traefik
Introduction
Traefik is used as the ingress controller for the cluster. To allow more flexible configurations, I disabled the built-in Traefik installation of K3s using their configuration file (which is provisioned using Ansible) and installed it separately with a custom HelmRelease found in this Namespace.
Traefik provides a custom resource definition IngressRoute for routing ingress traffic from the outside world to Service objects inside the cluster. Additionally, Traefik provides a custom resource definition to implement Middleware objects, which allow you to modify the requests and responses of your ingress objects.
Example of kind IngressRoute
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
  namespace: authelia
spec:
  entryPoints:
    - https
  routes:
    - kind: Rule
      match: Host(`auth.${DOMAIN_INTERNAL}`)
      services:
        - kind: Service
          name: authelia
          namespace: authelia
          port: 80
      middlewares:
        - name: security
          namespace: traefik
  tls:
    secretName: auth.${DOMAIN_INTERNAL}
Example of kind Middleware
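An added illustration, not this repository's own manifest: a `headers` Middleware that could back the `security` reference used by the IngressRoute above. The name and namespace are taken from that reference; every header value is an assumption chosen for the example.

```yaml
# Constructed example: response-hardening headers applied to every route
# that lists this Middleware under `middlewares`.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: security        # matches `middlewares[].name` in the IngressRoute
  namespace: traefik    # matches `middlewares[].namespace` in the IngressRoute
spec:
  headers:
    # Strict-Transport-Security: max-age=31536000; includeSubDomains
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    # Emit the STS header even if the request reached Traefik over plain HTTP
    forceSTSHeader: true
    # X-Content-Type-Options: nosniff
    contentTypeNosniff: true
    # X-Frame-Options: DENY
    frameDeny: true
    # Referrer-Policy: same-origin
    referrerPolicy: same-origin
    # Any extra response header can be set explicitly (assumed value)
    customResponseHeaders:
      X-Robots-Tag: noindex, nofollow
# The IngressRoute lives in namespace `authelia` while this Middleware lives
# in `traefik`. Traefik's kubernetesCRD provider resolves such cross-namespace
# references only when `allowCrossNamespace` is enabled (it is off by
# default); otherwise the route is rejected and the Traefik log reports the
# reference as not allowed.
```

Keeping `allowCrossNamespace` enabled means any namespace that can create IngressRoute objects can reference Middleware and Service objects in other namespaces, so who may create those resources should be restricted with RBAC.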
The Traefik dashboard is enabled and needs to be accessible by domain. This Kustomization creates the required resources for that. It also creates a ServiceMonitor for the Prometheus Operator to pick up and monitor the Traefik instance.
Created Resources
Kind | Name |
---|---|
Namespace | traefik |
HelmRelease | traefik |
Service | traefik-metrics |
Certificate | traefik.${DOMAIN_INTERNAL} |
IngressRoute | dashboard |
ServiceMonitor | traefik |