## <span style="color:#038d99">Ingress upgrade: <br> Traefik Proxy v2</span>

![](https://i.gifer.com/5uJN.gif)

---

## <span style="color:#038d99">Agenda 📜</span>

1. Traefik Proxy overview <!-- Renzo -->
2. Why should I use a Reverse Proxy?
3. Reverse Proxy
4. Traefik Proxy configs
   4.1. Static configs
   4.2. Dynamic configs
5. Kubernetes CRD <!-- Rihards -->
6. Ingress route
7. Middlewares
8. DDoS mitigation

---

### <span style="color:#038d99">Traefik Proxy overview 👀</span>

<p style="font-size:2.8rem">
Traefik Proxy is a reverse proxy and load balancer that makes deploying microservices easy. It receives requests on behalf of your system and finds out which components are responsible for handling them.
</p>

![](https://doc.traefik.io/traefik/assets/img/traefik-architecture.png =650x)

---

### <span style="color:#038d99">Why should I use a Reverse Proxy?</span>

<ul style="font-size:2.2rem">

- **Single entrypoint :door:**
  - Multiple web servers must be accessible via a single public IP address
- **TLS termination :lock:**
  - Removes overhead for internal connections
- **Access control :passport_control:**
  - Staging envs can remain public but only admin users can access them
- **Load balancing :twisted_rightwards_arrows:**
  - Distribute load from incoming requests to several servers, with each server supporting its own application area
- **Firewall :vertical_traffic_light:**
  - Protection from attacks, such as DDoS mitigation

</ul>

---

### <span style="color:#038d99">Reverse Proxy</span>

<p style="font-size:2.8rem">
We use Helm to define all the Kubernetes resources required for our Reverse Proxy
</p>

```
/templates
  config.yaml
  definitions.yaml
  deployment.yaml
  service.yaml
values.yaml
chart.yaml
```

---

### **Traefik Proxy configs ⚙️**

![](https://doc.traefik.io/traefik/assets/img/static-dynamic-configuration.png =650x)

---

### **Static configs ⚙️**

```toml=
[entryPoints]
  # Plain HTTP entry point: every request is redirected to HTTPS
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http]
      [entryPoints.web.http.redirections]
        [entryPoints.web.http.redirections.entryPoint]
          to = "websecure"
          scheme = "https"
  # HTTPS entry point with TLS enabled for all routers attached to it
  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.http.tls]
```

```toml=
[providers]
  # Dynamic configuration loaded from a file
  [providers.file]
    filename = "/etc/config/dynamic.toml"
  # Routing configuration read from Kubernetes custom resources
  [providers.kubernetesCRD]
    namespaces = ["public"]
    # Resources may not reference objects in other namespaces
    allowCrossNamespace = false
```

---

### **Dynamic configs ⚙️**

```toml=
[[tls.certificates]]
  certFile = "/etc/certificates/apolitical.co.cert"
  keyFile = "/etc/certificates/apolitical.co.key"
```

---

### <span style="color:#038d99">Kubernetes CRD ⛵️</span>

<ul style="font-size:2.2rem">

- The latest version of Traefik supports Kubernetes CRDs (Custom Resource Definitions)
- CRDs let you configure the routing rules through Ingress Route and Middleware custom resources
- When using KubernetesCRD as a provider, Traefik uses Custom Resource Definitions to retrieve its routing configuration

</ul>

---

### <span style="color:#038d99">Ingress Route</span>

![](https://doc.traefik.io/traefik/assets/img/traefik-concepts-2.png =650x)

---

### <span style="color:#038d99">Ingress Route example </span>

People API Ingress Route example:

```yaml=
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: people-api
  namespace: public
  labels:
    k8s-app: people-api
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: PathPrefix(`/api/people-api/`)
      kind: Rule
      services:
        - name: people-api
          port: 3000
      middlewares:
        - name: people-api
```

---

### <span style="color:#038d99">Middlewares</span>

![](https://doc.traefik.io/traefik/assets/img/middleware/overview.png =650x)

---

### Middleware example

People API Middleware example to strip the URL prefix:

```yaml=
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: people-api
  namespace: public
  labels:
    k8s-app: people-api
spec:
  stripPrefix:
    prefixes:
      - /api/people-api/
```

---

### <span style="color:#038d99">DDoS mitigation middlewares</span>

<ul style="font-size:1.6rem">

- **Rate Limit** 🚧
  - Strategy for limiting network traffic (req/sec)
  - Ensures that services will receive a fair number of requests, and allows you to define what is fair
- **In flight request** 🛬
  - Strategy for limiting the number of simultaneous requests (amount)
  - Prevents services from being overwhelmed by high load by capping the number of simultaneous in-flight requests
- **IP Whitelist** 📓
  - Accepts / refuses requests based on the client IP

</ul>

---

## <span style="color:#038d99">Thank you! 🙏</span>

### Any questions?

![](https://i.imgur.com/haaaEgJ.jpg =200x)
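
---

The three DDoS mitigation middlewares from the slide above, written as Traefik v2 `Middleware` resources. This is an added example, not part of the original slides: the resource names, the limits and the CIDR range are assumptions chosen for illustration.

```yaml
# Added example. Names, limits and ranges below are assumptions.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: people-api-rate-limit     # hypothetical name
  namespace: public
spec:
  rateLimit:
    average: 50          # sustained requests per period, per source
    period: 1s
    burst: 100           # short spikes tolerated above the average
    sourceCriterion:
      ipStrategy:
        depth: 1         # rightmost X-Forwarded-For entry, i.e. the address
                         # added by the single trusted load balancer in front
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: people-api-in-flight      # hypothetical name
  namespace: public
spec:
  inFlightReq:
    amount: 20           # maximum simultaneous requests, per source
    sourceCriterion:
      ipStrategy:
        depth: 1
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: staging-ip-allowlist      # hypothetical name
  namespace: public
spec:
  ipWhiteList:
    sourceRange:
      - 203.0.113.0/24   # constructed documentation range (RFC 5737)
    ipStrategy:
      depth: 1
```

Each resource is attached by adding its name to the `middlewares:` list of an IngressRoute route, as in the People API example. Without an `ipStrategy`, Traefik keys on the connection's remote address, which behind a load balancer is the balancer itself, so `depth` must match the number of trusted proxies in front of Traefik.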