Creating Traefik Ingresses

Overview

This article outlines how to set up an IngressRoute or IngressRouteTCP with Traefik.

Setting up an ingressroute

In most cases, we will be creating a normal HTTP ingress with traefik. To do this, we require the following information:

  • service name (kubernetes service)
  • FQDN that traefik should route

For the kubernetes service, it should be of type ClusterIP, as we already have a load balancer running for Traefik.

We will create a custom manifest for the ingress:

ingress.yaml

---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: LOGICAL_NAME
  namespace: SERVICE_NAMESPACE
  labels:
    ingressclass: traefik-internal
    #ingressclass: traefik-external (if this should be publicly available, use this instead of internal)
spec:
  entryPoints:
    - web # port 80 (plain HTTP); for SSL use websecure
  routes:
    - match: Host(`FQDN_OF_NEW_SERVICE`)
      kind: Rule
      services:
        - name: SERVICE_NAME
          port: SERVICE_PORT # this is an integer, not a string

  • LOGICAL_NAME should be the display name when running kubectl get ingressroutes.traefik.io so it can be easily identified
  • SERVICE_NAMESPACE should be the namespace that the service you are connecting to is located in. This does not have to be the same namespace as the traefik router.
  • FQDN_OF_NEW_SERVICE needs to be the fully qualified domain name that you are attempting to route on. NOTE: the value is wrapped in backticks, NOT single quotes. This is required for Traefik's rule parsing.
  • SERVICE_NAME is the name of the kubernetes service you are connecting to.
  • SERVICE_PORT is the port number the service is listening on. This needs to be an integer, NOT a string

Setting up an ingressrouteTCP

Adding an ingressrouteTCP is more complex than a regular ingressroute, as it will require reconfiguring traefik itself in addition to adding the ingress route.

In the oci-k8s-devops repository, there is a traefik folder. Find the traefik_internal_values.yaml for this environment, and add the following:

additionalArguments:
  ...
  - "--entrypoints.SERVICE_IDENTIFIER.address=:PORT_NUMBER/tcp"

ports:
  ...
  SERVICE_IDENTIFIER:
    port: PORT_NUMBER
    protocol: TCP
    expose: true
    ...

  • SERVICE_IDENTIFIER is the logical name of the service/protocol. For example, with rabbitmq, this service would be amqp. For redis, it would be redis.
  • PORT_NUMBER is the integer port number you are trying to expose.

Save the file, and upgrade the helm install.

helm upgrade traefik-internal traefik/traefik --values traefik_internal_values.yaml

Now that the traefik router has been reconfigured, we will create a new manifest:

---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: LOGICAL_NAME
  namespace: SERVICE_NAMESPACE
  labels:
    ingressclass: traefik-internal
    # ingressclass: traefik-external (use this if you are exposing a publicly available endpoint)
spec:
  entryPoints:
    - SERVICE_IDENTIFIER
  routes:
    - match: ClientIP(`10.0.0.0/8`)
      # - match: ClientIP(`0.0.0.0/0`) (Use this instead if this is supposed to be publicly accessible)
      services:
        - name: SERVICE_NAME
          port: SERVICE_PORT

  • LOGICAL_NAME should be the display name when running kubectl get ingressroutetcps.traefik.io so it can be easily identified
  • SERVICE_NAMESPACE should be the namespace that the service you are connecting to is located in. This does not have to be the same namespace as the traefik router.
  • SERVICE_IDENTIFIER is the value provided for SERVICE_IDENTIFIER during the configuration of the traefik router above
  • SERVICE_NAME is the name of the kubernetes service you are connecting to.
  • SERVICE_PORT is the port number the service is listening on. This needs to be an integer, NOT a string
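
A pre-apply check for both manifests above, as an added example (not part of the original article or the repository's tooling): it flags the mistakes the notes warn about (quoted instead of backticked matcher arguments, string ports) plus two exposure problems, an external route on the plain-HTTP web entrypoint and a traefik-internal IngressRouteTCP whose ClientIP range is not private. The function name lint_route, the sample manifests, and the treatment of RFC 1918 ranges as "internal" are assumptions; the manifest is expected as a dict, as a YAML loader would return it.

```python
import ipaddress
import re

# Assumption: "internal" clients are RFC 1918 IPv4 ranges (the page uses 10.0.0.0/8).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MATCHER = re.compile(r"\b(Host|ClientIP)\((.*?)\)")

def lint_route(manifest):
    """Return findings for one IngressRoute / IngressRouteTCP manifest (a dict)."""
    findings = []
    ingressclass = manifest.get("metadata", {}).get("labels", {}).get("ingressclass")
    spec = manifest.get("spec", {})
    if ingressclass == "traefik-external" and "web" in spec.get("entryPoints", []):
        findings.append("external route on 'web' (port 80, no TLS); use 'websecure'")
    for route in spec.get("routes", []):
        for name, arg in MATCHER.findall(route.get("match", "")):
            if len(arg) < 3 or arg[0] != "`" or arg[-1] != "`":
                findings.append(f"{name}() argument must be in backticks: {arg}")
            elif name == "ClientIP" and ingressclass == "traefik-internal":
                try:
                    net = ipaddress.ip_network(arg.strip("`"), strict=False)
                except ValueError:
                    findings.append(f"ClientIP() is not a valid CIDR: {arg}")
                    continue
                # IPv6 ranges are not checked in this example.
                if net.version == 4 and not any(net.subnet_of(p) for p in PRIVATE):
                    findings.append(f"internal route admits non-private clients: {net}")
        for svc in route.get("services", []):
            port = svc.get("port")
            if isinstance(port, bool) or not isinstance(port, int):
                findings.append(f"service port must be an integer, got {port!r}")
    return findings

# Constructed sample manifests, as dicts in the shape a YAML loader would return.
def sample_route(kind, ingressclass, entry, match, port):
    return {"kind": kind, "metadata": {"labels": {"ingressclass": ingressclass}},
            "spec": {"entryPoints": [entry],
                     "routes": [{"match": match, "services": [{"name": "svc", "port": port}]}]}}

GOOD_TCP = sample_route("IngressRouteTCP", "traefik-internal", "amqp", "ClientIP(`10.0.0.0/8`)", 5672)
OPEN_TCP = sample_route("IngressRouteTCP", "traefik-internal", "redis", "ClientIP(`0.0.0.0/0`)", "6379")
BAD_HTTP = sample_route("IngressRoute", "traefik-external", "web", "Host('app.example.com')", 8080)

if __name__ == "__main__":
    for label, m in (("GOOD_TCP", GOOD_TCP), ("OPEN_TCP", OPEN_TCP), ("BAD_HTTP", BAD_HTTP)):
        print(label, lint_route(m))
```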