Traefik balancer review
Comparison with other balancers:
Functional | Traefik | Nginx | HAProxy |
---|---|---|---|
Automatic service discovery | Yes | No (requires additional settings) | No (requires additional settings) |
Support for containers and orchestrators | Docker, Kubernetes, etc. | Limited | Limited |
Dynamic configuration | Yes | Limited (with reboot) | Limited (with reboot) |
HTTPS support and automatic receipt of certificates | Yes | Yes | Yes |
Plugins and Extensibility | Eat | Yes (via modules) | Limited |
Architecture
Traefik divides its architecture into two main components: Control plane And Data plane:
Control plane
Control plane is responsible for all the logic: discovering services before generating and applying routing configurations, interacts with various providers (like cybernets) to dynamically discover services and their states, and then form routing rules based on this data.
Main components of the Control plane:
Providers: configuration sources for Traefik. Providers can be static (configuration files) or dynamic (container orchestrators, discovery services, etc.). The control plane subscribes to changes in these providers to update the routing configuration in real time.
API and Dashboard: The interface allows you to view the current configuration, statistics and manage Traefik through the web interface or programmatically.
Configuration storage system: stores the current Traefik configuration received from all connected providers. This configuration is dynamically updated as the state of services or their configurations change.
When Traefik starts, the Control plane begins the service discovery process by connecting to the configured providers.
Traefik establishes connections with configured providers to obtain information about services and their status. The control plane collects configurations from all providers, combining them into a single routing configuration.
When a service state or configuration changes in one of the providers, the Control plane automatically updates the routing configuration in Traefik.
Data plane
Data plane is responsible for directly processing and routing incoming traffic to the appropriate services.
Based on the rules defined in the Control plane, the Data plane routes incoming requests to the appropriate backends or services, and also distributes requests across multiple service instances and decrypts encrypted traffic on the balancer side, reducing the load on the backends.
The data plane also uses various middleware to modify requests/responses or perform additional security checks.
The Data plane is very closely integrated with the Control plane and is capable of dynamically updating its configuration without restarts or interruption of traffic service.
traefik configuration
Traefik configuration file can be in TOML, YAML and JSON formats
Global:
global:
checkNewVersion: true
sendAnonymousUsage: true
checkNewVersion
: Check for new versions on startup.
sendAnonymousUsage
: Send anonymous usage statistics to improve Traefik.
EntryPoints:
entryPoints:
web:
address: ":80"
websecure:
address: ":443"
Defines the entry points through which traffic enters Traefik, configures listening ports and, if necessary, TLS settings.
Providers:
providers:
file:
filename: /path/to/dynamic/conf.yaml
docker:
exposedByDefault: false
Provider configuration from where Traefik gets information about services. May include Docker, Kubernetes, file system, etc. More on this later.
APIs and dashboards:
api:
dashboard: true
Includes Dashboard Traefik
Log:
log:
level: ERROR
filePath: /path/to/log/file.log
format: common
Logging settings, including logging level, path to the log file and logging format.
Access log:
accessLog:
filePath: /path/to/access/log/file.log
bufferingSize: 100
Access log configuration, including file path and logging buffer size.
Certificates Resolvers for TLS:
certificatesResolvers:
myresolver:
acme:
email: email@example.com
storage: acme.json
httpChallenge:
entryPoint: web
Configuring certificate resolvers to automatically obtain and update SSL/TLS certificates via ACME, specifying the method for obtaining certificates and the entry point for verification.
Middlewares:
http:
middlewares:
testHeader:
headers:
customRequestHeaders:
X-Script-Name: "traefik"
Defining middleware that can be used to modify requests/responses, add headers, redirect, etc.
services and loadbalancer:
http:
routers:
myRouter:
rule: "Host(`example.com`)"
service: "myService"
services:
myService:
loadBalancer:
servers:
- url: "http://127.0.0.1:80"
Defines routers and services. Routers define rules for directing traffic to services, and services describe how traffic should be distributed among backends.
Setting up Traefik in Docker and Kubernetes
Docker
First you need to prepare docker-compose.yml
file for Traefik. In this file we define how Traefik will be launched and how it will discover Docker containers:
version: '3'
services:
traefik:
image: traefik:v2.5
command:
- "--log.level=DEBUG"
- "--api.insecure=true"
- "--providers.docker=true"
- "--providers.docker.exposedbydefault=false"
- "--entrypoints.web.address=:80"
ports:
- "80:80"
- "8080:8080"
volumes:
- "/var/run/docker.sock:/var/run/docker.sock"
We mount a Docker socket so that Traefik can communicate with the Docker daemon and automatically detect running containers. Open port 80 for web traffic and port 8080 for access to Dashboard Traefik. We tell Traefik not to consider all containers by default to avoid unwanted publication of services.
Next, we'll add a service that Traefik should automatically discover and route traffic to. To do this, we will add another service to docker-compose.yml
file:
services:
my-service:
image: my-service-image
labels:
- "traefik.enable=true"
- "traefik.http.routers.my-service.rule=Host(`my-service.local`)"
- "traefik.http.routers.my-service.entrypoints=web"
Let's launch my-service
with the image my-service-image
.
traefik.enable=true
tells Traefik to process this container.
traefik.http.routers.my-service.rule=Host(my-service.local)
defines a host-based routing rule.
traefik.http.routers.my-service.entrypoints=web
points to the entrypoint we defined in the Traefik configuration.
After setup docker-compose.yml
run:
docker-compose up -d
Traefik automatically detects my-service
and begins to route traffic to it. You can check this via Dashboard Traefik at http://localhost:8080
.
Kubernetes
We install Traefik as an Ingress Controller in our Kubernetes cluster. You can do this using Helm:
helm repo add traefik https://helm.traefik.io/traefik
helm repo update
helm install traefik traefik/traefik
You can customize the installation using the file values.yaml
or passing parameters directly via cmd
Next you need to configure Ingress so that traffic can be directed to services:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: example-ingress
annotations:
kubernetes.io/ingress.class: "traefik"
spec:
rules:
- host: example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: example-service
port:
number: 80
The manifest creates an Ingress rule that directs all traffic to example.com
to the service example-service
per port 80
.
Traefik automatically discovers services and Ingress resources in yours thanks to integration with the Kubernetes API.
Plugins
Plugins in Traefik are developed using Go and are implemented as individual modules that can be loaded and activated at runtime.
Traefik Pilot is a SaaS platform from the developers of Traefik that allows you to manage and monitor Traefik instances. To use plugins, you must register your instance of Traefik with Pilot and activate the required plugins through the web interface.
Once the plugin is activated in Pilot, it can be configured and used in your Traefik instance by adding the appropriate settings to the Traefik configuration.
Some of the popular plugins:
Traefik Custom Log Fields: Allows you to add custom fields to Traefik logs.
CORS: adds support CORS to requests.
Authelia: integrates Traefik with Authelia for strong authentication and authorization.
OAuth: OAuth support for user authentication.
Configuration for example for the CORS plugin in dynamic_conf.toml
might look something like this:
[http.middlewares]
[http.middlewares.myCorsPlugin.plugin.cors]
accessControlAllowMethods = ["GET", "OPTIONS", "PUT"]
accessControlAllowHeaders = ["Content-Type", "Authorization"]
accessControlAllowOriginList = ["https://example.com"]
accessControlMaxAge = 100
addVaryHeader = true
Sample configuration configures CORS to allow requests with https://example.com
supporting methods GET
, OPTIONS
, PUT
and setting the maximum prefetch cache time to 100 seconds.
In conclusion, I would like to remind you that my friends from OTUS There are a number of infrastructure courses taught by practicing industry experts. Details in the catalog.