Traefik
The Cloud Native Edge Router
28 March 2019
Rael Garcia
Systems Engineer at CAPSiDE
Traefik is an open-source Edge Router: it receives requests on behalf of your system and finds out which components are responsible for handling them.
Traefik is an Edge Router, which means that it is the door to your platform and that it intercepts and routes every incoming request: it knows all the logic and every rule that determines which services handle which requests (based on the path, the host, headers, and so on).
It automatically discovers the right configuration for your services. The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request.
The dashboard is the central place that shows you the currently active routes.
Entrypoints are the network entry points into Traefik: listening port, SSL, traffic redirection...
A frontend defines routes from entrypoints to backends.
Routes are created using request fields (Host, Path, Headers...) and may or may not match a given request.
A backend can be composed of one or more servers, plus a load-balancing strategy.
Diagram labels (what each building block configures): IP, health, ...; ports, protocols, ...; host, path, headers, SSL, ...; load balancing, ...; authentication, rate limiting, headers, ...
Providers are the cluster technologies used as backend:
Providers only available in 1.0:
Traefik uses your provider’s API to discover the routes to your services.
Entrypoints, in their most basic forms, are the open ports where requests will land.
Routers connect incoming requests to your services.
Routers hold the rules that decide which service handles the request.
Attached to the routers, pieces of middleware are a means of tweaking requests before they are sent to your service (or responses before they are sent back to the clients).
Middleware categories (diagram): Path Modifier, Request lifecycle, Security, Content.
Services represent the software hosted on your infrastructure.
Traefik knows how to deal with multiple instances of your programs and uses the service configuration to determine how to reach the actual program.
Closes GitHub Issue #10 - TCP support
Supports routing based on SNI, and multiple protocols on the same entrypoint:

```toml
[entrypoints]
  [entrypoints.the-one]
    address = ":443"

[tcp]
  [tcp.routers]
    [tcp.routers.to-db-1]
      rule = "HostSNI(`db-1.domain`)"
      service = "db-1"
      [tcp.routers.to-db-1.tls]  # The route is for TLS requests only
    [tcp.routers.to-db-2]
      entrypoints = ["mongo-port"]
      rule = "HostSNI(`db-2.domain`)"
      service = "db-2"
      [tcp.routers.to-db-2.tls]  # The route is for TLS requests only

[http]
  [http.routers]
    [http.routers.my-api]
      rule = "Host(`api.domain`)"
      service = "my-api"
```
The Traefik Kubernetes provider used to be a Kubernetes Ingress controller: it managed access to cluster services by supporting the Ingress specification, and it was configured using annotations (lots of them in some situations).
The Traefik Kubernetes IngressRoute (CRD) expands upon the functionality of the Ingress API, extending the specification to implement every Traefik feature.
```yaml
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
```

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test.crd
spec:
  entrypoints: [ web, web-secure ]
  routes:
    - match: Host(`traefik.io`) && PathPrefix(`/foo`)
      kind: Rule
      services:
        - name: whoami1
          port: 80
          strategy: RoundRobin
      middlewares:
        - name: stripprefix
    - match: Host(`containo.us`) && Method(`POST`)
      kind: Rule
      services:
        - name: whoami2
          port: 80
  tls:
    secretName: supersecret
```
An expressive syntax to define the router rules, with and, or, and parentheses!
The available matchers are Headers, HeadersRegexp, Host, HostRegexp, Method, Path, PathPrefix, and Query. Since TCP is a whole different world, for now it only supports a dedicated matcher: HostSNI.
```toml
rule = "(Host(`api.domain`) && PathPrefix(`/v2`)) || Host(`api-v2.domain`)"
rule = "(Method(`DELETE`) || (Method(`POST`) && Query(`action`, `delete`))) && Host(`api.domain`)"
```
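An added example (not from the slides, and not Traefik's own rule parser) of how a rule in the syntax above can be evaluated: a tokenizer plus a recursive-descent evaluator for the matcher list, assuming backtick-quoted arguments and a plain dict for the request; MATCHERS, tokenize and evaluate are names chosen here.

```python
import re

# Each matcher named on the slide, evaluated against a plain request dict (host, path, method, headers, query).
MATCHERS = {
    "Host":          lambda r, a: r["host"] == a[0],
    "HostRegexp":    lambda r, a: re.fullmatch(a[0], r["host"]) is not None,
    "Path":          lambda r, a: r["path"] == a[0],
    "PathPrefix":    lambda r, a: r["path"].startswith(a[0]),
    "Method":        lambda r, a: r["method"] == a[0],
    "Headers":       lambda r, a: r["headers"].get(a[0]) == a[1],
    "HeadersRegexp": lambda r, a: re.fullmatch(a[1], r["headers"].get(a[0], "")) is not None,
    "Query":         lambda r, a: r["query"].get(a[0]) == a[1],
}
# A token is an operator or parenthesis, or Name(`arg`, `arg`) with backtick-quoted arguments.
TOKEN = re.compile(r"\s*(?:(&&|\|\||[()])|(\w+)\(((?:\s*`[^`]*`\s*,?)*)\))")

def tokenize(rule):
    """Split a rule into "&&", "||", "(", ")" strings and (name, [args]) matcher tuples."""
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if not m: raise ValueError(f"cannot parse rule near {rule[pos:]!r}")
        tokens.append(m.group(1) or (m.group(2), re.findall(r"`([^`]*)`", m.group(3))))
        pos = m.end()
    return tokens

def evaluate(rule, req):
    """Recursive descent over the tokens: parentheses group and && binds tighter than ||."""
    toks = tokenize(rule) + ["$"]                  # "$" marks the end of input
    def atom():
        t = toks.pop(0)
        if t == "(":
            v = expr()
            if toks.pop(0) != ")": raise ValueError("unbalanced parentheses")
            return v
        if not isinstance(t, tuple) or t[0] not in MATCHERS:
            raise ValueError(f"unexpected token {t!r}")
        return MATCHERS[t[0]](req, t[1])
    def term():                                    # chain of && (both sides are always evaluated)
        v = atom()
        while toks[0] == "&&":
            toks.pop(0); v = atom() and v
        return v
    def expr():                                    # chain of ||
        v = term()
        while toks[0] == "||":
            toks.pop(0); v = term() or v
        return v
    result = expr()
    if toks != ["$"]: raise ValueError("trailing tokens in rule")
    return result
```

A malformed rule raises ValueError instead of silently matching nothing, which is the behaviour you want from anything that decides which service sees a request.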
Elements (middlewares, services, routers) can be declared in one provider and used from a different one.
Declare an authentication middleware in a configuration file...
```toml
[http.middlewares.my-users.basicauth]
  users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/", "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
```
...and use it from a Docker label:
```yaml
your-container:
  image: your-docker-image
  labels:
    - "traefik.http.routers.my-router.middlewares=file.my-users"
```
TLS termination or passthrough configuration is enabled on the Router level.
```toml
[entrypoints]
  [entrypoints.web-secure]
    address = ":443"

[http]
  [http.routers.to-service-1]
    rule = "Host(`domain-1`)"
    service = "service-1"
    [http.routers.to-service-1.tls]  # terminates the tls connection and sends clear data to service 1

[tcp]
  [tcp.routers.to-service-2]
    rule = "HostSNI(`domain-2`)"
    service = "service-2"
    [tcp.routers.to-service-2.tls]  # terminates the tls connection and sends clear data to service 2
  [tcp.routers.to-service-3]
    rule = "HostSNI(`domain-3`)"
    service = "service-3"
    [tcp.routers.to-service-3.tls]
      passthrough = true  # sends encrypted data "as is" to service-3
```
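What the HostSNI routing of the TCP section and the passthrough setting above rely on: the server name travels in the clear in the first TLS record, so a router can pick a service without holding the certificate key. This is an added example, not code from the slides or from Traefik; build_client_hello, extract_sni, route_tcp and the SNI_ROUTES table are names chosen here, and the ClientHello bytes are constructed.

```python
import struct

def build_client_hello(server_name=None):
    """Constructed demo input (not a capture): a minimal TLS 1.2 ClientHello, with an SNI extension if a name is given."""
    ext = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        name_list = b"\x00" + struct.pack("!H", len(host)) + host            # name_type 0 = host_name
        sni_ext = struct.pack("!HHH", 0, len(name_list) + 2, len(name_list)) + name_list  # ext type 0 = server_name
        ext = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                              # version, fixed "random", empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                               # one cipher suite
            + b"\x01\x00" + ext)                                               # null compression only, then extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body                  # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake     # record type 0x16 = handshake

def extract_sni(data):
    """Return the server_name from a ClientHello, or None for non-TLS bytes, a non-ClientHello, or no SNI."""
    try:
        if data[0] != 0x16:                                   # not a TLS handshake record (e.g. plaintext HTTP)
            return None
        hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if hs[0] != 0x01:                                     # not a ClientHello
            return None
        p = 4 + 2 + 32                                        # handshake header, client_version, random
        p += 1 + hs[p]                                        # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]          # cipher_suites
        p += 1 + hs[p]                                        # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]     # end of the extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if etype == 0:                                    # server_name: list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack("!H", hs[p + 3:p + 5])[0]
                name = hs[p + 5:p + 5 + name_len]
                return name.decode("ascii") if len(name) == name_len else None
            p += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None                                           # truncated or malformed input must never raise

# Constructed router table mirroring the slide's HostSNI rules: SNI -> service.
SNI_ROUTES = {"db-1.domain": "db-1", "db-2.domain": "db-2"}

def route_tcp(first_bytes, routes=SNI_ROUTES):
    """Service a HostSNI router would pick from the first bytes of a connection; None if nothing matches."""
    sni = extract_sni(first_bytes)
    return routes.get(sni) if sni is not None else None
```

With passthrough the bytes are forwarded unchanged after this peek, so the backend still terminates TLS itself and the router never sees plaintext.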
Full changelog at github.com/containous/traefik/blob/master/CHANGELOG.md
blog.containo.us/back-to-traefik-2-0-2f9aa17be305