Traefik

The Cloud Native Edge Router

28 March 2019

Rael Garcia

Systems Engineer at CAPSiDE

Traefik is an open-source Edge Router: it receives requests on behalf of your system and finds out which components are responsible for handling them.

Edge Router

Traefik is an Edge Router, which means that it is the door to your platform and that it intercepts and routes every incoming request: it knows all the logic and every rule that determines which services handle which requests (based on the path, the host, headers, and so on).

Auto Service Discovery

It automatically discovers the right configuration for your services. The magic happens when Traefik inspects your infrastructure, where it finds relevant information and discovers which service serves which request.


Dashboard

The dashboard is the central place that shows you the current active routes.

HTTPS & TLS


Features


Traefik 1.0 - Internal architecture

Traefik 1.0 Internals

Traefik 1.0 - Internal architecture

Entrypoints are the network entry points into Traefik: listening port, SSL, traffic redirection...

A frontend defines routes from entrypoints to backends.

Routes are created using request fields (Host, Path, Headers...) and either match a request or not.

A backend can be composed of one or more servers and of a load-balancing strategy.

Traefik 2.0 - Internal architecture

Traefik 2.0 Internals

Traefik 2.0 - Clear Responsibilities

IP, health, ...
ports, protocols, ...
host, path, headers, SSL, ...
load balancing, ...
authentication, rate limiting, headers, ...

Traefik 2.0 - Providers

Providers are the cluster technologies used as backend:

Providers only available in 1.0:


Traefik 2.0 - Configuration discovery

Traefik uses your provider’s API to discover the routes to your services.

Traefik 2.0 Providers Overview

Traefik 2.0 - Entrypoints

Entrypoints, in their most basic forms, are the open ports where requests will land.

Traefik 2.0 Routing Entrypoints

Traefik 2.0 - Routers

Routers connect incoming requests to your services.

Traefik 2.0 Routing Routers

Traefik 2.0 - Routers

Routers hold the rules that decide which service handles the request.


Traefik 2.0 - Middleware

Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service (or before the answers are sent to the clients).

Traefik 2.0 Middlewares

Traefik 2.0 - Middlewares

Middleware tool

Path Modifier

AddPrefix - Prefixing the Path

Traefik 2.0 - Middlewares

Request lifecycle

ErrorPage - It Has Never Been Easier to Say That Something Went Wrong

Traefik 2.0 - Middlewares

Request lifecycle

RateLimit - Protection from Too Many Calls

Traefik 2.0 - Middlewares

Security

Content

Headers - Adding Headers to the Request / Response

Services

Services represent the software hosted on your infrastructure.

Traefik 2.0 Routing Services

Traefik knows how to deal with multiple instances of your programs and uses the services configuration to determine how to reach the actual program.

Traefik 2.0 - TCP Support

Closes the GitHub Issue #10 - TCP support

Traefik 2.0 TCP Routers

Supports routing based on SNIs and multiple protocols in the same entrypoint


New in 2.0 - TCP Support

[entrypoints]
  [entrypoints.the-one]
    address = ":443"

[tcp]
  [tcp.routers]
    [tcp.routers.to-db-1]
      rule = "HostSNI(`db-1.domain`)"
      service = "db-1"
      [tcp.routers.to-db-1.tls] # The route is for TLS requests only

    [tcp.routers.to-db-2]
      entrypoints = ["mongo-port"]
      rule = "HostSNI(`db-2.domain`)"
      service = "db-2"
      [tcp.routers.to-db-2.tls] # The route is for TLS requests only

[http]
  [http.routers]
    [http.routers.my-api]
      rule = "Host(`api.domain`)"
      service = "my-api"

New in 2.0 - Kubernetes Custom Resource Definition (CRD)

The Traefik Kubernetes provider used to be a Kubernetes Ingress controller: it managed access to a cluster's services by supporting the Ingress specification and was configured using annotations (lots of them in some situations).

The Traefik Kubernetes IngressRoute (CRD) expands upon the functionality of the Ingress API, extending the specification to implement every Traefik feature.

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us

spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
The Kubernetes Ingress Controller, The Custom Resource Way.

New in 2.0 - Kubernetes Custom Resource Definition (CRD)

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test.crd
spec:
  entrypoints: [ web, web-secure ]
  routes:
    - match: Host(`traefik.io`) && PathPrefix(`/foo`)
      kind: Rule
      services:
        - name: whoami1
          port: 80
          strategy: RoundRobin
      middlewares:
        - name: stripprefix
    - match: Host(`containo.us`) && Method(`POST`)
      kind: Rule
      services:
        - name: whoami2
          port: 80
  tls:
    secretName: supersecret
The Kubernetes Ingress Controller, The Custom Resource Way.

New in 2.0 - New Expressive Routing Rule Syntax

An expressive syntax to define the router rules, with and, or, and parentheses!

Traefik 2.0 Routers Rules

The available matchers being Headers, HeadersRegexp, Host, HostRegexp, Method, Path, PathPrefix, and Query. Since TCP is a whole different world, for now, it only supports a dedicated matcher: HostSNI.

rule = (Host(`api.domain`) && PathPrefix(`/v2`)) || Host(`api-v2.domain`)
rule = (Method(`DELETE`) || (Method(`POST`) && Query(`action`, `delete`))) && Host(`api.domain`)
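A small evaluator for the two rules above, useful for checking which requests a rule admits before it is deployed. It is an added example in Python, not Traefik's parser or code from the talk: it implements only Host, Method, PathPrefix and Query with simplified semantics, accepts only backtick-quoted values, and assumes && binds tighter than ||; `tokenize`, `matches`, `RULE` and `SAMPLE` are names made up here.

```python
import re

# Token: a matcher call such as Host(`a.b`), an operator (&& or ||) or a parenthesis.
TOKEN = re.compile(r"\s*(?:(\w+)\(((?:\s*`[^`]*`\s*,?)+)\)|(&&|\|\||[()]))")
# Only the matchers the page's two rules use; their semantics here are simplified assumptions.
MATCHERS = {
    "Host": lambda req, a: req["host"].lower() in [h.lower() for h in a],
    "Method": lambda req, a: req["method"] in a,
    "PathPrefix": lambda req, a: any(req["path"].startswith(p) for p in a),
    "Query": lambda req, a: req["query"].get(a[0]) == a[1],
}

def tokenize(rule):
    rule, pos, out = rule.strip(), 0, []
    while pos < len(rule):
        m = TOKEN.match(rule, pos)
        if not m:  # for example a value quoted with ' instead of backticks
            raise ValueError(f"cannot parse rule at offset {pos}: {rule[pos:]!r}")
        out.append((m.group(1), re.findall(r"`([^`]*)`", m.group(2))) if m.group(1) else m.group(3))
        pos = m.end()
    return out

def matches(rule, req):
    """Evaluate rule against req; assumes && binds tighter than ||."""
    toks = tokenize(rule) + [None]  # None marks the end of input
    def atom():
        t = toks.pop(0)
        if t == "(":
            v = or_expr()
            if toks.pop(0) != ")":
                raise ValueError("missing closing parenthesis")
            return v
        if isinstance(t, tuple) and t[0] in MATCHERS:
            return MATCHERS[t[0]](req, t[1])
        raise ValueError(f"unexpected token {t!r}")
    def chain(operand, op, combine):
        v = operand()
        while toks[0] == op:
            toks.pop(0)
            v = combine(operand(), v)  # the right operand is always parsed
        return v
    and_expr = lambda: chain(atom, "&&", lambda a, b: a and b)
    or_expr = lambda: chain(and_expr, "||", lambda a, b: a or b)
    result = or_expr()
    if toks != [None]:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return result

# Constructed sample request (not from the page): a GET carrying action=delete.
RULE = "(Method(`DELETE`) || (Method(`POST`) && Query(`action`, `delete`))) && Host(`api.domain`)"
SAMPLE = {"host": "api.domain", "method": "GET", "path": "/items/7", "query": {"action": "delete"}}
```

`matches(RULE, SAMPLE)` is false because the Query matcher only counts together with `Method(`POST`)`; a rule whose value is quoted with `'` raises `ValueError` instead of silently matching nothing.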

New in 2.0 - Cross-Provider Support

Elements (middlewares, services, routers) can be declared in one provider and used from a different one.

Traefik 2.0 Providers

New in 2.0 - Cross-Provider Support

Declare an authentication middleware in a configuration file...

[http.middlewares.my-users.basicauth]
  users = ["test:$apr1$H6uskkkW$IgXLP6ewTrSuBkTrqE8wj/",
          "test2:$apr1$d9hr9HBB$4HxwgUir3HP4EsggP/QNo0"]
Somewhere in a configuration file for the File provider

...and use it from a Docker label:

your-container:
    image: your-docker-image
    labels:
      - "traefik.http.routers.my-router.middlewares=file.my-users"
Somewhere in a Docker Compose file, used by the Docker provider

New in 2.0 - TLS Termination per Route

TLS termination or passthrough is configured at the router level.

Traefik 2.0 Routers TLS

New in 2.0 - TLS Termination per Route

[entrypoints]
  [entrypoints.web-secure]
    address = ":443"

[http]
  [http.routers.to-service-1]
    rule = "Host(`domain-1`)"
    service = "service-1"
    [http.routers.to-service-1.tls]
      # terminates the tls connection and sends clear data to service 1

[tcp]
  [tcp.routers.to-service-2]
    rule = "HostSNI(`domain-2`)"
    service = "service-2"
    [tcp.routers.to-service-2.tls]
      # terminates the tls connection and sends clear data to service 2

  [tcp.routers.to-service-3]
    rule = "HostSNI(`domain-3`)"
    service = "service-3"
    [tcp.routers.to-service-3.tls]
      passthrough = true # sends encrypted data "as is" to service-3

New in 2.0 - A lot more coming

Full changelog at github.com/containous/traefik/blob/master/CHANGELOG.md


Credits, sources and more information


Docker Demo


Kubernetes Demo


Thank you

Rael Garcia

Systems Engineer at CAPSiDE
