Traefik Ingress Operator for Kubernetes

  • By Canonical Observability
Channel Revision Published Runs on
latest/stable 194 28 Jun 2024
Ubuntu 20.04
latest/candidate 199 28 Jun 2024
Ubuntu 20.04
latest/beta 199 21 Jun 2024
Ubuntu 20.04
latest/edge 203 Yesterday
Ubuntu 20.04
1.0/stable 164 16 Feb 2024
Ubuntu 20.04
1.0/candidate 164 22 Nov 2023
Ubuntu 20.04
1.0/beta 164 22 Nov 2023
Ubuntu 20.04
1.0/edge 164 22 Nov 2023
Ubuntu 20.04
juju deploy traefik-k8s --channel 1.0/candidate
Show information

Platform:

By default, the traefik charm sets up traefik in a way that allows both HTTP and HTTPS access. To force HTTPS redirect, you need to modify the requirer charm’s code.

This feature was introduced in revision 127 (PR#178).

Pack a charm with HTTPS redirection enabled

Let’s take alertmanager for example. It already imports and uses ingress per app:

from charms.traefik_k8s.v1.ingress import IngressPerAppRequirer

# --snip--

        self.ingress = IngressPerAppRequirer(
            self, port=self.api_port
        )

All you need to do is add another constructor argument:

        self.ingress = IngressPerAppRequirer(
            self, port=self.api_port, redirect_https=True
        )

Set up a tls demo model

Deploy traefik, alertmanager and self-signed-certificates, similar to how it is described in the “TLS termination using a local ca” tutorial.

Detailed juju commands for setup
# Your locally built charm with the new constructor arg
juju deploy ./alertmanager-k8s_ubuntu-20.04-amd64.charm alertmanager --resource alertmanager-image=ubuntu/prometheus-alertmanager:0.23-22.04_beta

# All the rest from charmhub
juju deploy --channel=edge traefik-k8s traefik --config external_hostname=demo.local
juju deploy --channel=edge self-signed-certificates ca

juju relate traefik ca
juju relate alertmanager traefik

juju show-unit --format json traefik/0 \
  | jq -r '."traefik/0"."relation-info"[0]."application-data".certificates' \
  | jq -r '.[0].certificate' > /tmp/local.cert

Verification

After relating the charms and storing the certificate locally, you should see a 301 Moved Permanently when you try to curl port 80:

$ TRAEFIK_IP=$(\
  juju status --format json traefik \
  | jq -r ".applications.traefik.address"\
)

$ curl http://$TRAEFIK_IP/tls-demo-alertmanager/-/ready
Moved Permanently

Or, similarly,

$ curl --resolve "demo.local:80:$TRAEFIK_IP" \
   http://demo.local:80/tls-demo-alertmanager/-/ready
Moved Permanently

And now curl should be able to reach the endpoint, even though it’s http and not https:

$ curl -L \
     --fail-with-body \
     --capath /tmp \
     --cacert /tmp/local.cert \
     http://demo.local/tls-demo-alertmanager/-/ready
OK

If you’re using the demo.local example, you may need to temporarily add Traefik’s IP to /etc/hosts to have curl match the cert when following the redirect:

$ cat /etc/hosts  
# --snip--
10.43.8.34 demo.local  # $TRAEFIK_IP

Help improve this document in the forum (guidelines). Last updated 1 year, 1 month ago.