@jakubhajek
Last active October 1, 2021 19:06
Advanced Load Balancing with Traefik 2.5 - Q&A

Advanced Load Balancing with Traefik 2.5

Traefik Workshop #2, Q&A. September 30, 2021

In the case of Canary or Mirroring, what if the two apps were in different clusters instead?

Progressive deployment, also called Canary deployment, can be achieved between two separate clusters. I would recommend doing that with Weighted Round Robin load balancing combined with nested health checks. Please note that this is available only as dynamic configuration provided via the File provider.


Is the Traefik Proxy running inside or outside k8s? And how can you scale this if needed (for a huge amount of incoming traffic for instance)?

Traefik Proxy is running inside the Kubernetes cluster, and you can scale it up by running more replicas. Please be warned that simply scaling up while using our Let's Encrypt integration might cause problems because of the shared persistent volume. If you don’t use that feature, you should not have any issues. We also have a distributed Let's Encrypt solution in Traefik Enterprise.


There is a cool feature like HPA, could you please explain a bit more about it?

HPA (Horizontal Pod Autoscaler) is a built-in feature of Kubernetes. It uses metrics such as CPU usage, memory usage and custom metrics to decide whether to scale up or scale down. This is only a general description, and I encourage you to see the official docs for that feature. Traefik can also work with it; there is already a preconfigured setup in the Traefik Helm Chart to achieve this: https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml#L354. Please note that it won’t work correctly if you enable persistence.


Stickiness only works using cookies ATM. Our app is embedded in an iframe and we don't have access to the embedding page so that we can set the cookie from the parent page. This breaks stickiness in Safari. Is there support for IP-based stickiness?

Not yet, but there is already an issue with ongoing discussions on the implementation details for IP-based stickiness: traefik/traefik#1035. I encourage you to follow it or jump in to explain your use case and requirements.


Can you mix kubernetesCRD provider and file provider in one Traefik deployment?

Yes, absolutely. You can have multiple providers enabled at the same time, e.g. KubernetesCRD and the File provider. How to manage that was presented in the last example, while showing nested health checks.


Can nested health checks also be configured via TraefikService resources?

Unfortunately no. The nested health check is only available via the File provider. We are working on implementing that as a TraefikService feature.
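The canary setup between two clusters recommended in the first answer, written as File provider dynamic configuration with nested health checks. This is an added example, not taken from the workshop repository; the hostnames, service names, health-check path and weights are assumptions chosen for illustration.

```yaml
# Dynamic configuration loaded by the File provider (added example).
# Hostnames, service names, the /health path and the 9:1 split are
# illustrative assumptions, not values from the workshop.
http:
  routers:
    app:
      rule: "Host(`app.example.com`)"
      service: app-canary

  services:
    # Parent service: Weighted Round Robin across the two clusters.
    app-canary:
      weighted:
        # An empty healthCheck enables nested health checks: the status of
        # the child services is propagated up to this weighted service.
        healthCheck: {}
        services:
          - name: cluster-stable
            weight: 9
          - name: cluster-canary
            weight: 1

    # Child service: current release, running in the first cluster.
    cluster-stable:
      loadBalancer:
        healthCheck:
          path: /health
          interval: 10s
          timeout: 3s
        servers:
          - url: "https://stable.cluster-a.example.com/"

    # Child service: canary release, running in the second cluster.
    cluster-canary:
      loadBalancer:
        healthCheck:
          path: /health
          interval: 10s
          timeout: 3s
        servers:
          - url: "https://canary.cluster-b.example.com/"
```

When every server of a child service fails its health check, the weighted parent stops routing to that child, so a broken canary cluster drops out of rotation without manual intervention.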


Not about load-balancing, but... Is there a way to do a dynamic IP blacklist similar to fail2ban?

You can use one of the plugins, called Fail2Ban, that is available at pilot.traefik.io: https://github.com/tomMoulard/fail2ban. Is this what you are looking for? Let us know.


Isn’t it possible to use access mode ReadWriteMany for ACME persistence and share the PVC?

No, it won’t work. And although we’re working on adding support for Kubernetes secrets, it would still not solve all problems for running a distributed LE environment.


How to add a response security header on Traefik?

Adding security headers was presented in the first workshop; please see the link to the repository: https://github.com/jakubhajek/traefik-workshop/blob/master/exercise-12/ingresscrd-websecure.yaml#L50

