Getting started with Traefik

A quick guide to getting Traefik up and running with Kubernetes.

What is Traefik?

From their website; Traefik is a modern HTTP reverse proxy and load balancer made to deploy micro-services with ease. It supports several backends (Docker, Swarm, Kubernetes, Marathon, Mesos, Consul, Etcd, Zookeeper, BoltDB, Rest API, file…) to manage its configuration automatically and dynamically.

Why EvaluAgent started using Traefik?

Our Kubernetes cluster runs on a fleet of Amazon Web Services (AWS) EC2 instances. We also utilise their Elastic Load Balancer (ELB) service that provisioned an ELB to each micro-service we run. Running ~10 micro-services per customer, the cost was getting quite high having an ELB for each service, so we needed to find alternative. Enter Traefik.

By using Kubernetes Ingress controllers with Traefik we now have a single ELB per customer that we route all traffic to. From there, the Ingress controller (we setup one per externally exposed micro-service) tells Traefik what service needs the traffic, and how it’s going to get there.

Getting Started

Traefik provides a tiny docker image that you can use to get started or you can fork the Github repo and go from there. For the purposes of this, we’ll be using their docker image, version: v1.2.0-rc1-alpine. We are running Traefik on Kubernetes v1.5.2 but it should work from Kubernetes v1.4.7+.

The Deployment Controller
As a quick start, i’ve left the replicas as 1 although I’d recommend at least 3 if your going to run in production. The resource limits are also minimal so they’ll probably need fine tuning to suit your environment.

kind: Deployment
apiVersion: extensions/v1beta1
metadata:
name: traefik-proxy
labels:
app: traefik-proxy
tier: proxy
spec:
replicas: 1
selector:
matchLabels:
app: traefik-proxy
tier: proxy
template:
metadata:
labels:
app: traefik-proxy
tier: proxy
spec:
terminationGracePeriodSeconds: 60
containers:
- image: traefik:v1.2.0-rc1-alpine
name: traefik-proxy
resources:
limits:
cpu: "200m"
memory: "30Mi"
requests:
cpu: "100m"
memory: "20Mi"
ports:
- containerPort: 80
hostPort: 80
name: traefik-proxy
- containerPort: 8080
name: traefik-ui
args:
- --web
- --kubernetes

Exposing the Proxy Service
There are two services that run on the container; Traefik Proxy (Port 80) and Traefik UI (Port 8080). The service for the Proxy, i’ve exposed on Port 443 so we can get HTTPS termination.

apiVersion: v1
kind: Service
metadata:
name: traefik-proxy
annotations:
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:eu-west-1:ACCOUNTID:certificate/CERT-ID"
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
spec:
type: LoadBalancer
selector:
app: traefik-proxy
tier: proxy
ports:
- port: 443
targetPort: 80

Running the above will provision a single ELB in your AWS account that you can then CNAME your DNS entries to. You can use kubectl to get the ELB’s address by running:

kubectl describe service traefik-proxy | grep LoadBalancer

That command will return something like:

Type:   LoadBalancer
LoadBalancer Ingress: XXXXXXX-XXXXXXXXXX.eu-west-1.elb.amazonaws.com

Exposing the Traefik UI
This step will create a service in your Kubernetes cluster that will allow you to view the Traefik UI.

apiVersion: v1
kind: Service
metadata:
name: traefik-web-ui
spec:
selector:
app: traefik-proxy
tier: proxy
ports:
- port: 80
targetPort: 8080

Creating Ingress Rules
The ingress rules can be as simple or complex as you require. For this example i’m going to define a host name and what backend service I want the traffic routed to.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: auth-service
spec:
rules:
- host: auth-service.domain.com
http:
paths:
- backend:
serviceName: auth-service
servicePort: 80

Once you’ve configured your DNS to CNAME your traffic to the Proxies ELB, any user that requests https://auth-service.domain.com in their browser will come through the ELB and in to Traefik Proxy which will then route the traffic to my auth-service backend on Port 80.

The User Interface
You can access the UI by using the port-forwarding command in kubectl. To do this run;

kubectl port-forward $(kubectl get pods | grep traefik | awk -F' ' '{print $1}DD') 8080:8080

This command assumes you only have 1 pod running called Traefik. From your web browser you can then visit localhost:8080 and you should see something like;

This screen will list all of your ingress controller rules and show you where the backend target is.

The health screen will give you some metrics around average response time and total status code count.

Health Screen

About EvaluAgent

We provide call centres with the software and support they need to engage their agents and deliver a truly great customer experience.

We are recruiting for Platform Engineers and UI Engineers. If your interested in working with some cool stuff like Amazon Web Services (EC2, RDS, Elasticache, Route53, S3, IAM, SQS, etc), Kubernetes, Docker, Laravel, Symfony, Python and React take a look at our Careers page: http://www.evaluagent.net/careers