Traefik Ingress Operator for Kubernetes

After relating traefik to your charm, you may encounter reachability errors such as:

• Internal server error
• 404 page not found

Checklist

• Your charm either uses open-port^1,2 or applies a kubernetes service patch for exposing the workload’s port.
• Your workload is not bound to a particular IP address, i.e. it is listening on “0.0.0.0”.
• You either pass strip_prefix=True to the ingress library, or your workload’s pebble command includes the path prefix generated by traefik (/model_name-app_name) so your app is serving correctly.
• The SANs in your workload’s certificate match the url in traefik’s config.
• Traefik trusts the same CA that signed your workload’s certificate.
• Inspect logs.

Workload is correctly exposed

juju ssh into the charm container and run ss -tulpn. Find your app’s port in the list and make sure it is not bound to a particular IP, e.g.

Local Address:Port
            *:3200
            *:9096

Also make sure kubernetes has your ports listed as ClusterIP, for example:

$ kubectl -n welcome-k8s get svc                       
NAME    TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)                                                   AGE
tempo   ClusterIP   10.152.183.237   <none>        3200/TCP,4317/TCP,4318/TCP,9411/TCP,14268/TCP,14250/TCP   30m

Ingress path prefix is handled correctly

By default, traefik uses deterministic paths to all proxied endpoints, such as http://<traefik ip>/model_name-app_name.

This means that you need to tell your workload about it (for example alertmanager takes a --web.external-url cli arg) or tell traefik to strip prefix:

        self.ingress = IngressPerAppRequirer(
            self,
            "ingress",
            port=self._port,
            scheme=lambda: "https" if self.server_cert.cert else "http",
            redirect_https=True,
            strip_prefix=True,
        )

Workload’s certificate has the correct SAN DNS

To avoid using insecureSkipVerify in traefik configuration, the url specified in the traefik config must match the DNS in the cert.

Shell into the traefik workload container to confirm:

$ juju ssh --container traefik trfk/0 bash

root@trfk-0:/# cat /opt/traefik/juju/juju_ingress_ingress_48_am.yaml | grep url
        - url: https://am-0.am-endpoints.welcome-k8s.svc.cluster.local:9093

root@trfk-0:/# echo | openssl s_client -showcerts -connect am-0.am-endpoints.welcome-k8s.svc.cluster.local:9093 | openssl x509 -text | grep DNS
                DNS:am-0.am-endpoints.welcome-k8s.svc.cluster.local

Traefik trusts the same CA that signed your workload’s certificate

To avoid using insecureSkipVerify in traefik configuration, traefik must trust the CA that signed the proxied app’s certificate.

Shell into the traefik workload container to confirm:

$ juju ssh --container traefik trfk/0 bash

root@trfk-0:/# cat /opt/traefik/juju/juju_ingress_ingress_48_am.yaml | grep -E "url|cert"
      - /opt/traefik/juju/ca.cert
        - url: https://am-0.am-endpoints.welcome-k8s.svc.cluster.local:9093

root@trfk-0:/# curl --capath /opt/traefik/juju \
    --cacert /opt/traefik/juju/ca.cert \
    https://am-0.am-endpoints.welcome-k8s.svc.cluster.local:9093/welcome-k8s-am/-/ready
OK

Inspect traefik’s log

Make sure traefik is running.

$ juju ssh --container traefik trfk/0 /charm/bin/pebble changes traefik
ID   Status  Spawn               Ready               Summary
1    Done    today at 13:20 UTC  today at 13:20 UTC  Replan service "traefik"

$ juju ssh --container traefik trfk/0 /charm/bin/pebble tasks 1        
Status  Spawn               Ready               Summary
Done    today at 13:20 UTC  today at 13:20 UTC  Start service "traefik"

Look at the traefik log as you add/remove relations:

kubectl -n welcome-k8s logs pods/trfk-0 -c traefik -f