Traefik IngressRoute. How to direct traffic to only one pod? - kubernetes

I have an ingressroute configuration:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: demo-rr-camunda-bpm-platform-app-ingress-route1
  namespace: bpm
spec:
  entryPoints:
    - bpm
  routes:
    - kind: Rule
      match: PathPrefix(`/bpm/demo-rr-camunda-bpm-platform-app`)
      services:
        - kind: Service
          name: demo-rr-camunda-bpm-platform-app-service1
          port: 5000
  tls:
    secretName: k8s-code-ru-tls
With this configuration, if two replicas are running, when you try to request a login, the page is displayed from one pod, and the authorization attempt flies to the other pod (and does not work). It is necessary that both the login page and the authorization URL work on the same pod.
If I'm not mistaken, then the solution to this problem is to use Stickiness https://doc.traefik.io/traefik/routing/services/
If so, then I cannot figure out how to apply this code to the existing ingressroute that I described above:
## Dynamic configuration
http:
  services:
    my-service:
      loadBalancer:
        sticky:
          cookie: {}

You should use a Kubernetes Service, which will track your deployment (with 2 replicas) using labels. The Service will do the job for you, and the IngressRoute will serve the two replicas.
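How the sticky cookie from the question's dynamic-configuration snippet maps onto the IngressRoute CRD, as an added example that is not part of the original question or answer. The cookie name is an assumption; the other values are taken from the question's manifest.

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: demo-rr-camunda-bpm-platform-app-ingress-route1
  namespace: bpm
spec:
  entryPoints:
    - bpm
  routes:
    - kind: Rule
      match: PathPrefix(`/bpm/demo-rr-camunda-bpm-platform-app`)
      services:
        - kind: Service
          name: demo-rr-camunda-bpm-platform-app-service1
          port: 5000
          # In the CRD, stickiness is set per service entry of the route,
          # not under http.services.<name>.loadBalancer as in the file provider.
          sticky:
            cookie:
              name: bpm_affinity   # assumed name; pick one that does not clash with the app's session cookie
              secure: true         # the route terminates TLS, so never send the cookie over plain HTTP
              httpOnly: true       # page scripts have no need to read the affinity cookie
              sameSite: lax        # the cookie is not attached to cross-site subrequests
  tls:
    secretName: k8s-code-ru-tls
```

The cookie only pins a client to one backend pod. It is not a session credential, and if that pod becomes unavailable Traefik forwards the request to another pod, so the application session on the original pod is lost unless it is stored outside the pod.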

Related

Traefik IngressRoute CRD not Registering Any Routes

I'm configuring Traefik Proxy to run on a GKE cluster to handle proxying to various microservices. I'm doing everything through their CRDs and deployed Traefik to the cluster using a custom deployment. The Traefik dashboard is accessible and working fine; however, when I try to set up an IngressRoute for the service itself, it is not accessible and it does not appear in the dashboard. I've tried setting it up with a regular k8s Ingress object and when doing that, it did appear in the dashboard; however, I ran into some issues with middleware, and for ease of use I'd prefer to go the CRD route. Also, the deployment and service for the microservice seem to be deploying fine; they both appear in the GKE dashboard and are running normally. No ingress is created; however, I'm unsure whether a custom CRD IngressRoute is supposed to create one or not.
Some information about the configuration:
I'm using Kustomize to handle overlays and general data
I have a setting through kustomize to apply the namespace users to everything
Below are the config files I'm using, and the CRDs and RBAC are defined by calling
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
kubectl apply -f https://raw.githubusercontent.com/traefik/traefik/v2.9/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: users-service
spec:
  replicas: 1
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: users-service
    spec:
      containers:
        - name: users-service
          image: ${IMAGE}
          imagePullPolicy: IfNotPresent
          ports:
            - name: web
              containerPort: ${HTTP_PORT}
          readinessProbe:
            httpGet:
              path: /ready
              port: web
            initialDelaySeconds: 10
            periodSeconds: 2
          envFrom:
            - secretRef:
                name: users-service-env-secrets
service.yml
apiVersion: v1
kind: Service
metadata:
  name: users-service
spec:
  ports:
    - name: web
      protocol: TCP
      port: 80
      targetPort: web
  selector:
    app: users-service
ingress.yml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: users-stripprefix
spec:
  stripPrefix:
    prefixes:
      - /userssrv
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: users-service-ingress
spec:
  entryPoints:
    - service-port
  routes:
    - kind: Rule
      match: PathPrefix(`/userssrv`)
      services:
        - name: users-service
          namespace: users
          port: service-port
      middlewares:
        - name: users-stripprefix
If any more information is needed, just lmk. Thanks!
A default Traefik installation on Kubernetes creates two entrypoints:
web for http access, and
websecure for https access
But you have in your IngressRoute configuration:
entryPoints:
- service-port
Unless you have explicitly configured Traefik with an entrypoint named "service-port", this is probably your problem. You want to remove the entryPoints section, or specify something like:
entryPoints:
- web
If you omit the entryPoints configuration, the service will be available on all entrypoints. If you include explicit entrypoints, then the service will only be available on those specific entrypoints (e.g. with the above configuration, the service would be available via http:// and not via https://).
Not directly related to your problem, but if you're using Kustomize, consider:
Drop the app: users-service label from the deployment, the service selector, etc, and instead set that in your kustomization.yaml using the commonLabels directive.
Drop the explicit namespace from the service specification in your IngressRoute and instead use kustomize's namespace transformer to set it (this lets you control the namespace exclusively from your kustomization.yaml).
I've put together a deployable example with all the changes mentioned in this answer here.

How to expose Traefik v2 dashboard with Kubernetes Ingress

Currently I use Traefik IngressRoute to expose the Traefik dashboard. I am using this configuration:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: my-namespace
spec:
  routes:
    - match: Host(`traefik.example.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: traefik-dashboard-https-redirect
        - name: traefik-dashboard-basic-auth
  tls:
    certResolver: le
and it works fine.
However I would like to expose it with a native Kubernetes Ingress. I can't find any resource which shows how to access api@internal from an Ingress. Is it even possible?
It is not possible to reference api@internal from an Ingress.
There is a workaround I think, which could be:
expose the api as insecure, it exposes the dashboard by default on an entrypoint called traefik on port 8080.
update the entrypoint manually in the static conf: entrypoints.traefik.address=<what-you-want>
create a service pointing to the traefik entrypoint (port 8080 by default).
create an ingress pointing to the service
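The workaround steps above written out as manifests, as an added example that is not from the original answer. It assumes the Kubernetes Ingress provider is enabled, an entrypoint named websecure exists, and the Traefik pods carry the label app: traefik; the hostname, namespace, resolver and middleware names are reused from the question.

```yaml
# Static configuration (Traefik container args), steps 1-2 of the workaround:
#   --api.insecure=true
#   --entrypoints.traefik.address=:8080
# api.insecure serves the dashboard and API without authentication to anything
# that can reach port 8080 on the pod, so the basic-auth middleware below only
# protects requests that arrive through the Ingress.
apiVersion: v1
kind: Service
metadata:
  name: traefik-dashboard          # assumed name
  namespace: my-namespace
spec:
  type: ClusterIP                  # keep 8080 off any LoadBalancer or NodePort
  selector:
    app: traefik                   # assumed label on the Traefik pods
  ports:
    - name: dashboard
      port: 8080
      targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-dashboard
  namespace: my-namespace
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure   # assumed entrypoint
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.tls.certresolver: le
    # Format: <namespace>-<middleware name>@kubernetescrd
    traefik.ingress.kubernetes.io/router.middlewares: my-namespace-traefik-dashboard-basic-auth@kubernetescrd
spec:
  rules:
    - host: traefik.example.com
      http:
        paths:
          - path: /api
            pathType: Prefix
            backend:
              service: {name: traefik-dashboard, port: {number: 8080}}
          - path: /dashboard
            pathType: Prefix
            backend:
              service: {name: traefik-dashboard, port: {number: 8080}}
```

Because port 8080 stays unauthenticated inside the cluster, restricting which pods may reach it (for example with a NetworkPolicy) is the complement to the basic-auth middleware on the Ingress.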

Traefik TCP service + routing

I'm having a hard time routing TCP traffic to a Pod with Traefik.
This pod I'm trying to proxy is named "realtime" and namespaced under "default"
According to the doc provided by traefik, I have created the following
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: realtime-tcp-route
  namespace: default
spec:
  routes:
    - match: HostSNI(`subdomain.hostname.com`)
      services:
        - name: realtime
          port: 3002
According to the traefik dashboard, something is wrong: the service "default-realtime-tcp-ingress-542127811efa012038fd@kubernetescrd" does not exist. What am I doing wrong?
Thanks

What's Istio Subsets all about

Can anybody explain Istio subsets and destination rules in a simple manner, and explain the problem they are trying to solve by introducing subsets?
DestinationRule is a resource that adds additional routing policies after routing happens to a Service, for example say that you have the following service:
apiVersion: v1
kind: Service
metadata:
  name: my-service
  namespace: default
spec:
  selector:
    app: my-service
  ports:
    - name: http
      protocol: TCP
      port: 80
This Service can route to multiple resources, it picks up any pod which contains label app: my-service, which means you can have, for example, different versions of the same service running in parallel using one deployment for each.
Now, with a DestinationRule you can add additional routing policies on top of that, a subset means part of your pods which you can identify through labels, for example:
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: my-service-ab
spec:
  host: my-service.default.svc.cluster.local
  trafficPolicy:
    loadBalancer:
      simple: LEAST_CONN
  subsets:
    - name: a-test
      labels:
        version: v3
      trafficPolicy:
        loadBalancer:
          simple: ROUND_ROBIN
This DestinationRule uses a round robin load balancing policy for all traffic going to a subset named a-test that is composed of endpoints (e.g., pods) with labels (version:v3). This can be useful for scenarios such as A/B testing, or to keep multiple versions of your service running in parallel.
Also, you can specify custom TrafficPolicies for a subset that will override TrafficPolicies defined at a Service level.

why traefik https config not work in kubernetes cluster

I am trying to configure https with traefik(v2.1.6) in kubernetes cluster(v1.15.2) by following this documentation.
My traefik deployment YAML looks like this:
And this is my IngressRoute config:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  tls:
    certresolver: ali
  routes:
    - match: Host(`traefik.example.com`)
      kind: Rule
      services:
        - name: traefik
          port: 8080
When I access the website, it gives me following message: not secure.
What should I do to make it work?
Since this certificate is from ACME staging, its root CA is not present in browsers. You need to add it to your system's trust store.