Traefik as an open source edge router for microservice architectures

TRAEFIK AS AN OPEN SOURCE EDGE ROUTER
FOR MICROSERVICE ARCHITECTURES
JAKUB HAJEK
FEB 27TH, 2020

▸ I am the owner and technical consultant working for Cometari
▸ I’ve been system admin since 1998
▸ Cometari is a solutions company implementing DevOps culture
and providing consultancy, workshops and software services.
▸ Our expertise are DevOps, Elastic Stack - log analysis,
▸ We are deeply involved in the travel tech industry
▸ However our solutions go much further than just integrating
travel API’s.
INTRODUCTION

“I strongly believe that implementing DevOps culture, across
the entire organisation, should provide measurable value and
solve the real issue rather than generate a new one.”
Jakub Hajek, Cometari

My goal is to show how Traeﬁk can make your daily duties easier if you work
with microservice architectures running in distributed systems.

IMMUTABLE CONTAINERS
▸ Mutable vs Immutable
▸ No incremental changes to the image
▸ No more drifting conﬁguration
▸ (No) imperative updates
▸ Base image + source code = An artefact / immutable image
▸ The artefact is scaling unit in distributed systems
▸ Canary and mirror deployments
▸ Rollback if an error occurs

Immutable containers are at the core of any distributed systems

TRAEFIK 2.X KEY FEATURES
▸ TCP support
▸ Kubernetes CRD
▸ ROUTER= frontend, SERVICE=backend, MIDDLEWARES=rules
▸ Fully customisable routes via middleware, which can be reused on many routers
▸ YAML, TOML is still good
▸ A new dashboard with web UI
▸ Canary deployment with Service Load balancer
▸ Network trafﬁc Mirroring with Service Load balancer
▸ Consul catalog

KUBERNETES INGRESS PROVIDER
▸ Traeﬁk can be used as an another ingress provider
▸ Conﬁguration is done via (lots of) annotations

KUBERNETES CRD AND AVAILABLE CUSTOM RESOURCES
▸ Ingressroute - HTTP routing - http router
▸ Middleware - tweaks the HTTP before they are sent to a
service - HTTP Middleware
▸ TraeﬁkService - abstraction for HTTP LB/mirroring
▸ IngressRouteTCP - TCP routing - TCP router
▸ TLSOptions - TLS connection parameters
https://docs.traeﬁk.io/routing/providers/kubernetes-crd/

LETSENCRYPT WITH CRD
▸ Traefik is delivered as an immutable containers
▸ LetsEncrypt keeps persistence in a file
▸ Previous version keeps cert in KV stores (Consul)
▸ The file with cert works fine with only once Traefik instance
▸ SPOF
https://docs.traefik.io/providers/kubernetes-crd/#letsencrypt-support-with-the-custom-resource-definition-provider

IMMUTABLE CONTAINER WITH TRAEFIK
▸ Custom image with Traefik with added SSL certificate into
image
▸ Configuration files added directly to the image
▸ Works perfectly if you bought SSL cert and don’t use
dynamically updated Let’s Encrypt
▸ Horizontal scalability is simple, no need to care about the
persistence for Let’s Encrypt certificates

HA WITH LETSENCRYPT
▸ Traefik EE which supports distributed LetsEncrypt
▸ LetsEncrypt keeps persistence in a file
▸ Previous version keeps cert in KV stores (Consul)
▸ Cert Manager that keeps certificates in secrets

ENTRYPOINTS :80, :443
ROUTERS
PROVIDER 1
Traeﬁk conﬁguration introduction
PROVIDER
CONNECTION
INFORMATION
SERVICES
MIDDLEWARES
CERTIFICATES
PROVIDER 2
DYNAMIC (WHILE RUNNING)STATIC (STARTUP TIME)

ENTRYPOINT ROUTER SERVICE
MIDDLEWARE 1 MIDDLEWARE 2 MIDDLEWARE 3
Request Calls to backend servers
Tweaking request before / after the arrives to their destination

MIRRORING OR LIVE TRAFFIC SHADOW
▸ Understand difference between Deployment vs Release
▸ Deployment brings new code to the production,
no production traffic yet!
▸ Run smoke, integration tests to make sure that new
deployment has no impact to your users
▸ Release brings live traffic to a deployment.
▸ We can shadow live traffic to the new deployment and
reduce the risk of failure.

MIRRORING
VERSION 2
VERSION 1
https://service
Mirroring with Service Load Balancer
20%
https://github.com/containous/traeﬁk/issues/2989

CANARY DEPLOYMENT
▸ Deployment vs Release
▸ Instead of switching to new version in one step, we use a phased
approach
▸ We deploy a new app in a small part of the production
infrastructure
▸ Only a few users (1%) are routed to the newest version (Release)
▸ With no errors reported, the new version can be released to the
rest of the infrastructure.

CANARY
VERSION 2
VERSION 1
Canary deployment with Service Load balancers
1% of live trafﬁc, a few users
Majority of users
https://github.com/containous/traeﬁk/issues/1164

CANARY VERSION 2
Canary deployment with Service Load balancers
VERSION 2VERSION 2VERSION 2

OBSERVABILITY
▸ /metrics endpoint
▸ Enable Prometheus or any other backend
▸ Use Grafana to visualise metrics
▸ Use existing dashboards to visualise data (or develop your
own)

LOGGING AND VISUALISING ACCESS LOGS
▸ Traeﬁk logs are in JSON including startup and errors events
▸ Access logs are written to STDOUT in JSON format.
▸ Treat logs as an event and transfer them to external system
(Elastic Stack + Fluentd)
▸ Use Kibana and Logs tab to have live data streaming
▸ Develop dashboard with a map and place GEO points of IP
addresses

TRACING
▸ You can’t just relay on app and system logs
▸ Visualize the requests ﬂows
▸ Traeﬁk uses OpenTracing for distributed tracing
▸ Jeager, Zipkin, Datadag and a few more

CONFIGURATION TIPS
▸ Don’t mix static configuration vs dynamic configuration
▸ CLI command can be used for static config or if you prefer you can define
config file as well
▸ Labels (for Swarm) can be used to define dynamic configuration or config files
▸ directory with WATCH flag enabled as well
▸ More advanced rules configuration via middleware are dynamically defined
▸ The most flexible is to run Traefik as container, instead of binary directly from
host
▸ Healthcheck for your services are crucial

DEMO ENVIRONMENT IN DETAILS
▸ K3S cluster* consisting of 3 nodes
▸ INSTALL_K3S_EXEC="server --no-deploy traeﬁk”
▸ SSL certs issued by Lets Encrypt
▸ FQDN domains:
▸ https://a.labs.cometari.eu
▸ https://n.labs.cometari.eu
▸ https://c.labs.cometari.eu
▸ DNS Round Robin: Route 53 with its implemented health checks
▸ Web Server and NodeJS backend

Diagram of demo environment
TRAEFIK
WEB FRONTEND
NODEJS BACKEND

Talk is cheap, show me the code!

DEMO SCENARIOS
▸ Web UI to see how services are deployed
▸ Scaling services and generating some network trafﬁc via
Slapper
▸ Example of Canary deployment
▸ Example of Mirroring conﬁguration

SUMMARY
▸ Traefik provides flexible way to expose services, auto discovery
▸ It can be configured in multiple way, there are no ready to use config - just
refer to configuration tips
▸ Fully customise routes via middlewares
▸ Easily integrates with every major cluster technology
▸ Lets Encrypt integrated, managing SSL certs is easy
▸ Metrics, Tracing, Logs
▸ Rolling out releases thanks to Canary deployments
▸ Mirroring - duplicating incoming request and send them to different services.

THANK YOU
@_JAKUBHAJEK
JAKUB.HAJEK@COMETARI.COM

Traefik as an open source edge router for microservice architectures

More Related Content

What's hot (20)

Similar to Traefik as an open source edge router for microservice architectures (20)

More from Jakub Hajek (6)

Recently uploaded (20)

Traefik as an open source edge router for microservice architectures