Traefik - Ingress Controller

Kubernetes has an ingress controller to help you manage your layer 7 HTTP traffic. It has concepts around hostnames, TLS and maps back to your services within k8s. On Google Kubernetes Engine (GKE) when an ingress is specified, it will spin up an external HTTP Google Cloud Load Balancer. What about a GKE private cluster? It doesn’t hae access to an external L7 HTTP or L4 TCP Network Load Balancer. In this case, for the time being you may want to opt for an ingress controller such as nginx, haproxy, or traefik in this post.

Traefik can function as an ingress controller, but it can also be a standalone proxy, docker proxy, etc. It supports quite a few providers. Normally you configure it with a traefik.toml configuration file, but there are other methods depending on your provider. While you can use a traefik.toml within k8s, ideally you’ll want to leverage annotations to manage your entrypoints. These are defined in your ingress and service definitions.

By default traefik will open up 80 for http traffic and 8080 for it’s dashboard, metrics and api. So what if you wanted TLS or define other configurations such as logging. Without the config file, you need to define them as arguments in your deployment or daemonset manifests.

Once you have TLS configured, each TLS secret in kubernetes is loaded in the namespace where you define your ingress. Traefik has a default TLS certificate that it falls back to if your certificate doesn’t match the host that is being defined.

apiVersion: extensions/v1beta1
kind: Ingress
    app: httpbin
  name: httpbin-ingress
  annotations: traefik https
  - secretName: httpbin-tls
  - host:
      - path: /
          serviceName: httpbin
          servicePort: http

In the example above, the host is, if my service isn’t listing on this fully qualified domain name and I try to access my ingress, it will return the traefik default certificate.

You can add your tls by hand or by using kubectl

kubectl create secret tls httpbin-tls --key=tls.key --cert=tls.crt
Ensure that you are using tls.key and tls.crt as the ingress is specifically looking for those entries.

This post is based on this example.

comments powered by Disqus