Traefik 2.0 with Kubernetes
- kubernetes traefik devops
Traefik 2.0 is here!
Traefik is a reverse proxy and load balancer (and more). It learns which routes to respond to by discovering them from multiple providers: Docker, Kubernetes …
Traefik v1.x is very stable, v2.x is fresh new tech, with breaking changes and unfinished documentation, so test it first.
From Traefik’s documentation:
- Providers discover the services that live on your infrastructure (their IP, health, …)
- Entrypoints listen for incoming traffic (ports, …)
- Routers analyze the requests (host, path, headers, SSL, …)
- Services forward the request to your services (load balancing, …)
- Middlewares may update the request or make decisions based on the request (authentication, rate limiting, headers, …)
Kubernetes
In Traefik v1, Kubernetes Ingress resources were used to discover the routes:
apiVersion: extensions/v1beta1
kind: Ingress
In Traefik v2, a custom resource definition is needed to provide IngressRoute.
With Kubernetes, the provider is called Kubernetes-crd.
The CRD can be found here
It provides Middleware, IngressRoute, IngressRouteTCP & TLSOption.
We need a service account, same as before, and then deploy Traefik itself. The good thing with Traefik v2 is that you don’t need a Traefik config file anymore, since you can do almost anything with the IngressRoute annotations.
Here is a complete gist which will install the CRD, the needed service account and deploy one Traefik 2.0 pod.
kubectl apply -f https://gist.github.com/akhenakh/56f922f39f7b8b212e3f878f91a00b10
Now the real changes, the way you declare a route:
Middleware
First, in v1 we used to redirect http to https as follows, using the traefik.toml config:
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
compress = true
[entryPoints.http.redirect]
regex = "^http://(.*)"
replacement = "https://$1"
permanent = true
In v2 we need to create a middleware, expressed like this for Kubernetes:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: https-only
spec:
  redirectScheme:
    scheme: https
Note: Middlewares can be chained using the Chain middleware!
Route
In v1 we used to describe a route as follows:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: caddy-git
  labels:
    app: "caddy-git"
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
  - host: blog.nobugware.com
    http:
      paths:
      - path: /
        backend:
          serviceName: caddy-git
          servicePort: http
In v2:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: blog-ingress
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`blog.nobugware.com`)
    kind: Rule
    services:
    - name: caddy-git
      port: 80
  tls:
    certResolver: default
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: blog-ingress80
  namespace: default
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`blog.nobugware.com`)
    middlewares:
    - name: https-only
    kind: Rule
    services:
    - name: caddy-git
      port: 80
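In v1 the redirect was declared once on the entry point; in the v2 manifests above it is a middleware that each route on `web` has to reference, so a route that omits it answers over plain HTTP. The following check is an added example, not code from the original post: it takes manifests already parsed into dicts and lists the routes that lack the redirect. The function names and the `forgotten80` object are hypothetical, a missing namespace is assumed to mean `default`, and Chain middlewares are not followed.

```python
# Added example: list IngressRoute routes that answer plain HTTP with no redirect.
INSECURE_ENTRYPOINTS = {"web"}  # the port-80 entry point name used on this page

def redirect_middlewares(manifests):
    """Return {(namespace, name)} of Middlewares that redirect to https."""
    return {(m["metadata"].get("namespace", "default"), m["metadata"]["name"])
            for m in manifests if m.get("kind") == "Middleware"
            and m.get("spec", {}).get("redirectScheme", {}).get("scheme") == "https"}

def plaintext_routes(manifests):
    """Return (namespace, ingressroute, match) for every unprotected route."""
    redirects, findings = redirect_middlewares(manifests), []
    for m in manifests:
        if m.get("kind") != "IngressRoute":
            continue
        spec = m.get("spec", {})
        ns = m["metadata"].get("namespace", "default")
        entrypoints = set(spec.get("entryPoints") or [])
        # tls routers only serve HTTPS; no entryPoints means all entry points.
        if "tls" in spec or (entrypoints and not entrypoints & INSECURE_ENTRYPOINTS):
            continue
        for r in spec.get("routes", []):
            refs = {(mw.get("namespace", ns), mw["name"])
                    for mw in r.get("middlewares", [])}
            if not refs & redirects:  # missing or dangling reference
                findings.append((ns, m["metadata"]["name"], r["match"]))
    return findings

def sample_route(name, entrypoint, middlewares=(), tls=False):
    """Build a constructed IngressRoute shaped like the ones on this page."""
    spec = {"entryPoints": [entrypoint],
            "routes": [{"match": "Host(`blog.nobugware.com`)", "kind": "Rule",
                        "middlewares": [{"name": n} for n in middlewares],
                        "services": [{"name": "caddy-git", "port": 80}]}]}
    if tls:
        spec["tls"] = {"certResolver": "default"}
    return {"kind": "IngressRoute", "spec": spec,
            "metadata": {"name": name, "namespace": "default"}}

# Constructed sample: the page's three objects plus one route missing the redirect.
SAMPLE = [
    {"kind": "Middleware", "metadata": {"name": "https-only", "namespace": "default"},
     "spec": {"redirectScheme": {"scheme": "https"}}},
    sample_route("blog-ingress", "websecure", tls=True),
    sample_route("blog-ingress80", "web", middlewares=["https-only"]),
    sample_route("forgotten80", "web"),
]

if __name__ == "__main__":
    for finding in plaintext_routes(SAMPLE):
        print("plain HTTP, no redirect:", finding)
```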
Conclusion
There is way more to explore, like traffic mirroring and canary updates.
This is a really promising new beginning for Traefik!
If you are interested in advanced configuration examples, read my second post about Traefik 2.