Traefik is an edge router that can be easily integrated with the common cluster management solutions. The presentation includes features provided in the recent major release of Traefik. The live demo includes presentation of canary deployment, mirroring which are built-in features. The cluster was running on a lightweight version of Kubernets called #k3s.
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Traefik as an open source edge router for microservice architectures
1. TRAEFIK AS AN OPEN SOURCE EDGE ROUTER
FOR MICROSERVICE ARCHITECTURES
JAKUB HAJEK
FEB 27TH, 2020
2. ▸ I am the owner and technical consultant working for Cometari
▸ I’ve been system admin since 1998
▸ Cometari is a solutions company implementing DevOps culture
and providing consultancy, workshops and software services.
▸ Our expertise are DevOps, Elastic Stack - log analysis,
▸ We are deeply involved in the travel tech industry
▸ However our solutions go much further than just integrating
travel API’s.
INTRODUCTION
3. “I strongly believe that implementing DevOps culture, across
the entire organisation, should provide measurable value and
solve the real issue rather than generate a new one.”
Jakub Hajek, Cometari
4. My goal is to show how Traefik can make your daily duties easier if you work
with microservice architectures running in distributed systems.
6. IMMUTABLE CONTAINERS
▸ Mutable vs Immutable
▸ No incremental changes to the image
▸ No more drifting configuration
▸ (No) imperative updates
▸ Base image + source code = An artefact / immutable image
▸ The artefact is scaling unit in distributed systems
▸ Canary and mirror deployments
▸ Rollback if an error occurs
9. TRAEFIK 2.X KEY FEATURES
▸ TCP support
▸ Kubernetes CRD
▸ ROUTER= frontend, SERVICE=backend, MIDDLEWARES=rules
▸ Fully customisable routes via middleware, which can be reused on many routers
▸ YAML, TOML is still good
▸ A new dashboard with web UI
▸ Canary deployment with Service Load balancer
▸ Network traffic Mirroring with Service Load balancer
▸ Consul catalog
10. KUBERNETES INGRESS PROVIDER
▸ Traefik can be used as an another ingress provider
▸ Configuration is done via (lots of) annotations
11. KUBERNETES CRD AND AVAILABLE CUSTOM RESOURCES
▸ Ingressroute - HTTP routing - http router
▸ Middleware - tweaks the HTTP before they are sent to a
service - HTTP Middleware
▸ TraefikService - abstraction for HTTP LB/mirroring
▸ IngressRouteTCP - TCP routing - TCP router
▸ TLSOptions - TLS connection parameters
https://docs.traefik.io/routing/providers/kubernetes-crd/
12. LETSENCRYPT WITH CRD
▸ Traefik is delivered as an immutable containers
▸ LetsEncrypt keeps persistence in a file
▸ Previous version keeps cert in KV stores (Consul)
▸ The file with cert works fine with only once Traefik instance
▸ SPOF
https://docs.traefik.io/providers/kubernetes-crd/#letsencrypt-support-with-the-custom-resource-definition-provider
13. IMMUTABLE CONTAINER WITH TRAEFIK
▸ Custom image with Traefik with added SSL certificate into
image
▸ Configuration files added directly to the image
▸ Works perfectly if you bought SSL cert and don’t use
dynamically updated Let’s Encrypt
▸ Horizontal scalability is simple, no need to care about the
persistence for Let’s Encrypt certificates
14. HA WITH LETSENCRYPT
▸ Traefik EE which supports distributed LetsEncrypt
▸ LetsEncrypt keeps persistence in a file
▸ Previous version keeps cert in KV stores (Consul)
▸ Cert Manager that keeps certificates in secrets
16. ENTRYPOINT ROUTER SERVICE
MIDDLEWARE 1 MIDDLEWARE 2 MIDDLEWARE 3
Request Calls to backend servers
Tweaking request before / after the arrives to their destination
17. MIRRORING OR LIVE TRAFFIC SHADOW
▸ Understand difference between Deployment vs Release
▸ Deployment brings new code to the production,
no production traffic yet!
▸ Run smoke, integration tests to make sure that new
deployment has no impact to your users
▸ Release brings live traffic to a deployment.
▸ We can shadow live traffic to the new deployment and
reduce the risk of failure.
19. CANARY DEPLOYMENT
▸ Deployment vs Release
▸ Instead of switching to new version in one step, we use a phased
approach
▸ We deploy a new app in a small part of the production
infrastructure
▸ Only a few users (1%) are routed to the newest version (Release)
▸ With no errors reported, the new version can be released to the
rest of the infrastructure.
22. OBSERVABILITY
▸ /metrics endpoint
▸ Enable Prometheus or any other backend
▸ Use Grafana to visualise metrics
▸ Use existing dashboards to visualise data (or develop your
own)
23. LOGGING AND VISUALISING ACCESS LOGS
▸ Traefik logs are in JSON including startup and errors events
▸ Access logs are written to STDOUT in JSON format.
▸ Treat logs as an event and transfer them to external system
(Elastic Stack + Fluentd)
▸ Use Kibana and Logs tab to have live data streaming
▸ Develop dashboard with a map and place GEO points of IP
addresses
24. TRACING
▸ You can’t just relay on app and system logs
▸ Visualize the requests flows
▸ Traefik uses OpenTracing for distributed tracing
▸ Jeager, Zipkin, Datadag and a few more
25. CONFIGURATION TIPS
▸ Don’t mix static configuration vs dynamic configuration
▸ CLI command can be used for static config or if you prefer you can define
config file as well
▸ Labels (for Swarm) can be used to define dynamic configuration or config files
▸ directory with WATCH flag enabled as well
▸ More advanced rules configuration via middleware are dynamically defined
▸ The most flexible is to run Traefik as container, instead of binary directly from
host
▸ Healthcheck for your services are crucial
27. DEMO ENVIRONMENT IN DETAILS
▸ K3S cluster* consisting of 3 nodes
▸ INSTALL_K3S_EXEC="server --no-deploy traefik”
▸ SSL certs issued by Lets Encrypt
▸ FQDN domains:
▸ https://a.labs.cometari.eu
▸ https://n.labs.cometari.eu
▸ https://c.labs.cometari.eu
▸ DNS Round Robin: Route 53 with its implemented health checks
▸ Web Server and NodeJS backend
28. Diagram of demo environment
TRAEFIK
WEB FRONTEND
NODEJS BACKEND
31. DEMO SCENARIOS
▸ Web UI to see how services are deployed
▸ Scaling services and generating some network traffic via
Slapper
▸ Example of Canary deployment
▸ Example of Mirroring configuration
32. SUMMARY
▸ Traefik provides flexible way to expose services, auto discovery
▸ It can be configured in multiple way, there are no ready to use config - just
refer to configuration tips
▸ Fully customise routes via middlewares
▸ Easily integrates with every major cluster technology
▸ Lets Encrypt integrated, managing SSL certs is easy
▸ Metrics, Tracing, Logs
▸ Rolling out releases thanks to Canary deployments
▸ Mirroring - duplicating incoming request and send them to different services.