
Why traifik ingress?

2022-06-24 01:02:00 Luga Lee

What is Traefik Ingress?

Before unpacking this concept, let's first review the concept of the Ingress Controller, a component of the Kubernetes ecosystem.

According to the official Kubernetes documentation, an Ingress is defined as:

1. An API object that manages external access to the services in a cluster, typically HTTP.

2. Something that can provide load balancing, SSL termination and name-based virtual hosting.

In the cloud-native ecosystem, an Ingress can be thought of as something similar to a reverse proxy and load balancer, except that Kubernetes takes a BYOS (bring your own software) approach and ships no software to implement these functions. It only provides an API as a standardized way of defining rules that say which traffic goes to which service. That is where the Ingress Controller comes in. An Ingress Controller is an application that we deploy into the cluster, and it does the following:

1. Plugs into the Kubernetes API

2. Watches Ingress objects

3. Reads the ingress rules they contain

4. Configures itself to route incoming traffic according to those rules

In practice, the Ingress Controller service is usually configured to receive all traffic for the whole cluster. In the context of HTTP/HTTPS traffic, this means it listens on ports 80 and 443 of the cluster's public IP address.

So, what is Traefik?

According to the official definition, Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. Traefik integrates with the infrastructure components that are popular today (Docker, Swarm mode, Kubernetes, Marathon, Consul, Etcd, Rancher, Amazon ECS and so on) and configures itself automatically and dynamically. Pointing Traefik at our orchestrator should be the only configuration step we need. Traefik therefore makes microservice deployment simpler.

Traefik is an open-source Edge Router that makes publishing services a fun and easy experience. It receives requests on behalf of the systems behind it and dynamically discovers which component is responsible for handling each request.

Beyond its many basic features, Traefik has one distinguishing trait: automatic discovery. It finds the right configuration for a service based on the service's own characteristics. When Traefik inspects the infrastructure, it picks up the relevant information and works out which service serves which request. This is where the router really shines.

With Traefik we usually do not have to maintain and synchronize separate configuration files: everything happens automatically and in real time (hot reloading). We can therefore spend most of our energy on developing new functional components and deploying them into the system, instead of wasting time on configuration and maintenance chores.

As already mentioned, Traefik is an Ingress Controller implementation for Kubernetes. It was originally designed as an extensible, lightweight reverse proxy, but it later gained the ability to integrate fully with Kubernetes clusters while remaining compatible with Docker and other interfaces, which made it considerably more capable. Acting as the gatekeeper of the platform, it intercepts and routes every request and, according to the relevant logic and rules, hands it to the service that should handle it. Because Traefik detects routing rule changes in real time, updates them automatically and discovers services automatically, traffic can be served more efficiently.

As of writing, the latest Traefik release is V2.4.14. This article uses Traefik V2.x as its example; its basic architecture and components are shown in the diagram below:

Traefik architecture overview

Looking at the reference diagram above, the core components of a Traefik system are the following:

1. Entrypoints: the network entry points that listen for incoming traffic on a port. They mainly define the ports on which requests are received (HTTP or TCP). The workflow is shown in the figure below:

Traefik Entrypoints traffic topology

A configuration example:

## Static configuration
## Two entrypoints are defined: one named web and another named web-secure; web listens on port 80, web-secure listens on port 443.
entryPoints:
  web:
    address: ":80"

  web-secure:
    address: ":443"

2. Routers: analyze the request (Host, Path, Headers, SSL and so on) and are mainly responsible for connecting incoming requests to the services that can handle them. The workflow is shown in the figure below:

Traefik Routers internal architecture

A configuration example:

## Dynamic configuration
## Using the File provider, requests for /foo are handled by the service-foo service
http:
  routers:
    my-router:
      rule: "Path(`/foo`)"
      service: service-foo

3. Services: forward the request to the corresponding application (load balancing and so on); they mainly configure how to reach the actual service that will finally process the incoming request. The workflow is shown in the figure below:

Traefik Services internal architecture

A configuration example:

## Dynamic configuration
## Using the File provider, declare an HTTP service with two instances
http:
  services:
    my-service:
      loadBalancer:
        servers:
        - url: "http://private-ip-server-1/"
        - url: "http://private-ip-server-2/"

## Using the File provider, declare a TCP service with two instances
tcp:
  services:
    my-service:
      loadBalancer:
        servers:
        - address: "10.10.10.10"
        - address: "10.10.10.11"

4. Middlewares: modify the request or make decisions based on it (authentication, rate limiting, headers and others). Traefik ships with many built-in middlewares with different functions: some modify the request or its headers, some perform redirects, some add authentication, and so on. Middlewares can be chained together to cover many situations. The workflow is shown in the figure below:

Traefik Middlewares internal structure

5. Providers: automatically discover services on the platform. A provider can be an orchestrator, a container engine, a key-value store and so on, such as Docker, Kubernetes or File.
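To show how the five components fit together, here is an added example (not configuration from the article) that wires one request path through all of them: a plaintext entrypoint that redirects to TLS, a router that chains three middlewares before the service, and a file provider with hot reloading. The hostname app.example.com, the back-end addresses 10.0.0.11 and 10.0.0.12, the file paths under /etc/traefik and the e-mail address are assumptions; the certificate resolver reuses the tlsChallenge shape shown later in the article. The two documents are two separate files in practice; they are shown together for readability.

```yaml
# traefik.yml -- static configuration (assumed file path; added example)
entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        # send every plaintext request to the TLS entry point
        entryPoint:
          to: web-secure
          scheme: https
  web-secure:
    address: ":443"

providers:
  file:
    # dynamic configuration is read from this file and hot-reloaded on change
    filename: /etc/traefik/dynamic.yml
    watch: true

certificatesResolvers:
  default:
    acme:
      email: admin@example.com        # placeholder address
      storage: /etc/traefik/acme.json # assumed path for the ACME state file
      tlsChallenge: {}

---
# /etc/traefik/dynamic.yml -- dynamic configuration read by the file provider
http:
  routers:
    foo-router:
      entryPoints:
        - web-secure
      rule: "Host(`app.example.com`) && PathPrefix(`/foo`)"
      # middlewares run in the order listed: cheap rate limiting first,
      # then authentication, then response-header hardening
      middlewares:
        - foo-ratelimit
        - foo-auth
        - secure-headers
      service: service-foo
      tls:
        certResolver: default

  middlewares:
    foo-ratelimit:
      rateLimit:
        average: 100   # average requests per second allowed per client IP
        burst: 50
    foo-auth:
      basicAuth:
        # htpasswd-format file, kept outside the configuration itself
        usersFile: /etc/traefik/users.htpasswd
    secure-headers:
      headers:
        stsSeconds: 31536000
        stsIncludeSubdomains: true
        contentTypeNosniff: true
        frameDeny: true

  services:
    service-foo:
      loadBalancer:
        servers:
          - url: "http://10.0.0.11:8080/"
          - url: "http://10.0.0.12:8080/"
        healthCheck:
          path: /healthz
          interval: "10s"
```

The order of the middlewares list matters: the rate limiter rejects floods before any credential check runs, and the headers middleware only touches responses that have already passed authentication. Because the resolver is referenced by name from the router's tls block, Traefik requests and renews the certificate for app.example.com on its own.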

In addition to the above, Traefik v2.4 added support for the Kubernetes Gateway API. The Gateway API is an open-source project managed by the SIG-NETWORK community, whose goal is to evolve service networking APIs within the Kubernetes ecosystem. The Gateway API provides resources for exposing Kubernetes applications, such as Service and Ingress. It is designed to offer expressive, extensible, role-oriented interfaces that improve service networking, and these interfaces have been implemented by many vendors and enjoy broad industry support. The Gateway API is a collection of API resources (Service, GatewayClass, Gateway, HTTPRoute, TCPRoute and so on); together, these resources model a variety of networking use cases.

Compared with the other Ingress components in the cloud-native ecosystem, where do Traefik's advantages lie?

Traefik is a reverse proxy solution developed by Traefik Labs (formerly Containous). It was first open-sourced in September 2015, had its first stable release in 2016, and has the largest number of GitHub stars among reverse proxy frameworks, at 34.1K. Despite its long history it is still under active development; the last commit was 16 hours ago. These impressive figures confirm the framework's popularity in the community and give some assurance that it will remain actively developed for a long time, which is an important consideration that should not be underestimated when choosing an open-source framework.

In terms of usability, Traefik's "core" advantages can be summarized in the following aspects:

1. Custom extension through middlewares

2. An observable GUI dashboard

3. Easy handling of automatic TLS certificate renewal

4. Documentation full of configuration examples for every provider type and every feature

Extensibility

Traefik supports a large number of middleware functions. It has many built-in middlewares that we can configure and use immediately to handle the logic of different business scenarios.

A complete list of these middlewares can be found here: https://doc.traefik.io/traefik/middlewares/overview/. Some of the most widely used and noteworthy ones in a cluster are the following:

1. BasicAuth, which provides basic authentication for otherwise unprotected local endpoints (for example the Traefik dashboard itself)

2. ForwardAuth, which provides a single sign-on front end for applications in the cluster that do not support OpenLDAP authentication

3. RateLimit, which provides basic protection against DDoS attacks for all endpoints

According to the official documentation, middleware functionality is also easy to use and can be configured as a Kubernetes custom resource. For example, here is a brief configuration of the BasicAuth middleware:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: admin-auth
  namespace: traefik-system
spec:
  basicAuth:
    secret: traefik-admin-auth-secret

Furthermore, from the middleware definition in this example we can see that it integrates with Kubernetes Secrets: it obtains the basic authentication credentials from the Kubernetes Secret named traefik-admin-auth-secret. This means no password has to be hard-coded in any file, and the credentials can be created, modified or deleted independently.

Observability

Traefik has a very nice built-in dashboard that we can use to check the health of applications and middlewares.

In the Traefik V2.x ecosystem, observability is divided architecturally into the following parts:

1. Service log: operational logs of the Traefik process itself

2. Access log: access logs of the services that Traefik proxies

3. Metrics: Traefik exposes detailed metrics about itself

4. Tracing: Traefik also provides tracing integrations, which can be used to visualize calls in distributed or microservice systems
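The four observability parts above are all switched on in the static configuration. The following is an added example (not from the article) of a static configuration fragment that enables the service log, a JSON access log that redacts the Authorization header, Prometheus metrics on a dedicated entrypoint, Jaeger tracing, and the dashboard served only through an authenticated router. The file paths, the metrics port 8082 and the jaeger-agent host name are assumptions.

```yaml
# traefik.yml -- static configuration fragment (added example)

# 1. Service log: the Traefik process's own operational log
log:
  level: INFO
  filePath: /var/log/traefik/traefik.log   # assumed path

# 2. Access log: one JSON line per proxied request, safe to ship to a SIEM
accessLog:
  filePath: /var/log/traefik/access.log    # assumed path
  format: json
  bufferingSize: 100
  fields:
    defaultMode: keep
    headers:
      defaultMode: drop        # do not log arbitrary request headers
      names:
        User-Agent: keep
        Authorization: redact  # credential never lands in the log file

# 3. Metrics: Prometheus scrape endpoint on its own port, not on web/web-secure
metrics:
  prometheus:
    entryPoint: metrics
    addEntryPointsLabels: true
    addServicesLabels: true

entryPoints:
  metrics:
    address: ":8082"   # assumed internal-only port

# 4. Tracing: spans are sent to a Jaeger agent (host name assumed)
tracing:
  serviceName: traefik
  jaeger:
    samplingServerURL: http://jaeger-agent:5778/sampling
    localAgentHostPort: jaeger-agent:6831

# Dashboard: enabled, but insecure mode is off, so it is only reachable through
# a router that attaches an authentication middleware (see the BasicAuth example)
api:
  dashboard: true
  insecure: false
```

With insecure set to false, the dashboard is not bound to a separate open port; it only becomes reachable through a router that targets the internal api service, which is where the BasicAuth middleware discussed in this article is attached.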

A reference screenshot of the Traefik dashboard is shown below:

Traefik Dashboard

In the detail view we can also see the ingress rules, Pod names, TLS configuration and any middlewares in use, which gives us great transparency into all the ingress routes currently configured in the cluster. Combined with the actual business scenarios, this lets us track and observe traffic scheduling end to end, which improves operations efficiency.

TLS certificate auto-renewal

Since I set up Traefik, I have completely forgotten that my TLS certificates exist, which shows how well Traefik manages my Let's Encrypt TLS certificates, which have to be renewed every 90 days.

In my setup, I use wildcard TLS certificates obtained through the DNS-01 ACME (Automatic Certificate Management Environment) challenge, which gives all my portals automatic HTTPS access on demand. Traefik automatically renews each TLS certificate it manages several days before it expires, so we can forget about the certificate renewal process entirely.

Configuring Traefik to obtain TLS certificates through the Let's Encrypt ACME TLS-ALPN-01 challenge is very simple; just specify the following in the static configuration file:

certificatesResolvers:
  default:
    acme:
      email: [email protected]
      tlsChallenge: {}

Configuration examples

What I really appreciate about Traefik is that, although it supports a large number of routing rule configuration providers, such as Docker, Kubernetes, Consul and so on, its examples are never skimped on. For every feature, it provides examples for all of the configuration providers it supports. Take BasicAuth as an example: the BasicAuth middleware restricts access to our services to known users. Its processing workflow is as follows:

Traefik BasicAuth workflow

Taking the Kubernetes platform as an example, the corresponding configuration is:

# Declaring the user list
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: demo-auth
spec:
  basicAuth:
    secret: secretName

For the YAML file provider, the corresponding configuration is:

# Declaring the user list
http:
  middlewares:
    demo-auth:
      basicAuth:
        users:
          - "demo1:$apr1$H6usqqqW$IgXLP6ewTrSuBkTrqE8wj/"
          - "demo2:$apr1$d9hr9POO$4HxwgUir3HP4EsggP/QNo0"
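The two snippets above define the middleware but not the Secret it reads from, nor the route it protects. The following added example (not from the article or the Traefik project) completes the Kubernetes side of the picture: the Secret that Traefik's basicAuth reads from its users key, the Middleware from the earlier section, and an IngressRoute that puts that middleware in front of the Traefik dashboard itself, as the article suggests. The host name traefik.example.com and the entrypoint name web-secure (from this article's entrypoint example) are assumptions; the demo1 hash is the one shown above.

```yaml
# Secret holding htpasswd lines; the basicAuth middleware reads the "users" key
apiVersion: v1
kind: Secret
metadata:
  name: traefik-admin-auth-secret
  namespace: traefik-system
type: Opaque
stringData:
  users: |
    demo1:$apr1$H6usqqqW$IgXLP6ewTrSuBkTrqE8wj/
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: admin-auth
  namespace: traefik-system
spec:
  basicAuth:
    secret: traefik-admin-auth-secret
    removeHeader: true   # strip the Authorization header before forwarding
---
# Route the dashboard (api@internal) only through TLS and only past admin-auth
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik-system
spec:
  entryPoints:
    - web-secure
  routes:
    - match: Host(`traefik.example.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      middlewares:
        - name: admin-auth
          namespace: traefik-system
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    certResolver: default
```

Rotating a password is then a matter of updating the Secret: the Middleware and IngressRoute never change, and no credential is stored in a manifest that is committed alongside the application.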

Of course, beyond the "core" advantages above, Traefik also has the following advantages in real business scenarios: for example, thanks to its cloud-native nature it fully supports metrics and integrates seamlessly with Prometheus and Kubernetes; it also has more advanced features, for example multi-version canary (grayscale) releases, traffic mirroring, automatically generated free HTTPS certificates and other related features.

Admittedly, Traefik may not be perfect right now, but it is still developing rapidly and, compared with other components of the same kind, it is well worth recommending and adopting. After all, with its rapid version iteration, both the entry layer of the traffic topology and the gateway routing layer can be connected seamlessly. Moreover, from the perspective of real-world adoption, it has become the first choice of more and more enterprises as the traffic ingress component of their cloud-native platforms.

Furthermore, as the cloud-native ecosystem continues to mature, microservice architecture and container technology (Docker and the K8S orchestration tooling) have been hot in recent years. Traditional reverse proxy stacks such as Nginx and Apache therefore look stretched and feeble in a cloud-native environment, and by their very nature they do not deliberately provide support for the cloud-native ecosystem. That is why the Ingress Controller component exists: it bridges K8S and Nginx. Traefik, on the other hand, was born with support for Docker and K8S; in other words, Traefik can interact with the K8S API to become aware of back-end changes, so when we use Traefik in a cloud-native ecosystem, components such as an Ingress Controller plus Nginx lose their reason to exist.

If you decide to go down this path, please read on to the next article, in which I will walk you through the documentation, introduce step by step how to deploy Traefik on your own cluster, and interpret it in combination with relevant scenarios.


Copyright notice
This article was written by [Luga Lee]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2021/11/20211121102522766a.html