Traefik v3 on Kubernetes / Rancher
This is how I migrated from Traefik v2 to v3. I use HostPort so that the real client IPs show up in the Traefik logs and in the services.

Migrating from v2 to v3 wasn't straightforward: I had to move all IngressRoute objects from the traefik.containo.us API group to traefik.io.
Old:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: simpleingressroute
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`your.example.com`) && PathPrefix(`/notls`)
      kind: Rule
      services:
        - name: whoami
          port: 80
New:
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: simpleingressroute
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`your.example.com`) && PathPrefix(`/notls`)
      kind: Rule
      services:
        - name: whoami
          port: 80
I used the following command to export all IngressRoutes:
kubectl get --all-namespaces IngressRoute -o yaml 2> /dev/null > 2024-ingressroutes.yaml
After the regex foo, I played them back in with:
kubectl apply -f 2024-ingressroutes.yaml
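One way to do the "regex foo" step without touching anything except the API group, as an added example that is not from the original post (the function names and the sample export are constructed for illustration). It rewrites only apiVersion keys and then lists any remaining mentions of the old group for manual review:

```shell
#!/bin/sh
# Added example, not from the original post.
OLD_GROUP='traefik.containo.us'
NEW_GROUP='traefik.io'

# Usage: migrate_api_group < export.yaml > migrated.yaml
# Rewrites only the value of apiVersion keys, including the "- apiVersion:"
# form used for entries of the exported items list. Host rules and annotation
# payloads that merely mention the old group are left untouched.
migrate_api_group() {
  awk -v old="$OLD_GROUP" -v new="$NEW_GROUP" '
    /^ *(- )?apiVersion: / {
      n   = index($0, "apiVersion: ")
      key = substr($0, 1, n + 11)   # indentation plus "apiVersion: "
      val = substr($0, n + 12)      # e.g. traefik.containo.us/v1alpha1
      if (index(val, old "/") == 1)
        val = new substr(val, length(old) + 1)
      print key val
      next
    }
    { print }
  '
}

# Usage: leftover_old_group migrated.yaml
# Prints "line:text" for every remaining mention of the old group so it can be
# reviewed by hand; returns non-zero when none are left.
leftover_old_group() {
  grep -nF "$OLD_GROUP" "$1"
}

# Constructed sample export (not real cluster output).
sample_export() {
  cat <<'EOF'
apiVersion: v1
items:
- apiVersion: traefik.containo.us/v1alpha1
  kind: IngressRoute
  metadata:
    name: simpleingressroute
    namespace: default
  spec:
    routes:
    - match: Host(`traefik.containo.us.example.com`)
      kind: Rule
kind: List
EOF
}
```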
These are the Helm chart values for Traefik v3; do not forget to adapt them to your needs (example.com and the password):
core:
  defaultRuleSyntax: v2
deployment:
  kind: DaemonSet
ports:
  web:
    port: 80
    http:
      redirections:
        entryPoint:
          scheme: https
          to: https
  websecure:
    http3:
      enabled: true
      advertisedPort: 443
    middlewares: []
    port: 443
    tls:
      certResolver: 'letsencrypt-prod'
      domains: []
      enabled: true
      options: ''
priorityClassName: system-cluster-critical
providers:
  kubernetesCRD:
    allowCrossNamespace: false
    allowEmptyServices: true
    allowExternalNameServices: true
    enabled: true
    namespaces: []
  kubernetesIngress:
    allowEmptyServices: true
    allowExternalNameServices: true
    enabled: true
    namespaces: []
    publishedService:
      enabled: true
service:
  enabled: false
rbac:
  enabled: true
  namespaced: false
persistence:
  enabled: true
  name: data
  accessMode: ReadWriteOnce
certificatesResolvers:
  letsencrypt-prod:
    acme:
      email: me@example.com
      tlsChallenge: true
      httpChallenge:
        entrypoint: "web"
      storage: /data/acme.json
hostNetwork: true
ingressClass:
  enabled: true
  isDefaultClass: true
logs:
  access:
    enabled: true
    fields:
      general:
        defaultmode: keep
        names: {}
      headers:
        defaultmode: drop
        names:
          Content-Type: keep
          RequestLine: keep
          User-Agent: keep
    filters: {}
  general:
    level: DEBUG
updateStrategy:
  type: RollingUpdate
  rollingUpdate:
    maxUnavailable: 1
    maxSurge: 0
securityContext:
  capabilities:
    drop: [ALL]
    add: [NET_BIND_SERVICE]
  readOnlyRootFilesystem: true
  runAsGroup: 0
  runAsNonRoot: false
  runAsUser: 0
# as I do not have podSecurityContext enabled, I am not sure this part works.
podSecurityContext:
  fsGroup: null
# Create the custom middlewares used by the IngressRoute dashboard (can also be created in another way).
# /!\ Yes, you need to replace "changeme" password with a better one. /!\
extraObjects:
  - apiVersion: v1
    kind: Secret
    metadata:
      name: traefik-dashboard-auth-secret
    type: kubernetes.io/basic-auth
    stringData:
      username: admin
      password: changeme
  - apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
      name: traefik-dashboard-auth
    spec:
      basicAuth:
        secret: traefik-dashboard-auth-secret
# Create an IngressRoute for the dashboard
ingressRoute:
  dashboard:
    enabled: true
    # Custom match rule with host domain
    matchRule: Host(`traefik.example.com`)
    entryPoints: ["websecure"]
    # Add custom middlewares : authentication and redirection
    middlewares:
      - name: traefik-dashboard-auth
To apply it:
helm repo update
helm upgrade -n kube-system traefik traefik/traefik -f 2024-04-26-traefik.yaml