oneke_traefik - lukasfazik/one-apps GitHub Wiki
Traefik is deployed during cluster creation, from an official Helm chart with the following manifest:
```yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: traefik-system
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: one-traefik
  namespace: kube-system
spec:
  targetNamespace: traefik-system
  chartContent: <BASE64 OF A TRAEFIK HELM CHART TGZ FILE>
  valuesContent: |
    deployment:
      replicas: 2
    affinity:
      podAntiAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          - topologyKey: kubernetes.io/hostname
            labelSelector:
              matchLabels:
                app.kubernetes.io/name: traefik
    service:
      type: NodePort
    ports:
      web:
        nodePort: 32080
      websecure:
        nodePort: 32443
```

- A dedicated namespace `traefik-system` is provided.
- An anti-affinity rule is applied to Traefik pods to minimize potential downtime during failures and upgrades.
- Traefik is exposed on a `NodePort` type of the Kubernetes Service. By default the HAProxy instance (running on the leader VNF node) connects to all worker nodes on ports `32080` and `32443`, then forwards all traffic arriving on ports `80` and `443` to the Traefik instance running inside Kubernetes.
```mermaid
graph LR;
    internet --- vnf;
    vnf --- master & worker & storage;
    internet((Internet));
    style vnf text-align:left
    style master text-align:left
    style worker text-align:left
    style storage text-align:left
    vnf[["vnf (NAT 🔀)"<br>haproxy - *:80,443<br><hr>eth0:10.2.11.86<br><hr>eth1:172.20.0.68]];
    master[master<br><hr>eth0:172.20.0.101<br><hr>GW:172.20.0.86<br>DNS:1.1.1.1];
    worker[worker<br>traefik - *:32080,32443<br><hr>eth0:172.20.0.102<br><hr>GW:172.20.0.86<br>DNS:1.1.1.1];
    storage[storage<br><hr>eth0:172.20.0.103<br><hr>GW:172.20.0.86<br>DNS:1.1.1.1];
```
Important
To deploy Traefik:
- Set `ONEAPP_K8S_TRAEFIK_ENABLED` to "YES".
Warning
Since Traefik 3.0.0, `apiVersion: traefik.io/v1alpha1` must be used in CRD objects.
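
A pre-upgrade check for the warning above, as an added example that is not part of the original wiki page or the OneKE project: it scans multi-document manifest text for Traefik CRD objects whose top-level `apiVersion` is not `traefik.io/v1alpha1`. The kind list, the sample manifests and the legacy `traefik.containo.us` group shown in them are assumptions of this example; parsing is line-based and expects block-style YAML.

```python
import re

REQUIRED = "traefik.io/v1alpha1"   # API group required since Traefik 3.0.0
TRAEFIK_KINDS = {                  # Traefik CRD kinds covered by this check
    "IngressRoute", "IngressRouteTCP", "IngressRouteUDP", "Middleware",
    "MiddlewareTCP", "TraefikService", "TLSOption", "TLSStore",
    "ServersTransport", "ServersTransportTCP",
}
# Match only unindented keys, so nested fields such as routes[].kind
# are not mistaken for the object's own kind.
_TOP = re.compile(r"^(apiVersion|kind):[ \t]*['\"]?([^'\"#\s]+)", re.M)
_NAME = re.compile(
    r"^metadata:[ \t]*\n(?:[ \t]+.*\n)*?[ \t]+name:[ \t]*['\"]?([^'\"#\s]+)", re.M)

def find_outdated(manifest_text):
    """Return (kind, name, apiVersion) for Traefik CRD objects not using REQUIRED."""
    findings = []
    for doc in re.split(r"^---[ \t]*$", manifest_text, flags=re.M):
        top = dict(_TOP.findall(doc))
        kind, api = top.get("kind"), top.get("apiVersion")
        if kind in TRAEFIK_KINDS and api != REQUIRED:
            m = _NAME.search(doc)
            findings.append((kind, m.group(1) if m else "<unnamed>", api))
    return findings

# Constructed sample manifests (not from the original page).
SAMPLE = """\
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: legacy-route
spec:
  routes:
    - kind: Rule
      match: Host(`old.example.test`)
      services:
        - name: app
          port: 80
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: strip-api
spec: {stripPrefix: {prefixes: ["/api"]}}
"""

if __name__ == "__main__":
    for kind, name, api in find_outdated(SAMPLE):
        print(f"{kind}/{name}: apiVersion {api} -> use {REQUIRED}")
```

Run it over rendered manifests before enabling or upgrading Traefik, and update any object it reports.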