Traefik Ingress Operator for Kubernetes
- By Canonical Observability
| Channel | Revision | Published | Runs on |
|---|---|---|---|
| latest/stable | 176 | 24 Apr 2024 | |
| latest/candidate | 177 | 24 Apr 2024 | |
| latest/beta | 180 | 24 Apr 2024 | |
| latest/edge | 184 | 25 Apr 2024 | |
| 1.0/stable | 164 | 16 Feb 2024 | |
| 1.0/candidate | 164 | 22 Nov 2023 | |
| 1.0/beta | 164 | 22 Nov 2023 | |
| 1.0/edge | 164 | 22 Nov 2023 |
juju deploy traefik-k8s --channel 1.0/edge
Deploy Kubernetes operators easily with Juju, the Universal Operator Lifecycle Manager. Need a Kubernetes cluster? Install MicroK8s to create a full CNCF-certified Kubernetes system in under 60 seconds.
Platform:
By default, the traefik charm sets up traefik in a way that allows both HTTP and HTTPS access. To force HTTPS redirect, you need to modify the requirer charm’s code.
This feature was introduced in revision 127 (PR#178).
Pack a charm with HTTPS redirection enabled
Let’s take alertmanager for example. It already imports and uses ingress per app:
from charms.traefik_k8s.v1.ingress import IngressPerAppRequirer
# --snip--
self.ingress = IngressPerAppRequirer(
self, port=self.api_port
)
All you need to do is add another constructor argument:
self.ingress = IngressPerAppRequirer(
self, port=self.api_port, redirect_https=True
)
Set up a tls demo model
Deploy traefik, alertmanager and self-signed-certificates, similar to how it is described in the “TLS termination using a local ca” tutorial.
Detailed juju commands for setup
# Your locally built charm with the new constructor arg
juju deploy ./alertmanager-k8s_ubuntu-20.04-amd64.charm alertmanager --resource alertmanager-image=ubuntu/prometheus-alertmanager:0.23-22.04_beta
# All the rest from charmhub
juju deploy --channel=edge traefik-k8s traefik --config external_hostname=demo.local
juju deploy --channel=edge self-signed-certificates ca
juju relate traefik ca
juju relate alertmanager traefik
juju show-unit --format json traefik/0 \
| jq -r '."traefik/0"."relation-info"[0]."application-data".certificates' \
| jq -r '.[0].certificate' > /tmp/local.cert
Verification
After relating the charms and storing the certificate locally, you should see a 301 Moved Permanently when you try to curl port 80:
$ TRAEFIK_IP=$(\
juju status --format json traefik \
| jq -r ".applications.traefik.address"\
)
$ curl http://$TRAEFIK_IP/tls-demo-alertmanager/-/ready
Moved Permanently
Or, similarly,
$ curl --resolve "demo.local:80:$TRAEFIK_IP" \
http://demo.local:80/tls-demo-alertmanager/-/ready
Moved Permanently
And now curl should be able to reach the endpoint, even though it’s http and not https:
$ curl -L \
--fail-with-body \
--capath /tmp \
--cacert /tmp/local.cert \
http://demo.local/tls-demo-alertmanager/-/ready
OK
If you’re using the demo.local example, you may need to temporarily add Traefik’s IP to /etc/hosts to have curl match the cert when following the redirect:
$ cat /etc/hosts
# --snip--
10.43.8.34 demo.local # $TRAEFIK_IP