# kubernetes
j
Basically where I think our misunderstanding comes into play is with what Ingresses are and how that relates to Traefik. Basically our Traefik controllers are set up as services and our AWS Controller stands up an NLB in front of that service. All of our services have their own Ingress. Now that I have dug into it deeper, we should really have Traefik as the Ingress, AWS Controller creating a LB for that ingress, and then have each service have an IngressRoute? More than happy to diagram it out or jump in a call
a
That sounds familiar to how Emissary Ingress works (don't have experience with Traefik on k8s unfortunately, although might do soon) in that there's a single cloud LB created for the ingress gateway/proxy, and routing to individual services is handled by CRDs (which looks like IngressRoute are?)
h
We use kong for ingress and that's how it works as well: AWS LB ---> kong ingress ---> services annotated with kong ingress
Although there are 3rd party charts that spin up multiple lbs by default ( Looking at you wazuh 😡 )
j
Yeah, sounds like we have it set up incorrectly. Pains of growth.
h
Ya took me a while to wrap my head around lb/ingress stuff
j
Ha, thought I had my head wrapped around it last year 😆
So, Traefik actually lets you create routes based on Ingresses and because of the fact that ingressRoutes is a Traefik CRD and we’re using Helm… it’d be a nightmare if we had to do it that way. We lucked out and didn’t fully understand what we were doing initially but it worked out. Now is just a matter of getting the AWS ALB Controller to work the way we need. On a side note, did find that you can limit Traefik to find routes via specific IngressClasses which is super beneficial in our use case. Less routing noise for each Traefik controller and easier troubleshooting. Assuming Sandbox works tonight, I’ll post a diagram here tomorrow for those curious. Gotta do one anyway for my team’s sake before I push this out
In case anyone was curious, here’s a rough diagram on how it’s working now vs before. Main reason for the change was WAF enablement. Had to change to ALBs but the ALB Controller doesn’t allow for ALBs on LoadBalancer Services. Also, since Traefik does pick up routes from IngressClasses, we don’t have to make any changes on the Ingress side of our apps. We opted early on to let the ingress routes live within the app’s Helm chart.