We will use the mch1307/rancher-traefik:220.127.116.11. It is an alpine based image, inspired from rawmind0. The image will read the SSL certs and Rancher API key/secret from Rancher secret through environment variables that we will define when creating the service.Create new stack, we will call it prx. Then add a service to it.
PortsWe will use the following ports:
- 80 -> http
- 443 -> https
- 8000 -> Traefik UI
Those ports will be exposed on the host(s) that will run the Traefik container(s). Make sure they are not yet in use, or choose other ones.
In the Secrets tab, set up your secrets:
Container environment variables
To add secrets as environment variables, go to the “Command” tab and define environment variable as follows. The name of the env vars should be:
- TRAEFIK_RANCHER_ACCESSKEY = Rancher API key
- TRAEFIK_RANCHER_SECRET = Rancher API secret
- TRAEFIK_SSL_CERT= Wildcard SSL cert (bundle ii with intermediate CA if applicable)
- TRAEFIK_SSL_PRIVATE_KEY = SSL private key (without password protection)
- TRAEFIK_RANCHER_ENDPOINT = URL to Rancher API
- TRAEFIK_RANCHER_DOMAIN = domain to be used in Traefik
The secrets are available at /run/secrets/alias. Alias is defined in the secrets in the previous step.
*Hint: Copy the table above and paste it to the first environment variable. Rancher UI will create all the variables so that you only need to put appropriate value in the right column
Go to the “scheduling” tab and create a new scheduling rule. We will create a rule based on host label. It means we will ask Rancher to run the container on host having a given label. Remember the labels we saw in the Rancher infrastructure (
traefik_lb=true), this is where they will enter into action:
Once done, click on “Create” to trigger container deployment. Rancher will download the image from Docker Hub and them schedule the container. You should have a running Traefik stack within a few minutes.
Setup the Web Application
Traefik needs a few labels at the web app level in order to automatically create the config for the service. These are the different labels we will use:
- traefik.enable = true
- traefik.port = 80
- traefik.frontend.rule = Host:whoami.domain.com
Go to the whoami stack, choose upgrade and add the labels.
Hint: Copy the table above and paste it to the first label. Rancher UI will create all the labels and values. The adapt the values to suit your setup. Additional ones can be used, refer to the Traefik documentation
Once the whoami stack is upgraded, you should be able to access the traefik UI on port 8000:
You should now define a DNS alias for the whoami that points to the rancher host(s) that runs the traefik container. Once done open your favorite web browser and go to the whoami URL.
Traefik will redirect the HTTP traffic to HTTPS using the wildcard cert we configured earlier. Hit F5 several times, you will see different IPs which shows the load balancing feature of Traefik. You can run further test by scaling up or down the number of whoami containers. Check the traefik UI to see the number of whoami backends is updated.
We have seen how traefik can be deployed as proxy / load balancer in a rancher cattle cluster, using basic setup. Traefik offers many other options, consult the documentation for further information
Michael Champagne is a containers and OSS enthusiast / fan.