Traefik Ingress Operator for Kubernetes
- Canonical Observability
Channel | Revision | Published | Runs on |
---|---|---|---|
latest/stable | 203 | 03 Dec 2024 | |
latest/candidate | 218 | 03 Dec 2024 | |
latest/beta | 223 | 03 Dec 2024 | |
latest/edge | 224 | 04 Dec 2024 | |
1.0/stable | 164 | 16 Feb 2024 | |
1.0/candidate | 164 | 22 Nov 2023 | |
1.0/beta | 164 | 22 Nov 2023 | |
1.0/edge | 164 | 22 Nov 2023 |
juju deploy traefik-k8s --channel 1.0/candidate
Deploy Kubernetes operators easily with Juju, the Universal Operator Lifecycle Manager. Need a Kubernetes cluster? Install MicroK8s to create a full CNCF-certified Kubernetes system in under 60 seconds.
Platform:
By default, the traefik charm sets up traefik in a way that allows both HTTP and HTTPS access. To force HTTPS redirect, you need to modify the requirer charm’s code.
This feature was introduced in revision 127 (PR#178).
Pack a charm with HTTPS redirection enabled
Let’s take alertmanager for example. It already imports and uses ingress per app:
from charms.traefik_k8s.v1.ingress import IngressPerAppRequirer
# --snip--
self.ingress = IngressPerAppRequirer(
self, port=self.api_port
)
All you need to do is add another constructor argument:
self.ingress = IngressPerAppRequirer(
self, port=self.api_port, redirect_https=True
)
Set up a tls demo model
Deploy traefik, alertmanager and self-signed-certificates, similar to how it is described in the “TLS termination using a local ca” tutorial.
Detailed juju commands for setup
# Your locally built charm with the new constructor arg
juju deploy ./alertmanager-k8s_ubuntu-20.04-amd64.charm alertmanager --resource alertmanager-image=ubuntu/prometheus-alertmanager:0.23-22.04_beta
# All the rest from charmhub
juju deploy --channel=edge traefik-k8s traefik --config external_hostname=demo.local
juju deploy --channel=edge self-signed-certificates ca
juju relate traefik ca
juju relate alertmanager traefik
juju show-unit --format json traefik/0 \
| jq -r '."traefik/0"."relation-info"[0]."application-data".certificates' \
| jq -r '.[0].certificate' > /tmp/local.cert
Verification
After relating the charms and storing the certificate locally, you should see a 301 Moved Permanently
when you try to curl port 80:
$ TRAEFIK_IP=$(\
juju status --format json traefik \
| jq -r ".applications.traefik.address"\
)
$ curl http://$TRAEFIK_IP/tls-demo-alertmanager/-/ready
Moved Permanently
Or, similarly,
$ curl --resolve "demo.local:80:$TRAEFIK_IP" \
http://demo.local:80/tls-demo-alertmanager/-/ready
Moved Permanently
And now curl should be able to reach the endpoint, even though it’s http
and not https
:
$ curl -L \
--fail-with-body \
--capath /tmp \
--cacert /tmp/local.cert \
http://demo.local/tls-demo-alertmanager/-/ready
OK
If you’re using the demo.local
example, you may need to temporarily add Traefik’s IP to /etc/hosts
to have curl
match the cert when following the redirect:
$ cat /etc/hosts
# --snip--
10.43.8.34 demo.local # $TRAEFIK_IP