Traefik Ingress Operator for Kubernetes

  • By Canonical Observability
Channel           Revision  Published    Runs on
latest/stable     129       11 Sep 2023  Ubuntu 20.04
latest/candidate  148       11 Sep 2023  Ubuntu 20.04
latest/beta       148       11 Sep 2023  Ubuntu 20.04
latest/edge       156       29 Sep 2023  Ubuntu 20.04
1.0/stable        129       11 Sep 2023  Ubuntu 20.04
1.0/candidate     148       11 Sep 2023  Ubuntu 20.04
1.0/beta          148       11 Sep 2023  Ubuntu 20.04
1.0/edge          148       11 Sep 2023  Ubuntu 20.04

juju deploy traefik-k8s

By default, the traefik charm configures Traefik to accept both HTTP and HTTPS traffic. To force an HTTP-to-HTTPS redirect, you need to modify the requirer charm’s code.

This feature was introduced in revision 127 (PR#178).

Pack a charm with HTTPS redirection enabled

Let’s take alertmanager for example. It already imports and uses ingress per app:

from charms.traefik_k8s.v1.ingress import IngressPerAppRequirer

# --snip--

        self.ingress = IngressPerAppRequirer(
            self, port=self.api_port
        )

All you need to do is add another constructor argument:

        self.ingress = IngressPerAppRequirer(
            self, port=self.api_port, redirect_https=True
        )

Set up a tls demo model

Deploy traefik, alertmanager and self-signed-certificates, similar to how it is described in the “TLS termination using a local ca” tutorial.

Detailed juju commands for setup:

# Your locally built charm with the new constructor arg
juju deploy ./alertmanager-k8s_ubuntu-20.04-amd64.charm alertmanager --resource alertmanager-image=ubuntu/prometheus-alertmanager:0.23-22.04_beta

# All the rest from charmhub
juju deploy --channel=edge traefik-k8s traefik --config external_hostname=demo.local
juju deploy --channel=edge self-signed-certificates ca

juju relate traefik ca
juju relate alertmanager traefik

juju show-unit --format json traefik/0 \
  | jq -r '."traefik/0"."relation-info"[0]."application-data".certificates' \
  | jq -r '.[0].certificate' > /tmp/local.cert

Verification

After relating the charms and storing the certificate locally, you should see a 301 Moved Permanently when you try to curl port 80:

$ TRAEFIK_IP=$(\
  juju status --format json traefik \
  | jq -r ".applications.traefik.address"\
)

$ curl http://$TRAEFIK_IP/tls-demo-alertmanager/-/ready
Moved Permanently

Or, similarly,

$ curl --resolve "demo.local:80:$TRAEFIK_IP" \
   http://demo.local:80/tls-demo-alertmanager/-/ready
Moved Permanently

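With -L, curl follows the redirect, and with the certificate saved earlier passed via --cacert it should be able to reach the endpoint, even though the URL it starts from is http and not https: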

$ curl -L \
     --fail-with-body \
     --capath /tmp \
     --cacert /tmp/local.cert \
     http://demo.local/tls-demo-alertmanager/-/ready
OK

If you’re using the demo.local example, you may need to temporarily add Traefik’s IP to /etc/hosts to have curl match the cert when following the redirect:

$ cat /etc/hosts  
# --snip--
10.43.8.34 demo.local  # $TRAEFIK_IP
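
The 301 check above can be turned into a pass/fail test that also confirms the redirect stays on the expected host and path. This is an added example, not part of the charm or the original page; the function name and the sample responses are constructed for illustration, and it assumes the Location header is an absolute https:// URL without an explicit port.

```shell
#!/bin/sh
# Added example. Reads HTTP response headers on stdin and succeeds only if they
# are a permanent redirect to https:// on the expected host and path.
# Usage: check_https_redirect HOST PATH < headers
check_https_redirect() {
  want_host=$1; want_path=$2; status=; location=
  while IFS= read -r line; do
    line=$(printf '%s' "$line" | tr -d '\r')        # strip CR from CRLF
    case $line in
      HTTP/*) status=$(printf '%s\n' "$line" | awk '{print $2}') ;;
      [Ll]ocation:*) location=$(printf '%s\n' "${line#*:}" | sed 's/^[[:space:]]*//') ;;
    esac
  done
  case $status in
    301|308) ;;                                      # permanent redirects only
    *) echo "FAIL: status ${status:-none} is not a permanent redirect"; return 1 ;;
  esac
  case $location in
    "https://$want_host$want_path") echo "OK: $status -> $location" ;;
    https://*) echo "FAIL: redirect goes elsewhere: $location"; return 1 ;;
    *) echo "FAIL: Location is not https: ${location:-missing}"; return 1 ;;
  esac
}

# Constructed sample responses (not captured from a real deployment).
sample_redirect() {
  printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://demo.local/tls-demo-alertmanager/-/ready\r\n\r\n'
}
sample_served_over_http() {
  printf 'HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n'
}
sample_wrong_host() {
  printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://other.example/tls-demo-alertmanager/-/ready\r\n\r\n'
}

sample_redirect | check_https_redirect demo.local /tls-demo-alertmanager/-/ready
sample_served_over_http | check_https_redirect demo.local /tls-demo-alertmanager/-/ready || true
sample_wrong_host | check_https_redirect demo.local /tls-demo-alertmanager/-/ready || true

# Against the live demo model (needs TRAEFIK_IP as set in the verification steps):
#   curl -s -o /dev/null -D - --resolve "demo.local:80:$TRAEFIK_IP" \
#     http://demo.local/tls-demo-alertmanager/-/ready \
#     | check_https_redirect demo.local /tls-demo-alertmanager/-/ready
```

A 200 on port 80 means the application is still being served in cleartext, so the check fails on anything other than a permanent redirect to the same host over https.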
