
Running Traefik in HakunaCloud

Tommaso Doninelli

Deploy Traefik with Let’s Encrypt SSL certificates in HakunaCloud!

Overview

Traefik is a load balancer and HTTP reverse proxy that makes working with microservices and integrating with your infrastructure seamless.

[Figure: Traefik design in a nutshell]

Why Traefik is a must in your stack:

  • SSL/HTTPS: Automate the provisioning and renewal of Let’s Encrypt SSL certificates;
  • Simplify the management of exposed services;

More information about Traefik can be found in their great online docs.

Goal of this tutorial

In this tutorial we are going to:

  • Deploy Traefik using Docker (or HakunaCloud)
  • Automatically configure the provisioning of SSL certificates using AWS Route53;

TL;DR

  0) You have an AWS Route53 zone configured, with an IAM user that can create records on your behalf;
  1) Create traefik.yaml and routes.yaml;
  2) Deploy Traefik on HakunaCloud;

Step 1 - Configuration

Traefik has 2 configurations:

  • static configuration, used to start the Traefik process;
  • dynamic configuration, used to specify the routes exposed to the internet;

We will use files for both of them.

Static configuration

The contents of traefik.yaml:

## traefik.yaml

log:
  level: INFO

entryPoints:
  websecure:
    address: :443
    # Enable TLS/SSL on port 443 - domains are taken from the routes, certificates will be automagically
    # provisioned and renewed
    http:
      tls:
        certResolver: leresolver

  web:    
    address: :80
      

providers:  
  file: 
    # Load routes from a file in the mounted volume
    filename: /etc/traefik/routes.yaml 
    # Watch the file for new routes
    watch: true


certificatesResolvers:
  leresolver:
    acme:
      email: "it@hakuna.cloud"
      # Save the certs in the mounted volume 
      storage: "/etc/traefik/acme.json"   
      # Use the dns challenge to verify the domain ownership
      # The domains are taken from the routers that have a reference to this resolver
      dnsChallenge:
        provider: "route53"     


Dynamic configuration

Add the routes to proxy in the routes.yaml file. In this scenario, we are exposing a container named jira, from this blog article:

## routes.yaml
http:
  routers:
    routerjira:
      entryPoints: ["websecure"]        
      rule: "Host(`jira.hakuna.cloud`)"
      service: "jira"
      tls:
        certResolver: leresolver
        domains:
          - main: "jira.hakuna.cloud"    
  services:
    jira:
      loadBalancer:
        passHostHeader: true
        servers:
          - url: "http://jira:8080"

Step 2 - Deploy Traefik

We need a volume to persist the configuration

hakuna volume create traefik

Now we can upload the files to the volume, using any of the available methods.

Finally, we can start the Traefik container:

# --network: Traefik joins the same network as your services
# -e AWS_*:  configure the AWS credentials used to perform the Let's Encrypt DNS challenge
# -v:        mount the volume that holds the configuration
hakuna run --name traefik \
    --network jira \
    -p 443:443 \
    -p 80:80 \
    -e "AWS_ACCESS_KEY_ID=AKIAxxxx" \
    -e "AWS_SECRET_ACCESS_KEY=yyyy" \
    -v traefik:/etc/traefik \
    traefik:2.2

That’s IT! Now update your DNS record to point to the Traefik CNAME.
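The IAM user whose access key is passed to the container only has to write the _acme-challenge TXT record for the routed domain, so its policy can be far narrower than general record access. The following is an added example, not part of the original tutorial or of Traefik or HakunaCloud: it holds a constructed broad policy beside a scoped one and a small audit function that flags the difference. The hosted zone ID is a placeholder, the function names are hypothetical, and the audit only understands the policy shapes shown here.

```python
import json

ZONE_ARN = "arn:aws:route53:::hostedzone/ZONEIDPLACEHOLDER"  # placeholder, not a real zone
CHALLENGE = "_acme-challenge.jira.hakuna.cloud"  # TXT record name for the routed domain

# Constructed "too broad" policy: any Route53 action on any zone.
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "route53:*", "Resource": "*"}]}

# Constructed scoped policy: only the calls the Route53 DNS challenge needs.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "route53:GetChange",
     "Resource": "arn:aws:route53:::change/*"},
    {"Effect": "Allow", "Action": "route53:ListHostedZonesByName", "Resource": "*"},
    {"Effect": "Allow", "Action": "route53:ListResourceRecordSets", "Resource": ZONE_ARN},
    {"Effect": "Allow", "Action": "route53:ChangeResourceRecordSets", "Resource": ZONE_ARN,
     "Condition": {"ForAllValues:StringEquals": {
         "route53:ChangeResourceRecordSetsNormalizedRecordNames": [CHALLENGE],
         "route53:ChangeResourceRecordSetsRecordTypes": ["TXT"]}}},
]}

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit(policy):
    """Flag Allow statements that let the key change more than challenge TXT records."""
    findings = []
    for i, st in enumerate(as_list(policy["Statement"])):
        actions = [a.lower() for a in as_list(st.get("Action", []))]
        writes = [a for a in actions
                  if a in ("*", "route53:*", "route53:changeresourcerecordsets")]
        if st.get("Effect") != "Allow" or not writes:
            continue
        if any(r == "*" or "hostedzone/*" in r for r in as_list(st.get("Resource", []))):
            findings.append(f"statement {i}: record changes allowed on every hosted zone")
        cond = st.get("Condition", {}).get("ForAllValues:StringEquals", {})
        names = as_list(cond.get("route53:ChangeResourceRecordSetsNormalizedRecordNames", []))
        types = as_list(cond.get("route53:ChangeResourceRecordSetsRecordTypes", []))
        if not names or any(not n.startswith("_acme-challenge.") for n in names):
            findings.append(f"statement {i}: record names not limited to _acme-challenge.*")
        if types != ["TXT"]:
            findings.append(f"statement {i}: record types not limited to TXT")
        if any(a != "route53:changeresourcerecordsets" for a in writes):
            findings.append(f"statement {i}: wildcard action {writes}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(BROAD)))
    print(json.dumps(SCOPED, indent=2))  # JSON form of the scoped policy
```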

Tommaso Doninelli

CEO @ HakunaCloud

10 years as CTO, former Software Engineer at Amazon AWS, Cloud Solution Architect with projects in US, Europe and United Arab Emirates.

"I am a DevOps and automation advocate; you can test, deploy, analyze and improve even your grandma recipes."