[Microk8s](https://microk8s.io/) has a fairly good plugin system. One of its plugins is Traefik (link to the source), which implements the Ingress concept.

In simple terms: I have one public IP address and several sites that I would like to make available. I also want the HTTPS certificates to be obtained and renewed automatically, for free. That's what Traefik allows you to do.

At the same time, HTTPS requires a browser with SNI support (for example, IE8 on Windows XP does not support it, but modern browsers do), so just in case it is better not to force a hard redirect to HTTPS (although the last example shows how to do this at the Traefik level).

Unfortunately, it was not possible to use this particular plugin. Here is what I wanted done differently:

  • one instance is enough, because there is metallb in the cluster, and Traefik itself is very performant
  • the service should be of the LoadBalancer type, because there is metallb in the cluster (this is a common ailment of plugins in general: for almost every plugin with a UI, I added LoadBalancer services to access it)
  • I want to see the admin pages, but only inside the network (do not expose them through Ingress, but leave them on a separate LoadBalancer service)
  • integration with Prometheus
  • a version that is not a year old (not that important, but a warning sign)

So let's use Helm:

```shell
# Assumption: "k" is a shell alias for kubectl, and "k ns" is the kubectl ns (kubens) plugin
helm repo add traefik https://helm.traefik.io/traefik
helm repo update
k create ns traefik
k ns traefik
helm -n traefik install traefik traefik/traefik --values traefik-values.yaml
k apply -f traefik-extra.yaml
```

With your own settings:

```yaml
# traefik-values.yaml
ingressRoute:
  dashboard:
    enabled: false   # do not publish the dashboard through an IngressRoute
logs:
  general:
    level: INFO
  access:
    enabled: true
globalArguments:
  - "--global.checknewversion=false"
  - "--global.sendanonymoususage=false"
additionalArguments:
  - --providers.kubernetesingress.ingressendpoint.ip=my.publicInternet.ip.address
  # serves the API and dashboard without authentication on port 9000;
  # reachable only through the separate LAN-only service defined below
  - --api.insecure=true
service:
  spec:
    loadBalancerIP: my.publicLan.ip.address
persistence:
  enabled: true
certResolvers:
  letsencrypt:
    email: my@example.com
    tlsChallenge: true
    storage: /data/letsencrypt.json
# this is due to incorrect PV implementation in microk8s (storage plugin)
securityContext:
  runAsNonRoot: false
  runAsUser: 0
  runAsGroup: 0
podSecurityContext:
  fsGroup: 0
```

Note that with the storage plugin the permissions on the folder were incorrect, so I had to weaken security. This is not much of a problem for a home setup, but I will change it when I switch to the OpenEBS plugin for PV.
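One way to avoid running Traefik as root despite the wrong folder permissions, shown as an added example that is not part of the original setup: a root init container fixes ownership of the volume once, and the Traefik container keeps a non-root security context. It assumes the chart's `deployment.initContainers` key, the chart's default non-root UID/GID 65532, the default volume name `data`, and a `busybox` image tag chosen for illustration; check all of these against the chart version you install.

```yaml
# Added example: replaces the securityContext/podSecurityContext part of
# traefik-values.yaml. Assumptions: chart default UID/GID 65532, volume name "data".
deployment:
  initContainers:
    # Runs once before Traefik starts; the only container that is root.
    - name: volume-permissions
      image: busybox:1.36          # illustrative tag
      command:
        - sh
        - -c
        # Create the ACME store if missing, hand the volume to the
        # non-root user, and keep the certificate store private (0600).
        - >-
          touch /data/letsencrypt.json &&
          chown -R 65532:65532 /data &&
          chmod 600 /data/letsencrypt.json
      securityContext:
        runAsNonRoot: false
        runAsUser: 0
        runAsGroup: 0
      volumeMounts:
        - name: data
          mountPath: /data
# Traefik itself stays unprivileged.
securityContext:
  runAsNonRoot: true
  runAsUser: 65532
  runAsGroup: 65532
  readOnlyRootFilesystem: true
  capabilities:
    drop: [ALL]
podSecurityContext:
  fsGroup: 65532
```

After `helm upgrade`, `k -n traefik exec deploy/traefik -- id` should report uid 65532 instead of 0 (the deployment name `traefik` follows from the release name used above).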

In addition to the Helm chart, I also added access to the admin panel from the local network and allowed only secure protocols:

```yaml
# traefik-extra.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-ui
  namespace: traefik
spec:
  type: LoadBalancer
  loadBalancerIP: my.publicLan2.ip.address
  selector:
    app.kubernetes.io/name: traefik
    app.kubernetes.io/instance: traefik
  ports:
    - name: admin
      port: 80
      targetPort: 9000
      protocol: TCP
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: traefik
spec:
  minVersion: VersionTLS12
```

An example of how to use it (HTTP, HTTPS, and a redirect-to-https middleware for automatic redirects to HTTPS):

```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  namespace: test1
  name: test1
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`my.example.com`)
    kind: Rule
    # uncomment to force a redirect from HTTP to HTTPS
    # middlewares:
    # - name: redirect-to-https
    #   namespace: test1
    services:
    - name: test1
      port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: test1-tls
  namespace: test1
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`my.example.com`)
    kind: Rule
    services:
    - name: test1
      port: 80
  tls:
    certResolver: letsencrypt
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-to-https
  namespace: test1
spec:
  redirectScheme:
    scheme: https
    permanent: true
```