Traefik Ingress Operator for Kubernetes
- By Canonical Observability
| Channel | Revision | Published | Runs on |
|---|---|---|---|
| latest/stable | 129 | 11 Sep 2023 | |
| latest/candidate | 148 | 11 Sep 2023 | |
| latest/beta | 148 | 11 Sep 2023 | |
| latest/edge | 156 | 29 Sep 2023 | |
| 1.0/stable | 129 | 11 Sep 2023 | |
| 1.0/candidate | 148 | 11 Sep 2023 | |
| 1.0/beta | 148 | 11 Sep 2023 | |
| 1.0/edge | 148 | 11 Sep 2023 |
juju deploy traefik-k8s
You will need Juju 2.9 to be able to run this command. Learn how to upgrade to Juju 2.9.
Deploy Kubernetes operators easily with Juju, the Universal Operator Lifecycle Manager. Need a Kubernetes cluster? Install MicroK8s to create a full CNCF-certified Kubernetes system in under 60 seconds.
Platform:
By default, the traefik charm sets up traefik in a way that allows both HTTP and HTTPS access. To force HTTPS redirect, you need to modify the requirer charm’s code.
This feature was introduced in revision 127 (PR#178).
Pack a charm with HTTPS redirection enabled
Let’s take alertmanager for example. It already imports and uses ingress per app:
from charms.traefik_k8s.v1.ingress import IngressPerAppRequirer
# --snip--
self.ingress = IngressPerAppRequirer(
self, port=self.api_port
)
All you need to do is add another constructor argument:
self.ingress = IngressPerAppRequirer(
self, port=self.api_port, redirect_https=True
)
Set up a tls demo model
Deploy traefik, alertmanager and self-signed-certificates, similar to how it is described in the “TLS termination using a local ca” tutorial.
Detailed juju commands for setup
# Your locally built charm with the new constructor arg
juju deploy ./alertmanager-k8s_ubuntu-20.04-amd64.charm alertmanager --resource alertmanager-image=ubuntu/prometheus-alertmanager:0.23-22.04_beta
# All the rest from charmhub
juju deploy --channel=edge traefik-k8s traefik --config external_hostname=demo.local
juju deploy --channel=edge self-signed-certificates ca
juju relate traefik ca
juju relate alertmanager traefik
juju show-unit --format json traefik/0 \
| jq -r '."traefik/0"."relation-info"[0]."application-data".certificates' \
| jq -r '.[0].certificate' > /tmp/local.cert
Verification
After relating the charms and storing the certificate locally, you should see a 301 Moved Permanently when you try to curl port 80:
$ TRAEFIK_IP=$(\
juju status --format json traefik \
| jq -r ".applications.traefik.address"\
)
$ curl http://$TRAEFIK_IP/tls-demo-alertmanager/-/ready
Moved Permanently
Or, similarly,
$ curl --resolve "demo.local:80:$TRAEFIK_IP" \
http://demo.local:80/tls-demo-alertmanager/-/ready
Moved Permanently
And now curl should be able to reach the endpoint, even though it’s http and not https:
$ curl -L \
--fail-with-body \
--capath /tmp \
--cacert /tmp/local.cert \
http://demo.local/tls-demo-alertmanager/-/ready
OK
If you’re using the demo.local example, you may need to temporarily add Traefik’s IP to /etc/hosts to have curl match the cert when following the redirect:
$ cat /etc/hosts
# --snip--
10.43.8.34 demo.local # $TRAEFIK_IP
Help us improve this documentation
Most of this documentation can be collaboratively discussed and changed on the respective topic in the doc category of the Charmhub forum. See the documentation guidelines if you’d like to contribute.