Deploy a 2nd Traefik for external services
Intro
Deploy a second Traefik instance in your kubernetes cluster specifically for external-only services.
Why
Because if you use a single instance for both internal-only and external services, anyone who can determine the host and domain name of an internal service could create a CNAME alias in DNS pointing to any of your public DNS names and gain access to that internal service.
By using a second Traefik with its own IP endpoint (a second address in the MetalLB range) you can port forward to that IP and annotate the ingress rules meant for the traefik-external instance, which binds them to that second IP.
You can better firewall that IP as well without affecting internal services.
How
Assuming you already have a working cluster, it's pretty simple: deploy Traefik again using helm.
helm install traefik-external traefik/traefik --namespace=kube-system --values=traefik-ext-chart-vals.yaml
Notice that I changed the release name after "install" so it is obvious which instance is which; two releases can't share the same name anyway.
What I did was make a copy of the chart values file I originally used to deploy Traefik. In the first section, add the last line shown here:
additionalArguments:
  - --providers.file.filename=/data/conf/traefik-config.yaml
  - --serversTransport.insecureSkipVerify=true
  - --providers.kubernetesingress.ingressclass=traefik-external
....
Under "web", add the last line shown below to redirect port 80 to 443 (the websecure port):
.........
web:
  port: 8000
  expose: true
  exposedPort: 80
  protocol: TCP
  redirectTo: websecure
...........
Lastly, change the IP under the service: section:
loadBalancerIP: "192.168.66.21" #metalLB IP
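As an added example (not from the original post), here is an Ingress for a public-only service bound to the second instance: the class name matches the --providers.kubernetesingress.ingressclass=traefik-external argument set above, so the first Traefik (which has no ingressclass set and therefore processes every Ingress) and the second one both see it, but an Ingress without this class is ignored by traefik-external and never reachable on the external IP. Hostname, namespace, service and secret names are placeholders.

```yaml
# Added example: Ingress for an external-only service, bound to the second
# Traefik via the class name passed in
# --providers.kubernetesingress.ingressclass=traefik-external.
# Hostname, namespace, service and secret names are placeholders.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: public-app
  namespace: public-app
  annotations:
    # Matched against the ingressclass argument of traefik-external;
    # Ingresses without this value are not routed by the external instance.
    kubernetes.io/ingress.class: traefik-external
    # Only serve on the TLS entrypoint; port 80 is already redirected
    # to websecure by the chart values above.
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  rules:
  - host: app.example.com            # placeholder public hostname
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: public-app         # placeholder backend service
            port:
              number: 80
  tls:
  - hosts:
    - app.example.com
    secretName: public-app-tls       # placeholder TLS secret
```

To confirm the split after applying it, a request to the external IP carrying an internal hostname should get Traefik's default 404, while the public hostname is served normally.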
Thanks
Thank you for taking the time to read this post and a big thank you as well to TechnoTim for his tutorials on kubernetes!