- 01-Basic: We're going to make hashicorp/vault accessible through Traefik. The first example is very simple: you can connect to the address "vault.isc" using the HTTP protocol ✅
- 02-HTTPS: We're going to use the "websecure" entrypoint instead of the "web" entrypoint to connect to "vault.isc" using the HTTPS protocol. You have 3 different options to use TLS in Traefik. The first one is the Traefik default certificate, the second one is using your own certificate, and the last one is using Let's Encrypt. If you prefer to use Let's Encrypt, your provider must be supported by Traefik; you can find the list of available providers here: https://doc.traefik.io/traefik/https/acme/ ✅
- 03-RedirectScheme-middleware: The RedirectScheme middleware redirects the request if the request scheme is different from the configured scheme. We're going to redirect HTTP requests to HTTPS using the RedirectScheme middleware. https://doc.traefik.io/traefik/middlewares/http/redirectscheme/ ✅
- 04-BasicAuth-middleware: The BasicAuth middleware grants access to services to authorized users only; because of that, we're going to create 2 different users. To create a user:password pair, it's possible to use this command: `echo $(htpasswd -nB user) | sed -e s/\\$/\\$\\$/g` (the sed step doubles every `$` in the hash so that docker-compose does not treat it as variable interpolation). You can use htpasswd if the apache/httpd package is installed. https://doc.traefik.io/traefik/middlewares/http/basicauth/ ✅
- 05-Errors-middleware: It has never been easier to say that something went wrong. The Errors middleware returns a custom page in lieu of the default, according to configured ranges of HTTP status codes. In this example we're going to use a new service in our docker-compose called "error". This new service is responsible for building a bunch of custom error pages for Traefik. You can follow their project here: https://github.com/guillaumebriday/traefik-custom-error-pages . So if I receive an error code (e.g. 404) for my hashicorp/vault service, one of the error pages of the "error" service will appear, based on the status code. https://doc.traefik.io/traefik/middlewares/http/errorpages/ ✅
- 06-Traefik-secure: We have been connecting to the Traefik dashboard in an insecure manner so far. We're going to connect to the Traefik dashboard using the HTTPS protocol. Because of that we need to follow some steps: first of all, modify traefik.yml and replace "insecure:true" with "insecure:false", and then create a router for the traefik service to enable TLS using labels in docker-compose ✅
- 07-Setup: We're going to use the Traefik Helm chart to install it. As I said earlier, we have some different options to use TLS in Traefik. I'm using my own certificate for the examples of this repository, so I need to override some values of the Traefik Helm chart. If you want to do the same, follow the steps in note.txt ✅
- 08-Basic: IngressRoute is the CRD implementation of a Traefik HTTP router. We're going to use this CRD to connect to "vault.isc" using the HTTP protocol. You can also use the Kubernetes Ingress provider instead of IngressRoute, but I prefer to use IngressRoute because I don't need to use lots of annotations; it would be difficult to manage all those annotations. ✅
- 09-HTTPS: We're going to use the "websecure" entrypoint instead of the "web" entrypoint to connect to "vault.isc" using the HTTPS protocol ✅
- 10-RedirectScheme-middleware: Middleware is the CRD implementation of a Traefik middleware. First of all we need to create "RedirectScheme-middleware" using the Middleware CRD, then create the IngressRoute using its CRD and refer to RedirectScheme-middleware by its name in the manifest of the IngressRoute ✅
- 11-BasicAuth-middleware: Middleware is the CRD implementation of a Traefik middleware. Follow these steps to use basicAuth:
  1. Create a Kubernetes secret that contains the list of authorized users (you can generate a user:password pair using this command: `htpasswd -nb user password | base64`).
  2. Create "basicAuth-middleware" using the Middleware CRD and refer to the name of the users secret in the manifest of the middleware.
  3. Create the IngressRoute using its CRD and refer to basicAuth-middleware by its name in the manifest of the IngressRoute ✅
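
The three steps of 11-BasicAuth-middleware written as one manifest; this is an added example, not a file from this repository. The Secret name, the `vault` Service on port 8200, the `default` namespace and the `traefik.io/v1alpha1` apiVersion are assumptions, and the `users` value is a placeholder.

```yaml
# Added example (not from the repository). Assumed: namespace "default",
# a Service named "vault" on port 8200, Traefik v2.10+/v3 CRDs
# (older releases use apiVersion traefik.containo.us/v1alpha1).
---
# Step 1: the list of authorized users.
apiVersion: v1
kind: Secret
metadata:
  name: authorized-users            # hypothetical name
  namespace: default
type: Opaque
data:
  # Placeholder: paste the output of `htpasswd -nb user password | base64`.
  # For several users, put one htpasswd line per user in a file and encode the file.
  users: REPLACE_WITH_BASE64_HTPASSWD_OUTPUT
---
# Step 2: the middleware points at the Secret by name.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: basicauth-middleware        # Kubernetes object names must be lowercase
  namespace: default
spec:
  basicAuth:
    secret: authorized-users        # Secret in the same namespace, key "users"
    removeHeader: true              # do not forward the Authorization header to the backend
---
# Step 3: the route points at the middleware by name.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: vault
  namespace: default
spec:
  entryPoints:
    - websecure                     # Basic credentials are only base64-encoded: keep them on TLS
  routes:
    - match: Host(`vault.isc`)
      kind: Rule
      middlewares:
        - name: basicauth-middleware
      services:
        - name: vault
          port: 8200
  tls: {}                           # serve the certificate configured at install time (07-Setup)
```

Passing the password as an argument to `htpasswd -nb` leaves it in shell history; omitting `-b` makes htpasswd prompt for it instead.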
