## <span style="color:#038d99">Ingress Controller Upgrade</span>

![](https://i.gifer.com/5uJN.gif)

---

## <span style="color:#038d99">Agenda 📜</span>

1. Reverse Proxy overview <!-- Renzo -->
2. Reverse Proxy configuration
3. Reverse Proxy Kubernetes resources
4. Ingress route <!-- Rihards -->
5. Middlewares
6. DDoS mitigation rules

---

### <span style="color:#038d99">Reverse Proxy overview 👀</span>

A reverse proxy (also known as an edge router) is a server that sits in front of web servers and forwards client requests to those web servers.

A reverse proxy protects the web servers' identity: clients only ever talk to the proxy.

![](https://www.cloudflare.com/img/learning/cdn/glossary/reverse-proxy/reverse-proxy-flow.svg =650x)

---

### <span style="color:#038d99">Main reasons for us to have the reverse proxy</span>

<ul style="font-size:3.2rem">

- Single entrypoint 🚪
- Beta and RC can remain public, while only admin users can access them 🔒
- Internal servers do not need an HTTPS connection (TLS terminates at the proxy)
- Distribute incoming requests across several servers, each serving its own application area
- Perform A/B testing without inserting JavaScript into pages
- DDoS attack mitigation 🏴‍☠️

</ul>

---

### <span style="color:#038d99">Reverse Proxy configuration ⚙️</span>

![](https://i.imgur.com/hDVZwg3.png =150x)

---

We are using TOML syntax inside of YAML to configure our reverse proxy.

```
values.yaml
chart.yaml
templates:
  config.yaml
  definitions.yaml
  deployment.yaml
  ma.yaml
  middleware.yaml
  pvc.yaml
  service.yaml
```

---

### **config.yaml ⚙️**

```
metadata:
  name: {{ .Chart.Name }}-config
  namespace: {{ .Values.namespace }}
```

**Static configuration**

```
data:
  static.toml: |
    [entryPoints]
      # plain HTTP entrypoint: only redirects to HTTPS
      [entryPoints.web]
        address = ":80"
        [entryPoints.web.http]
          [entryPoints.web.http.redirections]
            [entryPoints.web.http.redirections.entryPoint]
              to = "websecure"
              scheme = "https"
      # HTTPS entrypoint: TLS enabled for every router attached to it
      [entryPoints.websecure]
        address = ":443"
        [entryPoints.websecure.http.tls]
```

---

**Definition of the HTTP connection**
```
[entryPoints.web]
  address = ":80"
```

**Definition of the HTTPS connection**

```
[entryPoints.websecure]
  address = ":443"
  [entryPoints.websecure.http.tls]
```

---

### Certificates

```
{{ if or (eq .Values.env "beta") (eq .Values.env "rc") }}
# beta/rc get certificates from the "staging" resolver for the env domain and its wildcard
certResolver = "staging"
[[entryPoints.websecure.http.tls.domains]]
  main = "{{ .Values.env }}.apolitical.co"
  sans = ["*.{{ .Values.env }}.apolitical.co"]
{{ end }}
```

---

### Dynamic configuration

```
dynamic.toml: |
  {{ if or (eq .Values.env "beta") (eq .Values.env "rc") }}
  # beta/rc: every TLS client must present a certificate signed by one of our CAs
  [tls.options]
    [tls.options.default]
      [tls.options.default.clientAuth]
        caFiles = ["/etc/ma/engineeringCA.crt", "/etc/ma/internalCA.crt"]
        clientAuthType = "RequireAndVerifyClientCert"
  {{ else }}
  # production: serve the static certificate and key mounted into the pod
  [[tls.certificates]]
    certFile = "/etc/certificates/apolitical.co.cert"
    keyFile = "/etc/certificates/apolitical.co.key"
  {{ end }}
```

---

### Middleware configuration

```
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: secure-headers
  namespace: {{ .Values.namespace }}
spec:
  headers:
    frameDeny: true
    # sslRedirect is superseded by the entrypoint redirection in static.toml
    sslRedirect: true
    # customFrameOptionsValue overrides frameDeny, so X-Frame-Options is sent as SAMEORIGIN
    customFrameOptionsValue: SAMEORIGIN
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: cors-headers
  namespace: {{ .Values.namespace }}
spec:
  headers:
    # accessControlAllowMethods:
    #   - "GET"
    # accessControlAllowOriginList:
    #   - "https://example.org"
    accessControlMaxAge: 100
    addVaryHeader: true
```

---

### <span style="color:#038d99">Reverse Proxy Kubernetes resources ⛡️</span>

The latest version of Traefik supports Kubernetes Custom Resource Definitions (kubernetesCRD). CRDs let Traefik's routing be configured as native Kubernetes objects. When using KubernetesCRD as a provider, Traefik uses Custom Resource Definitions to retrieve its routing configuration.

---

### <span style="color:#038d99">Ingress route</span>

The IngressRoute is the CRD implementation of a Traefik HTTP router.
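An IngressRoute that wires the pieces above together, added here as an example (it is not from the original deck or the project's chart). It exposes the app only on the `websecure` entrypoint and attaches the `secure-headers` and `cors-headers` middlewares; the Service name `{{ .Chart.Name }}`, its port 80 and the host/path rule are assumptions.

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: {{ .Chart.Name }}
  namespace: {{ .Values.namespace }}
spec:
  entryPoints:
    # only the TLS entrypoint; "web" exists solely to redirect to it
    - websecure
  routes:
    - kind: Rule
      # assumed rule: env host from the Certificates slide plus the chart's base path
      match: Host(`{{ .Values.env }}.apolitical.co`) && PathPrefix(`{{ .Values.ingress.basePath }}`)
      middlewares:
        - name: secure-headers
          namespace: {{ .Values.namespace }}
        - name: cors-headers
          namespace: {{ .Values.namespace }}
      services:
        # assumed: the application's Service is named after the chart and listens on 80
        - name: {{ .Chart.Name }}
          port: 80
  # enables TLS for this router; certResolver comes from the websecure entrypoint,
  # and on beta/rc the [tls.options.default] clientAuth block applies automatically
  # because no explicit TLS option is named here
  tls: {}
```

On beta/rc a request without a certificate signed by one of the listed CAs fails the TLS handshake before it reaches any route.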
---

### <span style="color:#038d99">Middlewares</span>

![](https://doc.traefik.io/traefik/assets/img/middleware/overview.png =650x)

---

### Code example from Approvals API

```
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: {{ .Chart.Name }}
  namespace: {{ .Values.namespace }}
  labels:
    k8s-app: {{ .Chart.Name }}
spec:
  # strips the base path before the request is forwarded to the service
  stripPrefix:
    prefixes:
      - {{ .Values.ingress.basePath }}
```

---

### <span style="color:#038d99">DDoS mitigation rules</span>

---

## <span style="color:#038d99">Thank you! 🙏</span>

### Any questions?

![](https://i.imgur.com/haaaEgJ.jpg =200x)