Skip to content

Instantly share code, notes, and snippets.

@undeadops

undeadops/traefik-alb.tf

Created April 15, 2020 23:55
Show Gist options
  • Save undeadops/410c1ff771b757d19e2ac7515ccc097f to your computer and use it in GitHub Desktop.
Save undeadops/410c1ff771b757d19e2ac7515ccc097f to your computer and use it in GitHub Desktop.
Download ZIP
Kubernetes ALB + Traefik Daemon Set Ingress Controller
Raw
traefik-alb.tf
// Traefik Ingress controller ALB
resource "aws_lb" "traefik" {
name = "traefik-alb"
internal = false
load_balancer_type = "application"
security_groups = [aws_security_group.traefik-ingress.id]
subnets = data.terraform_remote_state.vpc.outputs.vpc-public-subnets
enable_deletion_protection = true
enable_cross_zone_load_balancing = false
enable_http2 = true
ip_address_type = "ipv4"
access_logs {
bucket = <s3_bucket>
prefix = "ingress/traefik-ingress"
enabled = true
}
tags = {
Name = "traefik-ingress"
}
}
resource "aws_lb_target_group" "traefik-http" {
name = "traefik-http"
port = 80
protocol = "HTTP"
vpc_id = data.terraform_remote_state.vpc.outputs.vpc-id
target_type = "instance"
tags = {
Name = "traefik-http"
env = "dev"
application_name = "traefik-ingress-controller"
owner = "sre"
}
health_check {
enabled = true
interval = 30
healthy_threshold = 2
unhealthy_threshold = 2
protocol = "HTTP"
port = "8080"
path = "/ping"
}
}
resource "aws_lb_target_group" "traefik-https" {
name = "traefik-https"
port = 443
protocol = "HTTPS"
vpc_id = data.terraform_remote_state.vpc.outputs.vpc-id
tags = {
Name = "traefik-https"
env = "dev"
application_name = "traefik-ingress-controller"
owner = "sre"
}
health_check {
enabled = true
interval = 30
healthy_threshold = 2
unhealthy_threshold = 2
protocol = "HTTP"
port = "8080"
path = "/ping"
}
}
// Port 80 ALB Forward -> https [443]
resource "aws_lb_listener" "traefik-http" {
load_balancer_arn = aws_lb.traefik.arn
port = "80"
protocol = "HTTP"
default_action {
type = "redirect"
redirect {
port = "443"
protocol = "HTTPS"
status_code = "HTTP_301"
}
}
}
// HTTPS Listener
resource "aws_lb_listener" "traefik-https" {
load_balancer_arn = aws_lb.traefik.arn
port = "443"
protocol = "HTTPS"
ssl_policy = "ELBSecurityPolicy-TLS-1-2-Ext-2018-06"
certificate_arn = "<default_certificate_arn>"
default_action {
type = "forward"
target_group_arn = aws_lb_target_group.traefik-http.arn
}
}
// Additional HTTPS Certs
resource "aws_lb_listener_certificate" "wildcard-foobar" {
listener_arn = aws_lb_listener.traefik-https.arn
certificate_arn = "<certificate_ARN>"
}
resource "aws_lb_listener_certificate" "wildcard-cert" {
listener_arn = aws_lb_listener.traefik-https.arn
certificate_arn = "<certificate_ARN>"
}
resource "aws_lb_listener_certificate" "example-cert" {
listener_arn = aws_lb_listener.traefik-https.arn
certificate_arn = "<certificate_ARN>"
}
// Security Group
resource "aws_security_group" "traefik-ingress" {
name = "traefik-ingress"
description = "Traefik Ingress"
vpc_id = data.terraform_remote_state.vpc.outputs.vpc-id
ingress {
from_port = 80
to_port = 80
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
ingress {
from_port = 443
to_port = 443
protocol = "tcp"
cidr_blocks = ["0.0.0.0/0"]
ipv6_cidr_blocks = ["::/0"]
}
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "traefik-ingress"
}
}
Raw
traefik-deamonset.yaml
---
kind: DaemonSet
apiVersion: apps/v1
metadata:
name: traefik-ingress-controller
namespace: traefik
labels:
k8s-app: traefik-ingress
spec:
selector:
matchLabels:
k8s-app: traefik-ingress
name: traefik-ingress
template:
metadata:
labels:
k8s-app: traefik-ingress
name: traefik-ingress
spec:
serviceAccountName: traefik
terminationGracePeriodSeconds: 60
hostNetwork: true
containers:
- image: traefik:v2.2
name: traefik
ports:
- name: http
containerPort: 80
hostPort: 80
- name: https
containerPort: 443
hostPort: 443
- name: admin
containerPort: 8080
hostPort: 8080
securityContext:
capabilities:
drop:
- ALL
add:
- NET_BIND_SERVICE
args:
- --api
- --api.dashboard=true
- --api.insecure=true
- --ping=true
- --providers.kubernetesingress=true
- --providers.kubernetesingress.ingressclass=traefik
- --providers.kubernetesingress.ingressendpoint.hostname=<ALB ENDPOINT DNS NAME>
- --providers.kubernetescrd.ingressclass=traefik
- --entryPoints.web.address=:80
- --entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.1.0.0/24,10.1.1.0/24,10.1.2.0/24
- --metrics.prometheus=true
#- --log.level=INFO
- --log.level=DEBUG
- --log.format=json
# enable access log
- --accesslog=true
- --accesslog.fields.defaultmode=keep
- --accesslog.fields.headers.defaultmode=keep
# write logs into container STDOUT
# - --accesslog.filepath=/dev/stdout
- --accesslog.format=json
# Check for updates
- --global.checknewversion=true
readinessProbe:
httpGet:
path: /ping
port: 8080
initialDelaySeconds: 2
timeoutSeconds: 2
periodSeconds: 10
failureThreshold: 4
livenessProbe:
httpGet:
path: /ping
port: 8080
initialDelaySeconds: 6
timeoutSeconds: 2
periodSeconds: 10
failureThreshold: 6
Raw
webby-ingress.yaml
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: webby
namespace: webby
annotations:
kubernetes.io/ingress.class: "traefik"
traefik.ingress.kubernetes.io/router.middlewares: webby-ratelimit@kubernetescrd
spec:
rules:
- host: webby.example.com
http:
paths:
- backend:
serviceName: webby
servicePort: 80
- host: webby.foobar.xyz
http:
paths:
- backend:
serviceName: webby
servicePort: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: ratelimit
namespace: webby
spec:
rateLimit:
average: 1
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment