This page provides information on how to configure FADI with the Traefik reverse proxy.
Traefik is an open-source reverse proxy and load balancer for HTTP and TCP-based applications that is easy, dynamic, automatic, fast, full-featured, production proven, provides metrics, and integrates with every major cluster technology... No wonder it's so popular!
Note: reverse proxies other than Traefik can be used with FADI; check the list here.
You can find information about the Traefik Helm chart in the Traefik Helm repository.
To enable the Traefik reverse proxy, you need to configure it in values.yaml. Create a values.yaml file and add these lines:
traefik:
  enabled: true
You can enable the dashboard by adding these lines in the values.yaml file:
traefik:
  enabled: true
  dashboardIngress:
    enabled: true
    dashboardHost: dashboard.example.cetic.be
  globalArguments:
    - "--api.insecure=true"
If you have your own public IP address and you want to use it, navigate to the service part of the traefik section and set the loadBalancerIP field to your public IP:
traefik:
  service:
    spec:
      loadBalancerIP: "<your_public_IP>"
To provide an IP address to your Traefik LoadBalancer service, you must have a load balancer such as MetalLB for a bare metal deployment. If you are in the cloud, cloud providers have their own load balancers. For a Minikube deployment, you can just type the following command:
minikube tunnel
See the default values file from the official repository for more configuration options.
Note that this configuration is not suitable for a production environment because access to the API is not secure: the --api.insecure=true argument serves the Traefik API and dashboard without authentication. If you are deploying Traefik in a production environment, you must define security features through middleware. Please refer to the Traefik documentation.
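One way to put authentication in front of the dashboard through middleware, as an added example that is not part of the FADI chart or the original page: a basicAuth Middleware attached to an IngressRoute for Traefik's internal API service. It assumes --api.insecure=true has been removed from globalArguments; the names dashboard-auth, dashboard-users and traefik-dashboard-secure are hypothetical.

```yaml
# Added example, not FADI's own manifest. Assumptions:
#  - "--api.insecure=true" is no longer in traefik.globalArguments
#  - the chart's own dashboard route is not also exposing this host
#  - a Secret "dashboard-users" holds htpasswd-format lines under the key
#    "users", created for instance with:
#      kubectl create secret generic dashboard-users \
#        --from-file=users=./users.htpasswd
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth            # hypothetical name
spec:
  basicAuth:
    secret: dashboard-users       # hypothetical Secret name
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-secure  # hypothetical name
spec:
  entryPoints:
    - websecure                   # TLS entry point only, no plain HTTP
  routes:
    - kind: Rule
      match: Host(`dashboard.example.cetic.be`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      services:
        - name: api@internal      # Traefik's built-in API/dashboard service
          kind: TraefikService
      middlewares:
        - name: dashboard-auth    # every request must pass basic auth
  tls:
    # Assumption: a TLS Secret named after the host exists, following the
    # convention used by the FADI IngressRoute templates.
    secretName: dashboard.example.cetic.be
```

After applying it, an unauthenticated request to the dashboard host should return 401, and the dashboard should no longer answer on the internal traefik entry point.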
You will need to update IngressRoute definitions for each service you want to expose behind your domain name. See https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/ for the documentation.
Update the FADI values.yaml file. You can set all the service types to ClusterIP as all services are now exposed through an IngressRoute.
For instance, for Grafana:
grafana:
  enabled: true
  service:
    type: ClusterIP
  .............
  traefikIngress:
    enabled: true
    host: grafana.example.cetic.be
You should now be able to access Grafana through the domain name you have chosen: http(s)://grafana.example.cetic.be
Four services (Grafana, NiFi, JupyterHub and Superset) and the Traefik dashboard already have an IngressRoute defined. You just have to activate them. If you want to build IngressRoutes for other services, you must add them in the ingressroutes.yaml file. E.g. for Grafana:
{{- if and (.Values.grafana.enabled) (.Values.grafana.traefikIngress.enabled) -}}
{{- if .Values.grafana.traefikIngress.tls }}
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: grafana
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`{{ .Values.grafana.traefikIngress.host }}`) && PathPrefix(`/`)
      services:
        - name: {{ .Release.Name }}-grafana
          port: 80
  tls:
    secretName: {{ .Values.grafana.traefikIngress.host }}
---
{{- end }}
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: grafana-http
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`{{ .Values.grafana.traefikIngress.host }}`) && PathPrefix(`/`)
      services:
        - name: {{ .Release.Name }}-grafana
          port: 80
      {{- if .Values.grafana.traefikIngress.tls }}
      middlewares:
        - name: https-redirect
      {{- end }}
---
{{- end }}
Note: there is also a middleware object in the ingressroute.yaml file. It provides an HTTPS redirect when TLS is enabled.
Next you will also want to configure TLS access to your services. For that, have a look at the security documentation.