Previously, we mentioned that Traefik 2.0 has officially been released, and it now supports TCP services. However, the official documentation for Traefik is somewhat confusing, especially regarding its use in Kubernetes, where the details are even less comprehensive. In my spare time, I have been trying to translate the official documentation. You can find it at: https://www.qikqiak.com/traefik-book, where I have removed some unnecessary documentation and added some usage examples in Kubernetes.
This article demonstrates how to expose a TCP service in Kubernetes using Traefik, taking Redis as an example. First, ensure that Traefik 2.0 is installed in your Kubernetes cluster. You can refer to the installation resource list we provided earlier at https://github.com/cnych/kubeapp.
Deploy Redis
For demonstration purposes, we will deploy a single-node Redis instance; the Redis cluster mode is not the focus here. Below is the resource manifest file we will use for deployment: (redis.yaml)
apiVersion: apps/v1  # extensions/v1beta1 Deployments were removed in Kubernetes 1.16
kind: Deployment
metadata:
  name: redis
spec:
  selector:  # required by apps/v1; must match the pod template labels
    matchLabels:
      app: redis
  template:
    metadata:
      labels:
        app: redis
    spec:
      containers:
        - name: redis
          image: redis:3.2.11
          ports:
            - containerPort: 6379
              protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: redis
spec:
  ports:
    - port: 6379
      targetPort: 6379
  selector:
    app: redis
You can create it directly:
$ kubectl apply -f redis.yaml
Expose TCP Service
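Traefik routes TCP traffic by SNI, which is part of the TLS handshake, so host-based TCP routing relies on TLS and we need to configure a certificate. However, if you do not have a certificate, you can use the wildcard * in the match rule. Note that HostSNI(`*`) matches every connection arriving on the entry point, and without a tls section on the route Traefik forwards the bytes as received, so the Redis session shown later is unencrypted. Here we create an IngressRouteTCP type of CRD object (we have already installed the corresponding CRD resources): (ingressroute-redis.yaml)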
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: redis
spec:
  entryPoints:
    - redis
  routes:
    - match: HostSNI(`*`)
      services:
        - name: redis
          port: 6379
Note that the entryPoints section here is determined by the entryPoints in the static configuration of the Traefik you started. For example, you can add a dedicated entry point for Redis:
containers:
  - image: traefik:v2.0
    name: traefik-ingress-lb
    ports:
      - name: web
        containerPort: 80
        hostPort: 80
      - name: websecure
        containerPort: 443
        hostPort: 443
      - name: redis  # dedicated entry point for the Redis TCP route
        containerPort: 6379
        hostPort: 6379
      - name: admin
        containerPort: 8080
    args:
      - --entrypoints.web.Address=:80
      - --entrypoints.websecure.Address=:443
      - --entrypoints.redis.Address=:6379
      # api.insecure serves the API and dashboard on port 8080 without authentication
      - --api.insecure=true
      - --providers.kubernetescrd
      - --api
      - --api.dashboard=true
      - --accesslog
Adding hostPort to the entry point here allows access to the service through the node’s port. For more information about entryPoints, you can refer to the documentation at https://www.qikqiak.com/traefik-book/routing/entrypoints/. Then create the IngressRouteTCP object above directly:
$ kubectl apply -f ingressroute-redis.yaml
Once created, you can also check the Traefik Dashboard page to confirm that the route has taken effect.

Then we configure a domain name to resolve to the node where Traefik is located, and connect to the Redis service through port 6379:
$ redis-cli -h redis.youdianzhishi.com -p 6379
redis.youdianzhishi.com:6379> ping
PONG
redis.youdianzhishi.com:6379> set hello world
OK
redis.youdianzhishi.com:6379> get hello
"world"
redis.youdianzhishi.com:6379>
At this point, we have completed exposing the Redis (TCP) service to external users.
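The route above uses the wildcard because no certificate is configured. As an added example (not part of the original article), this is the same route with TLS terminated at Traefik; it assumes a kubernetes.io/tls Secret named redis-tls (a hypothetical name) already exists in the same namespace and holds a certificate for redis.youdianzhishi.com.

```yaml
# Added example: TLS-terminated variant of ingressroute-redis.yaml.
# Assumption: Secret "redis-tls" (hypothetical name, type kubernetes.io/tls)
# exists in this namespace with a certificate for redis.youdianzhishi.com.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: redis
spec:
  entryPoints:
    - redis
  routes:
    # Only connections whose TLS ClientHello carries this server name
    # are routed; the wildcard rule accepted any connection on the port.
    - match: HostSNI(`redis.youdianzhishi.com`)
      services:
        - name: redis
          port: 6379
  tls:
    # Traefik terminates TLS with this certificate and forwards the
    # decrypted stream to the Redis Service inside the cluster.
    secretName: redis-tls
```

With this route, clients must speak TLS and send the matching server name, for example redis-cli 6.0 or later with --tls and --sni redis.youdianzhishi.com.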
For more on using Traefik 2.0, see the documentation at https://www.qikqiak.com/traefik-book.