Traefik TCP service + routing - kubernetes

I'm having a hard time routing TCP traffic to a Pod with Traefik.
The pod I'm trying to proxy is named "realtime" and namespaced under "default".
According to the doc provided by Traefik, I have created the following:

    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRouteTCP
    metadata:
      name: realtime-tcp-route
      namespace: default
    spec:
      routes:
        - match: HostSNI(`subdomain.hostname.com`)
          services:
            - name: realtime
              port: 3002

According to the Traefik dashboard, something is wrong: the service "default-realtime-tcp-ingress-542127811efa012038fd#kubernetescrd" does not exist. What am I doing wrong?
Thanks

Related

How to expose Traefik v2 dashboard with Kubernetes Ingress

Currently I use Traefik IngressRoute to expose the Traefik dashboard. I am using this configuration:

    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: traefik-dashboard
      namespace: my-namespace
    spec:
      routes:
        - match: Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
          kind: Rule
          services:
            - name: api#internal
              kind: TraefikService
          middlewares:
            - name: traefik-dashboard-https-redirect
            - name: traefik-dashboard-basic-auth
      tls:
        certResolver: le

and it works fine.
However I would like to expose it with a native Kubernetes Ingress. I can't find any resource which shows how to access api#internal from an Ingress. Is it even possible?
It is not possible to reference api#internal from an Ingress.
There is a workaround I think, which could be:
- Expose the API as insecure; it exposes the dashboard by default on an entrypoint called traefik on port 8080.
- Update the entrypoint manually in the static conf: entrypoints.traefik.address=<what-you-want>
- Create a service pointing to the traefik entrypoint (port 8080 by default).
- Create an ingress pointing to the service.

Unable to log egress traffic HTTP requests with the istio-proxy

I am following this guide.
Ingress requests are getting logged. Egress traffic control is working as expected, except I am unable to log egress HTTP requests. What is missing?

    apiVersion: networking.istio.io/v1beta1
    kind: Sidecar
    metadata:
      name: myapp
    spec:
      workloadSelector:
        labels:
          app: myapp
      outboundTrafficPolicy:
        mode: REGISTRY_ONLY
      egress:
        - hosts:
            - default/*.example.com
    ---
    apiVersion: networking.istio.io/v1alpha3
    kind: ServiceEntry
    metadata:
      name: example
    spec:
      location: MESH_EXTERNAL
      resolution: NONE
      hosts:
        - '*.example.com'
      ports:
        - name: https
          protocol: TLS
          number: 443
    ---
    apiVersion: telemetry.istio.io/v1alpha1
    kind: Telemetry
    metadata:
      name: mesh-default
      namespace: istio-system
    spec:
      accessLogging:
        - providers:
            - name: envoy

Kubernetes 1.22.2 Istio 1.11.4
For ingress traffic logging I am using EnvoyFilter to set log format and it is working without any additional configuration. In the egress case, I had to set accessLogFile: /dev/stdout.

    apiVersion: install.istio.io/v1alpha1
    kind: IstioOperator
    metadata:
      name: config
      namespace: istio-system
    spec:
      profile: default
      meshConfig:
        accessLogFile: /dev/stdout

AFAIK istio collects only ingress HTTP logs by default.
In the istio documentation there is an old article (from 2018) describing how to enable egress traffic HTTP logs.
Please keep in mind that some of the information may be outdated, however I believe this is the part that you are missing.

How to create a tcp service in traefik 2.2.1

I am trying to create a TCP service like this in a Kubernetes cluster, following the official docs:

    apiVersion: traefik.containo.us/v1alpha1
    kind: TraefikService
    metadata:
      name: app-mysql
    spec:
      tcp:
        services:
          my-service:
            loadBalancer:
              servers:
                - address: '<private-ip-server-1>:<private-port-server-1>'
                - address: '<private-ip-server-2>:<private-port-server-2>'

and I only see the traefik service in Lens; in the Traefik dashboard I found nothing.
What should I do to create a TCP Service in traefik 2.2.1?
Assuming you'd like to talk to TCP services running in Kubernetes. For TCP you don't really need a TraefikService, you can just use an IngressRouteTCP resource.
You can see in the docs that the IngressRouteTCP can talk directly to a K8s service.
Similarly to the example you can have something like this:

    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRouteTCP        # HostSNI matching is a TCP router rule
    metadata:
      name: my-ingress-udp-route
      namespace: default
    spec:
      entryPoints:
        - myentrypoint
      routes:
        - match: HostSNI(`mysql.example.com`)
          services:
            - name: app-mysql    # K8s Service
              port: 3306

Notes:
- TraefikService can be used in regular IngressRoute resources, and is not supported in the TCP/UDP case today.
- Not sure how you plan to load balance a MySQL service though, as this typically happens at the application level or you need a particular proxy that handles your reads/writes and data consistency.
✌️

Why does the Traefik HTTPS config not work in a Kubernetes cluster

I am trying to configure HTTPS with Traefik (v2.1.6) in a Kubernetes cluster (v1.15.2) by following this documentation.
My traefik deployment YAML looks like this:
And this is my IngressRoute config:

    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: traefik-dashboard-route
      namespace: kube-system
    spec:
      entryPoints:
        - websecure
      tls:
        certresolver: ali
      routes:
        - match: Host(`traefik.example.com`)
          kind: Rule
          services:
            - name: traefik
              port: 8080

When I access the website, it gives me the following message: not secure.
What should I do to make it work?
Since this certificate is from ACME staging, its root CA is not present in browsers. You need to add it to your system's trust store.

Can I use ingress-nginx to simply route traffic?

I really like the kubernetes Ingress schematics. I currently run ingress-nginx controllers to route traffic into my kubernetes pods.
I would like to use this to also route traffic to 'normal' machines, i.e. VMs or physical nodes that are not part of my Kubernetes infrastructure. Is this possible? How?
In Kubernetes you can define an ExternalName service in which you define an FQDN pointing to an external server.

    kind: Service
    apiVersion: v1
    metadata:
      name: my-service
      namespace: prod
    spec:
      type: ExternalName
      externalName: my.database.example.com

Then you can use my-service in your nginx rule.
You can create a static service and corresponding endpoints for external services which are not in k8s, and then use the k8s service in an ingress to route traffic.
Also see the ingress doc to enable custom upstream checks:
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#custom-nginx-upstream-checks
In the example below, just change the port/IP according to your need:

    apiVersion: v1
    kind: Service
    metadata:
      labels:
        product: external-service
      name: external-service
    spec:
      ports:
        - name: http
          port: 80
          targetPort: 80
          protocol: TCP
    ---
    apiVersion: v1
    kind: Endpoints
    metadata:
      labels:
        product: external-service
      name: external-service
    subsets:
      - addresses:
          - ip: x.x.x.x
          - ip: x.x.x.x
          - ip: x.x.x.x
        ports:
          - name: http
            port: 80
            protocol: TCP

I don't think it's possible, since ingress-nginx gets pod info by watching namespace, service, endpoints and ingress resources, then redirects traffic to pods. Without these resources specific to Kubernetes, ingress-nginx has no way to find the IPs that need load balancing. And ingress-nginx doesn't have a health-check method defined; it's up to the Kubernetes built-in mechanism to check the health of the running pods.