
Whew, that week went by in a flash. I’ve actually been working on this #DecemberAdventure project these past few days and have made some strides; I just kept running out of time (and inclination) to post about it.
Part of the problem—as an aside—is that I had to close the YAML project space in my VS Code editor in order to open the project space for writing a blog post, which makes it difficult to cross-reference very specific issues and instead relies on “vibes” for writing the post. I’m sure it’s to the detriment of any readers, but I enjoy being as specific as I can. If anyone wants to tell me the magic key combination that allows me to open up multiple project spaces simultaneously in VS Code, please do drop me a line.
Anyway, I hit upon a couple of crucial resources this past week that have helped me make some progress. First, I identified some very specific changes I need to make:
- Traefik needs to be moved to a `traefik` namespace
- Cert-manager needs to be moved to a `cert-manager` namespace
- Upgrade cert-manager CRDs
- Cloudflare API keys need to be moved to `cert-manager` namespace
These are easy enough, only requiring some minor configuration tweaks to the yaml.
But I have a lot of deeper questions about the configuration involved in having Traefik route to external services.
- A big one: just about all the examples I can find entail doing this, but for Docker-Compose, not kubernetes. Why is that? Here’s one, another one, another one (I think; it doesn’t actually specify), and another one (same problem).
- I did manage to find a few examples using kubernetes: here’s one (2+ years old), another one (4+ years old, bordering on useless), another one (the answer is not helpful), another one (also with an unhelpful “answer”), another one (2+ years old), and another one (this seems the most promising).
- Why is my traefik `values.yaml` so much longer than the one used in TechnoTim’s video? Specifically, why is his traefik configuration devoid of `certResolver` and `env`? Is it because I’ve managed to incorrectly configure how my cluster obtains certificates?
- Why isn’t there a domain under his `ports` section? Is this, again, because I seem to be doing certificates differently?
- If I’m setting up both a `Service` and `Ingress` for each external server I want to reverse proxy behind traefik, what do I set for their ports? And names? And namespaces?
- How do I match namespaces with certificates?
But anyway. I tried to take a stab at it anyway, using this:
```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: unraid
  namespace: default
spec:
  type: ExternalName
  externalName: unraid.my.local.domain
  ports:
    - port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: unraid
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`unraid.my.local.domain`)
      kind: Rule
      services:
        - name: unraid
          namespace: default
```

No HTTPS, just regular ol’ port 80. And it worked… kind of. I got a 404 error.
After thinking about it for a couple minutes, I realized: right now I have my local DNS pointing unraid.my.local.domain to the IP address of the traefik proxy, NOT the actual Unraid server. Which I guess would explain the 404, right?
So then, here’s my biggest question: if I want to route all internal traffic through this proxy, but need the proxy to check with the external DNS server for the right IP address for the server… howwwww does that happen???
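One common Kubernetes pattern for this situation, shown as an added example that is not part of the original post: replace the `ExternalName` Service with a selector-less Service plus a manually defined `Endpoints` object, so Traefik forwards to a fixed IP address and never looks up the hostname that local DNS points back at the proxy. The address `192.0.2.10` is a placeholder for the Unraid server's real LAN IP, and the port name `http` and the `port: 80` on the route's service reference are assumptions.

```yaml
---
apiVersion: v1
kind: Service
metadata:
  name: unraid
  namespace: default
spec:
  # No selector and no externalName: Kubernetes will not manage the
  # endpoints, so the Endpoints object below supplies them by hand.
  ports:
    - name: http
      port: 80
      targetPort: 80
---
apiVersion: v1
kind: Endpoints
metadata:
  name: unraid            # must match the Service name exactly
  namespace: default
subsets:
  - addresses:
      - ip: 192.0.2.10    # placeholder: the server's real IP, not the proxy's
    ports:
      - name: http        # must match the Service port name
        port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: unraid
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  entryPoints:
    - web
  routes:
    # Clients still resolve this name to Traefik; only the backend changes.
    - match: Host(`unraid.my.local.domain`)
      kind: Rule
      services:
        - name: unraid
          namespace: default
          port: 80        # assumed: the Service port the route should use
```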
Citation
@online{quinn2024,
author = {Quinn, Shannon},
title = {December {Adventure:} {Exploring} {YAML}},
date = {2024-12-13},
url = {https://magsol.github.io/2024-12-13-december-adventure-exploring-yaml},
langid = {en}
}