Open-source reverse proxy / load balancer designed specifically for dynamic, cloud-native environments.
Well-suited for microservices and containerized architectures such as Kubernetes.
- Traefik Proxy is the default ingress controller for Rancher Lab's K3s
- Dashboard is read-only - shows static + dynamic configs for apps
- Traefik Enterprise is needed to integrate more than 1 ingress pod with LetsEncrypt
- Dynamic Configuration - automatically discovers services in real-time and updates its configuration without manual intervention
- Support for Multiple Protocols: Works with HTTP, HTTPS, TCP, and UDP traffic
- Load Balancing - distributes requests across multiple instances of a service to ensure high availability and scalability
- SSL Termination - native built-in support for Let's Encrypt to automatically generate and renew SSL certificates
- might need to add traditional ingresses instead of Traefik's advanced IngressRoute if wanting to use Cert Manager instead
- Routing - flexible routing rules based on various criteria like domain, path, headers, etc.
- Middleware - offers middleware capabilities for functionalities such as authentication, rate limiting, and access control
- Extensibility - highly customizable with plug-ins and easy integration with observability tools like Prometheus and Grafana
-
Static - at startup - can only use one of these in this order of priority:
- config file
- CLI args in deployment
- environment variables
- uses CLI args on K3s
- static config sets entrypoints (port), backend providers to enable for dynamic configs, tracing, observability, and logging
-
Dynamic - polls backend providers to get config updates
-
can listen to different protocols on the same port! eg. HTTPS and plain TCP passthrough on same port...
-
Provider Types
- Labels - Dockerfile
- Annotations - Kubernetes Ingress
- Key/Value Pairs - Etcd / ZooKeeper / Consul
- Files - Bare Metal or Kubernetes CRD such as IngressRoute, can also use Kubernetes ConfigMap mount for non-standard configurations
-
Provider Namespaces -
<name>@<provider>eg.middleware-redirect@kubernetescrd- in K8s Ingress this would be referenced as just
middleware-redirectbecause it's already part of Kubernetes CRD provider
- in K8s Ingress this would be referenced as just
Routers->entrypoint->Router- router analyzes request, connects it to middleware or service
- matches on protocol, path, hostname, and TLS config
Alters request before handing it off to a Service.
- auth
- rewrites
- redirects
- rate limiting
- compression
- buffering
- circuit breaking
- retries
- error handling
- available for HTTP and TCP routers
- can chain middleware together
Connects requests to backend servers.
- load balancing
- sticky session persistence
- canary
- blue / green
- weighted routing
- only uses K8s service to get list of healthy pods from endpoints resource, sends directly to pods and bypasses k8s service IP
- use
TraefikServicewhen you want the Traefik LB features
| Kubernetes CRD object | Traefik object |
|---|---|
| IngressRoute ( HTTP / TCP / UDP ) |
Router - can point to either Kubernetes service or more LB feature rich TraefikService |
| TraefikService | HTTP Service (not a Kubernetes service) |
| Middleware ( HTTP / TCP ) |
Middleware |
| TLSOptions TLSStore ServersTransport |
same |
- Deploy pods
- Release - when traffic is cut over to new pods
- sticky sessions / session persistence - same user goes to same server in web farm - using Source IP or Cookie Header
affinity
- Traefik Proxy uses header
Set-Cookie
- Traefik Proxy uses header
- canary deployment
- weighted round robin small percentage of traffic from real users or
- route to new version based on header for QA team only to see the new version on production
- mirroring - duplicate requests to new version, but do not send the traffic back to users
- analyze logfiles and metrics of how the app behaves
- Traefik doesn't interrupt in-flight connections to reload configuration
- Nginx creates a new file and then restarts pods!
- more secure - Nginx has had more vulnerabilities
- weighted balancing (but pods are the same size so does this matter??)
- rate limiting
- no-code authentication
- Lets Encrypt support (other ingresses like Nginx, Kong, HAProxy just use Cert Manager watching the k8s ingress object configuration to auto-generate which is a more generic solution)
- Observability - dashboard, log analysis, metrics and request tracing
- integrates with:
- Datadog
- Elastic stack
- InfluxDB
- Statsd
- Jaeger
- Prometheus
- Zipkin
- integrates with:
- Custom plugins
- Plugin Catalog - available from Dashboard and Traefik Labs home page
- Publishes services to Traefik and exposes them via a
https://<random>.traefikhub.ioURL - Tunnels from K8s cluster where agent is to Traefik Hub to get configurations
- Supports Traefik Proxy and Nginx Ingress
See HariSekhon/Kubernetes-configs - traefik-hub-agent
Create secret from command there and install kustomization helm chart
- XXX: set an Access Control Policy to protect this URL endpoint with JWT token, Basic Auth or OIDC to Google:
https://doc.traefik.io/traefik-hub/access-control-policies/methods/oidc-google/
- XXX: set an access control policy immediately here:
- creates a Kubernetes
accesscontrolpoliciesobject of the same name as the policy in the traefik namespace:
kubectl get accesscontrolpolicies -Ahub-agent-auth-server-cc8d559bf-hn65h 1/1 Running 0 5h47m
hub-agent-auth-server-cc8d559bf-l8x4f 1/1 Running 0 5h47m
hub-agent-auth-server-cc8d559bf-pdx6j 1/1 Running 0 5h47m
hub-agent-controller-656cccffd8-w7lms 1/1 Running 0 5h47m
hub-agent-dev-portal-fd5d4c68-95m6m 1/1 Running 0 5h47m
hub-agent-dev-portal-fd5d4c68-b2zd9 1/1 Running 0 5h47m
hub-agent-dev-portal-fd5d4c68-jndd9 1/1 Running 0 5h47m
hub-agent-tunnel-569669c8bb-wbx2v 1/1 Running 0 5h47m
HariSekhon/Kubernetes-configs - Traefik
Ported from private Knowledge Base page 2023+