Managing external resources through traefik
I spent the last few days figuring out how to use the Kubernetes-hosted Traefik, which already holds the Let's Encrypt wildcard certificate, to also handle external services that are not running in Kubernetes.
For example, I have a couple of Portainer installations which I "grouped up" in the past via the environment section of Portainer on my main server. That Portainer was so far reachable via an internal host name I set for my server, but it didn't use a valid certificate.
With the configuration below I am now finally able to reach external services through Traefik, which itself is running in Kubernetes (k3s, to be precise). This makes it possible to use the wildcard certificate obtained from Let's Encrypt for external services which are not yet part of Kubernetes.
```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: default-headers
  namespace: portainer
spec:
  headers:
    browserXssFilter: true
    contentTypeNosniff: true
    forceSTSHeader: true
    stsIncludeSubdomains: true
    stsPreload: true
    stsSeconds: 15552000
    customFrameOptionsValue: SAMEORIGIN
    customRequestHeaders:
      X-Forwarded-Proto: https
---
apiVersion: v1
kind: Service
metadata:
  name: portainer
  namespace: portainer
spec:
  type: ClusterIP
  ports:
    - name: https
      port: 443
      targetPort: 9443
      protocol: TCP
---
apiVersion: v1
kind: Endpoints
metadata:
  name: portainer
  namespace: portainer
subsets:
  - addresses:
      - ip: {ip-of-external-server}  # replace with the address of the external host
    ports:
      - name: https
        port: 9443
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: portainer
  namespace: portainer
  annotations:
    kubernetes.io/ingress.class: traefik-external
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`portainer.local.example.com`)
      kind: Rule
      services:
        - name: portainer
          port: 443
      middlewares:
        - name: default-headers
  tls:
    secretName: local-example-com-tls
```
The ingress configuration is rather straightforward, but the service definition differs here. I experimented a lot with ExternalName and ExternalIPs in the service config, but the former doesn't use ports, while the latter didn't show up in the Traefik dashboard no matter what I tried.
The final clue came while watching this Google Cloud Tech video, where Sandeep mentioned all of the hurdles I faced and explained that by defining an Endpoints resource, with the IP and port set there directly, one can still use Traefik for external resources.
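As an added sanity check (my own addition, not part of the original post or any project's code), the following Python script encodes the three objects above as dictionaries and verifies the constraints that make this pattern work: the Service must carry no selector (otherwise the endpoints controller takes ownership of the Endpoints object and drops the hand-written address), the Endpoints port must equal the Service targetPort, the address must be a literal IP rather than the placeholder, and the IngressRoute must reference an actual Service port. The address 192.0.2.10 is a constructed placeholder from the documentation range.

```python
import ipaddress

# Constructed stand-ins for the post's three objects (not the post's own code);
# 192.0.2.10 is a documentation-range placeholder for the external host.
SERVICE = {"kind": "Service", "metadata": {"name": "portainer", "namespace": "portainer"},
           "spec": {"type": "ClusterIP",
                    "ports": [{"name": "https", "port": 443, "targetPort": 9443, "protocol": "TCP"}]}}
ENDPOINTS = {"kind": "Endpoints", "metadata": {"name": "portainer", "namespace": "portainer"},
             "subsets": [{"addresses": [{"ip": "192.0.2.10"}],
                          "ports": [{"name": "https", "port": 9443}]}]}
INGRESSROUTE = {"kind": "IngressRoute", "metadata": {"name": "portainer", "namespace": "portainer"},
                "spec": {"routes": [{"services": [{"name": "portainer", "port": 443}]}]}}


def check_external_service(svc, eps, route):
    """Return a list of problems; an empty list means the three objects line up."""
    problems = []

    def key(obj):
        return obj["metadata"]["namespace"], obj["metadata"]["name"]

    if key(svc) != key(eps):
        problems.append("Service and Endpoints must share namespace and name")
    if svc["spec"].get("selector"):
        # With a selector the endpoints controller owns the Endpoints object and
        # replaces the hand-written address with matching pod IPs (none here).
        problems.append("Service has a selector; manual Endpoints would be overwritten")
    ep_ports = {p.get("name"): p["port"] for s in eps.get("subsets", []) for p in s.get("ports", [])}
    for p in svc["spec"]["ports"]:
        if ep_ports.get(p.get("name")) != p["targetPort"]:
            problems.append(f"Endpoints port {p.get('name')!r} does not match targetPort {p['targetPort']}")
    for s in eps.get("subsets", []):
        for a in s.get("addresses", []):
            try:
                ipaddress.ip_address(a["ip"])
            except ValueError:
                problems.append(f"Endpoints address {a['ip']!r} is not a literal IP (placeholder left in?)")
    svc_ports = {p["port"] for p in svc["spec"]["ports"]}
    for r in route["spec"]["routes"]:
        for rs in r["services"]:
            if rs["name"] != svc["metadata"]["name"] or rs["port"] not in svc_ports:
                problems.append(f"IngressRoute points at {rs['name']}:{rs['port']}, which is not a Service port")
    return problems


if __name__ == "__main__":
    for line in check_external_service(SERVICE, ENDPOINTS, INGRESSROUTE) or ["manifests are consistent"]:
        print(line)
```

Feeding it the manifests with `{ip-of-external-server}` still in place reports the placeholder, which is the mistake most easily made when copying the snippet.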
Hope this helps others :) If there is a simpler approach to get the job done, please feel free to post it here, as I'm always keen on learning new tech things I can try in my homelab.