
              serviceName: myTestProject
              servicePort: 2342

What am I missing? How can I debug it?
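Two concrete ways to answer "does Traefik actually see the cluster?" from the host, as an added example that is not part of the original post: filter Traefik's own log for the failure modes of an out-of-cluster provider (unreadable CA file, x509/TLS failures, 401/403 from the API server), and ask the Traefik API which routers the Ingress provider produced (their names end in `@kubernetes`). The sample log lines are constructed to resemble Traefik v2's text logger, not captured from the poster's deployment; the container name `traefik`, the dashboard at `http://localhost:8080` (as in the compose file) and an installed `jq` are assumptions.

```shell
#!/bin/sh
# Added example: check whether Traefik's Kubernetes Ingress provider connected.
#   scan_provider_errors  - keep only log lines that point at the provider failing
#   count_provider_errors - number of such lines (used for a quick pass/fail)
#   kubernetes_routers    - routers the Ingress provider created, via the API
# Assumptions: container "traefik", API at http://localhost:8080, jq installed.

# Read Traefik log lines on stdin and print only error/warn lines that mention
# the kubernetes provider, certificate problems or authorization failures.
scan_provider_errors() {
    grep -iE 'level=(error|warn)' \
      | grep -iE 'kubernetes|ingress|x509|certificate|no such file|forbidden|unauthorized'
}

# Count the lines scan_provider_errors keeps (0 means nothing obviously wrong).
count_provider_errors() {
    scan_provider_errors | wc -l | tr -d ' '
}

# List router names coming from the Ingress provider. An empty list means the
# provider never connected, or saw no Ingress in the watched namespaces.
kubernetes_routers() {
    api="${1:-http://localhost:8080}"
    curl -fsS "$api/api/http/routers" \
      | jq -r '.[] | select(.provider == "kubernetes") | .name'
}

# Constructed sample log (not from the poster's deployment). Line 2 is the
# "forgot to mount the CA file" case, line 4 the "RBAC not granted" case.
SAMPLE_LOG='time="2020-06-01T10:00:00Z" level=info msg="Starting provider *ingress.Provider ..."
time="2020-06-01T10:00:00Z" level=error msg="Cannot start the provider *ingress.Provider: open /var/snap/microk8s/current/certs/ca.crt: no such file or directory"
time="2020-06-01T10:00:01Z" level=debug msg="Configuration received from provider docker: ..." providerName=docker
time="2020-06-01T10:00:05Z" level=error msg="ingresses.networking.k8s.io is forbidden: User \"system:serviceaccount:kube-system:traefik\" cannot list resource \"ingresses\"" providerName=kubernetes'

if [ "${1:-}" = "live" ]; then
    # Real run: scan the running container's log, then list the routers.
    docker logs traefik 2>&1 | scan_provider_errors
    kubernetes_routers
else
    # Demo run against the constructed sample: prints the two offending lines.
    printf '%s\n' "$SAMPLE_LOG" | scan_provider_errors
fi
```

Run it with `live` as the first argument against the real container; without an argument it only exercises the filter on the constructed sample. If `kubernetes_routers` prints nothing while the dashboard still lists the provider, the provider is enabled but never got a watch going, and the log filter usually shows why.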

I forgot to link the certificate into the traefik container. After carefully inspecting the logs again, I've found the corresponding error message. Sometimes you won't see the correct tree in the woods. :wink:

Now I still need to get RBAC to work.
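The remaining pieces for an out-of-cluster Traefik, as an added example that is neither the poster's nor the Traefik project's code: a ServiceAccount with a ClusterRole covering what the kubernetesingress provider reads (services, endpoints, secrets, ingresses and their status), a `kubectl auth can-i` check that impersonates that account for every rule and namespace before Traefik has to discover a gap itself, and the bearer token Traefik needs because a container outside the cluster has no mounted service-account token. The account name `traefik-ingress-controller`, the namespace `kube-system`, and the assumption that `kubectl` points at the microk8s cluster are mine; the `ingressclasses` rule is harmless on clusters that predate IngressClass.

```shell
#!/bin/sh
# Added example: RBAC for Traefik v2's Kubernetes Ingress provider running outside
# the cluster. Subcommands: (none) print manifest | apply | check <ns...> | token
# Assumptions: names below are arbitrary; kubectl targets the microk8s cluster.

SA_NAME="${SA_NAME:-traefik-ingress-controller}"
SA_NS="${SA_NS:-kube-system}"

# "group resource verbs" triples. Both the manifest and the can-i check are
# generated from this single list so the two cannot drift apart.
rbac_rules() {
    cat <<EOF
core services get,list,watch
core endpoints get,list,watch
core secrets get,list,watch
networking.k8s.io ingresses get,list,watch
networking.k8s.io ingressclasses get,list,watch
networking.k8s.io ingresses/status update
extensions ingresses get,list,watch
extensions ingresses/status update
EOF
}

# Emit ServiceAccount + ClusterRole + ClusterRoleBinding as one YAML stream.
rbac_manifest() {
    cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $SA_NAME
  namespace: $SA_NS
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: $SA_NAME
rules:
EOF
    rbac_rules | while read -r group resource verbs; do
        [ "$group" = "core" ] && group=""
        printf '  - apiGroups: ["%s"]\n    resources: ["%s"]\n    verbs: [%s]\n' \
            "$group" "$resource" "$verbs"
    done
    cat <<EOF
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: $SA_NAME
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: $SA_NAME
subjects:
  - kind: ServiceAccount
    name: $SA_NAME
    namespace: $SA_NS
EOF
}

# Ask the API server, impersonating the service account, whether every rule is
# granted in each namespace Traefik watches. Prints one line per denial and
# returns non-zero if anything is denied.
check_rbac() {
    denied=0
    while read -r group resource verbs; do
        [ "$group" = "core" ] && group=""
        sub=""
        case "$resource" in */*) sub="${resource#*/}"; resource="${resource%/*}" ;; esac
        res="$resource"; [ -n "$group" ] && res="$resource.$group"
        for verb in $(printf '%s' "$verbs" | tr ',' ' '); do
            for ns in "$@"; do
                if ! kubectl auth can-i "$verb" "$res" ${sub:+--subresource="$sub"} -n "$ns" \
                        --as="system:serviceaccount:$SA_NS:$SA_NAME" >/dev/null 2>&1; then
                    echo "DENIED: $verb $res${sub:+/$sub} in $ns"
                    denied=$((denied + 1))
                fi
            done
        done
    done <<EOF
$(rbac_rules)
EOF
    [ "$denied" -eq 0 ]
}

# Bearer token for --providers.kubernetesingress.token. Clusters of this era
# created a token secret per service account; on Kubernetes >= 1.24 (assumption
# about your version) fall back to `kubectl create token`.
service_account_token() {
    secret=$(kubectl -n "$SA_NS" get sa "$SA_NAME" -o jsonpath='{.secrets[0].name}')
    if [ -n "$secret" ]; then
        kubectl -n "$SA_NS" get secret "$secret" -o jsonpath='{.data.token}' | base64 -d
    else
        kubectl -n "$SA_NS" create token "$SA_NAME"
    fi
}

case "${1:-}" in
    apply) rbac_manifest | kubectl apply -f - ;;
    check) shift; check_rbac "$@" ;;
    token) service_account_token ;;
    *)     rbac_manifest ;;
esac
```

Typical sequence: `sh rbac.sh apply`, then `sh rbac.sh check production staging` (the namespaces from `--providers.kubernetesingress.namespaces`), then `sh rbac.sh token`. In the compose file, mount the CA read-only at the path the flag already names (`/var/snap/microk8s/current/certs/ca.crt:/var/snap/microk8s/current/certs/ca.crt:ro`) and pass the token with `--providers.kubernetesingress.token=...`; keep the token out of the compose file itself (an env file or a Docker secret) since it grants read access to every Secret in the cluster.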