@jakubhajek
Last active July 3, 2023 03:37
Getting Started with Traefik on Kubernetes, Workshop #1, Q&A

1. I am interested in monitoring traefik with Datadog. Is this workshop with this topic?

There is no dedicated workshop on monitoring Traefik with Datadog. I’ve found in the Datadog docs how to configure the Datadog Agent and tune the Traefik configuration to collect the data. However, I’ve not tested that setup.

2. In terms of Capabilities, how would Traefik provide a value add over some in-built services such as Azure LB or App Gateway?

Here are just a few advantages of using Traefik:

  • easier configuration / service discovery
  • single point of TLS termination
  • platform agnostic (you can move to a different cloud provider and keep the same config and knowledge)
  • dev and cost friendly - how do you test an Azure/Google/AWS LB route locally?

3. Is the script dns-update.sh in the repo?

No, this is a script that connects to my domain provider and updates DNS entries to use the external IP provided by AWS, because we had the test Kubernetes cluster provisioned in AWS. DNS updates can be done manually, depending on your domain provider. Optionally, one can also consider using External DNS: https://github.com/kubernetes-sigs/external-dns

4. Can the Ingress managed Load Balancer be Application or Network Load Balancer in AWS?

If you deploy Traefik using the official Helm chart, the only Load Balancer that will be created is a classic AWS load balancer (ELB). You can create many Ingress / IngressRoute resources that will use the created load balancer, and thanks to Traefik they will be correctly routed to your backend. No need to create additional resources in the cloud provider. If you would like to use an NLB, the following annotation should be added to the existing service: service.beta.kubernetes.io/aws-load-balancer-type: "nlb"

5. How does this affect the GKE ingress with Traefik?

You can replace the GKE default ingress controller with Traefik Proxy. However, if you create a Service of type LoadBalancer as a Kubernetes object, it will create an external Google Load Balancer assigning you an external IP address. It is one of the possible options for implementing Ingress: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress Additionally, GKE creates a LB for each Ingress. The advantage of Traefik is that you can have 1 LoadBalancer and manage multiple Ingress / IngressRoute resources. Traefik will significantly reduce the costs of your infrastructure because you have 1 LB instead of one LB for each Ingress.

6. Can we change the service type to ClusterIP for local deployment?

I assume that the question is related to the Service of type LoadBalancer that is created by the Helm chart. If you create a ClusterIP service, Traefik will only be reachable within the cluster and won't be able to accept any incoming request coming from outside your cluster. That’s why, in order to expose Traefik, you need to create a Service of type LoadBalancer that will be able to get an external IP from the cloud provider or from MetalLB (an externally managed load balancer). Another solution is to use port-forwarding; it might be fine, though. Having that configuration prepared, you can use all the advantages of Traefik working as Ingress for your cluster, such as name-based virtual hosts, TLS termination and many other features.
Alternatively, you can change the service type to NodePort; for testing / development purposes that seems to be a reasonable solution.

7. Will we cover an advanced part about the new Gateway API?

Here is a detailed explanation on how to test the new Kubernetes Gateway API, created by one of our teammates. Personally, I am very open to creating another workshop on that topic: https://traefik.io/blog/getting-started-with-traefik-and-the-new-kubernetes-gateway-api/ Please note that it is still an experimental feature. We are already implementing TCP and we are also working on more enhancements closely with the SIG.

8. Ingress vs IngressRoute? What’s better?

There is no right answer as to which is better. It depends on your configuration use case. IngressRoute provides more features, because not all of them are implemented as annotations for the standard Ingress. If you have more advanced topics to configure, e.g. ServerTransport, I would definitely go with IngressRoute.

On the other hand:

  • if you have any other Ingress controller already deployed, I would use the standard Ingress;
  • if you build your environment from scratch, I would use IngressRoute from the beginning.

9. How can we redirect http to HTTPS?

The HTTP -> HTTPS redirection can be managed manually using the RedirectScheme middleware at the router level, or globally on the entrypoint. It is demonstrated in https://github.com/jakubhajek/traefik-workshop/tree/master/exercise-8 and the middleware has been assigned in that example: https://github.com/jakubhajek/traefik-workshop/blob/4dc778d4bca02cde46eb4905c1eef88891e5503a/exercise-9/ingress-web.yaml#L7

Here you can see how it has been achieved using the CRD (IngressRoute): https://github.com/jakubhajek/traefik-workshop/blob/4dc778d4bca02cde46eb4905c1eef88891e5503a/exercise-12/ingresscrd-web.yaml#L15

Global redirection is described in our docs: https://doc.traefik.io/traefik/routing/entrypoints/#redirection
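Both variants side by side, as an added example that is not taken from the workshop repository linked above. The hostname web.example.internal and the Service name web are placeholders; the 8000/8443 addresses are the container ports mentioned in answer 14.

```yaml
# Router-level redirect: a RedirectScheme middleware attached to the plain-HTTP router.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-to-https
  namespace: default
spec:
  redirectScheme:
    scheme: https
    permanent: true        # 308 instead of 302, so clients cache the redirect
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: web-http
  namespace: default
spec:
  entryPoints:
    - web                  # bind to the HTTP entrypoint only
  routes:
    - match: Host(`web.example.internal`)   # placeholder hostname
      kind: Rule
      middlewares:
        - name: redirect-to-https
      services:
        - name: web        # placeholder backend Service; never reached, the redirect fires first
          port: 80
---
# Global alternative, in Traefik's static configuration (a separate file, traefik.yml):
# redirect on the entrypoint itself so every HTTP router is covered without per-route middleware.
# 8000 and 8443 are the container ports that the Helm chart maps to 80 and 443.
entryPoints:
  web:
    address: ":8000"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":8443"
```

With the global form in place, an IngressRoute bound to the web entrypoint no longer needs the middleware; the redirect happens before any router is evaluated.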

10. How does Istio integrate with Traefik?

If we understand the question correctly: you can use Istio as a service mesh and replace Istio's built-in ingress with Traefik Proxy. The Traefik deployment needs a custom annotation added in order to work correctly with Istio.

11. When will Traefik 2.x support Service Fabric (provider)?

In a future version of Traefik we are adding plugin support for providers. Here is the PR opened for that: traefik/traefik#7794 It means that you can add any provider, e.g. Service Fabric. There is also a Service Fabric plugin already available: https://github.com/dariopb/traefikServiceFabricPlugin The work is in progress, so it should be available soon. :)

12. How is the roadmap Traefik V1/V2 and how is the state of k3s integration?

Here you can find the current features that will be developed: https://github.com/traefik/traefik/projects/3 We also encourage you to have a look at our GitHub repository and filter issues by the label kind/proposal or kind/enhancement. Regarding K3S and Traefik, there is a PR open to have Traefik V2 added to K3S: k3s-io/k3s#2910. Adding more, Traefik together with K3S will be in space: https://www.suse.com/c/hypergiant-and-suse-rgs-taking-kubernetes-to-the-final-frontier/ :)

13. Is it possible to use persistence: True with horizontal pod autoscaler? In that way, I think you will have statefulset instead of deployment. If statefulset, how will certificates sync between Traefik instances?

This is a more complex topic than just considering StatefulSet vs Deployment. Storage is the smallest challenge in that respect. Currently, Traefik uses persistent storage for keeping issued certificates. Let’s leave the storage issues aside for a while and imagine that we have run more than one instance of Traefik, e.g. using HPA or manually scaled up. In that case, if we use Let’s Encrypt for our certificates, we can face a problem with the Let’s Encrypt challenge. That process validates that you control the domain names for which you are going to issue certificates. Let’s Encrypt servers ask you to prove that you are eligible to issue certificates, and there are a few ways to prove it. The process is initiated by one of the Traefik instances (the ACME client) by contacting the Let’s Encrypt server. The Let’s Encrypt server asks you to put a file in a specific location for the HTTP-01 challenge, or to prove that you are the owner during a TLS handshake on port 443 using the ALPN protocol, to validate that you are eligible to issue certificates.

The issue with those two approaches is that all of the servers, in our case all of the Traefik instances, need to answer with the same content.

This is solved in Traefik Enterprise by implementing a control plane.

An alternative solution is to use Traefik together with Cert Manager.

14. Why is the port still 80 on the HTTPS port?

Traefik opened container ports 8000 and 8443 for the entrypoints web and websecure. Those ports were mapped to 80 and 443 in the Service of type LoadBalancer. That setup was presented during the demo. I was using curl with the “-L” parameter, allowing curl to follow the redirect from HTTP to HTTPS.

15. Could you please add to Middlewares functionality like you have in plugin https://github.com/traefik/plugin-blockpath traefik/traefik#4812

This has been added to the backlog. However, there is an alternative solution with the Middleware ReplacePathPrefix traefik/traefik#4812 (comment) that should help achieve what you are asking for.

16. I am using the Traefik API "traefik.containo.us/v1alpha1" as the k8s ingress. Do you have any docs or references to convert ingressroute API "traefik.containo.us/v1alpha1" into the standardized k8s ingress API "networking.k8s.io/v1" you've shown earlier?

There is no automated tool for that; you have to do it manually. It also depends on how advanced your configuration is: V2 does not implement as many annotations as V1 did, while all of the features are available in the CRD. It all depends on how complex your configuration is. Would you please shed some light on why you are going to migrate from IngressRoute to the standard Ingress implementation?

17. How does it affect the GKE ingress with Traefik? (I’m not sure what this is saying but it may need to be reworded) Should we keep HTTP load balancing disabled on GKE cluster?

Please see the answer 6.

18. Can the backend be HTTPS so TLS can offload with middleware or re-encrypt?

If not specified otherwise, the communication between Traefik and the backend is done over HTTP. I think the question is related to the TLS passthrough feature that is offered in Traefik with TCP routers: https://doc.traefik.io/traefik/routing/routers/#passthrough One can also use ServerTransport to establish HTTPS between Traefik and the backend (mTLS).
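Both options as an added example, not from the original answer or the workshop repository: the re-encrypt path with the ServersTransport CRD (that is the CRD's spelling of the kind) referenced from an IngressRoute, and TLS passthrough with an IngressRouteTCP. Hostnames, Service names and Secret names are placeholders.

```yaml
# Option A: re-encrypt. Traefik terminates the client's TLS, then opens its own
# mutual-TLS connection to the backend, so HTTP middlewares still apply.
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: backend-mtls
  namespace: default
spec:
  serverName: api.default.svc.cluster.local   # name expected in the backend's certificate
  rootCAsSecrets:
    - backend-ca              # Secret with key ca.crt: CA that signed the backend cert
  certificatesSecrets:
    - traefik-client-cert     # kubernetes.io/tls Secret: Traefik's client cert and key
  insecureSkipVerify: false   # keep verification on; true would silently accept any cert
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: api-reencrypt
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`api.example.internal`)   # placeholder hostname
      kind: Rule
      services:
        - name: api                         # placeholder backend Service
          port: 8443
          scheme: https                 # HTTPS to the pods instead of the default HTTP
          serversTransport: backend-mtls
  tls: {}                               # Traefik terminates TLS with its own certificate
---
# Option B: TLS passthrough. Traefik routes on the SNI alone and never decrypts,
# so the backend's own certificate reaches the client and no HTTP middleware can run.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: legacy-passthrough
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: HostSNI(`legacy.example.internal`)   # placeholder hostname
      services:
        - name: legacy                            # placeholder backend Service
          port: 8443
  tls:
    passthrough: true
```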

19. How much would adding and tuning TLS headers affect host hardware performance?

If you tune HTTPS you need more compute. We don’t have any specific benchmarks; they are too complex and depend on many factors. The general answer is that if you tune by adding more cipher suites and more cryptographic algorithms, it can generate more CPU usage.

20. Do you have examples of using cert-manager without Let’s Encrypt? I want to use my internal CA and cert-manager to create the certificates.

I have found in the official Cert Manager documentation how to set up Cert Manager with your own CA: https://cert-manager.io/docs/configuration/ca/ Traefik integrates with Cert Manager as described in this repo: https://github.com/mmatur/traefik-cert-manager
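An added example of the CA-issuer setup the Cert Manager docs describe, wired into a Traefik IngressRoute; it is not from either linked repository. All resources are assumed to live in one namespace, and the CA Secret contents, hostname and Service name are placeholders. Because every Traefik replica just reads the same Secret, this also sidesteps the multi-instance ACME challenge problem from answer 13.

```yaml
# Your internal CA as a kubernetes.io/tls Secret (the CA key lives in-cluster; restrict RBAC on it).
apiVersion: v1
kind: Secret
metadata:
  name: internal-ca-keypair
type: kubernetes.io/tls
data:
  tls.crt: "<base64 of the CA certificate, placeholder>"
  tls.key: "<base64 of the CA private key, placeholder>"
---
# cert-manager Issuer that signs with that CA instead of contacting Let's Encrypt.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: internal-ca
spec:
  ca:
    secretName: internal-ca-keypair
---
# cert-manager writes the signed leaf certificate and key into Secret web-tls and
# renews it, so Traefik never has to answer an ACME challenge itself.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: web-tls
spec:
  secretName: web-tls
  issuerRef:
    name: internal-ca
    kind: Issuer
  dnsNames:
    - web.example.internal        # placeholder hostname
---
# IngressRoute that serves that Secret on the TLS entrypoint.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: web-https
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`web.example.internal`)
      kind: Rule
      services:
        - name: web               # placeholder backend Service
          port: 80
  tls:
    secretName: web-tls
```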

21. What about HA with Traefik, considering that it is BETA?

Traefik has been designed as a stateless application and can easily be scaled up manually or using the Horizontal Pod Autoscaler feature of Kubernetes. You can read more about it by downloading the whitepaper: https://traefik.io/blog/unleash-the-power-of-traefik-for-high-availability-load-balancing/

22. How do I access the dashboard once I set up Traefik on GKE using the operator? If it is installed standalone, the dashboard is accessed using <public_ip of LB>:8080/dashboard, but it does not work if installed using the operator. What do I do?

The Traefik dashboard is only exposed automatically on port 8080 when insecure is set in the static configuration.
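The two settings side by side, as an added example that is not from the original answer: the insecure static configuration that opens port 8080 without authentication, and the alternative that keeps insecure off and serves the dashboard through an IngressRoute on the TLS entrypoint behind a BasicAuth middleware. The hostname and the Secret contents are placeholders.

```yaml
# Insecure variant (static configuration, traefik.yml): exposes the dashboard and
# the API on port 8080 with no authentication. Suitable for a local demo only.
api:
  dashboard: true
  insecure: true
---
# Hardened variant, static configuration: keep insecure off (the default), so no 8080 entrypoint exists.
api:
  dashboard: true
  insecure: false
---
# ... and publish the dashboard through an IngressRoute on the TLS entrypoint
# behind BasicAuth. The Secret key "users" holds htpasswd-format "user:hash" lines.
apiVersion: v1
kind: Secret
metadata:
  name: dashboard-users
type: Opaque
stringData:
  users: "<htpasswd line, placeholder; generate with: htpasswd -nB admin>"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
spec:
  basicAuth:
    secret: dashboard-users
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.example.internal`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      middlewares:
        - name: dashboard-auth
      services:
        - name: api@internal       # Traefik's built-in API/dashboard service
          kind: TraefikService
  tls: {}
```

The dashboard is then reached at https://traefik.example.internal/dashboard/ (trailing slash) through the same LoadBalancer as the rest of the traffic, with no extra port opened.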
