Traefik Configuration

Our Traefik configuration for the Bastion is minimal and can be extended easily. Traefik is launched as a Bastion’s system job through the GENVID_TOOLBOX_FOLDER/bastion-services/local/templates/traefik.nomad.tmpl which control most of its deployment and configuration. The configuration is done mostly through GENVID_TOOLBOX_FOLDER/bastion-services/local/55-traefik.hcl which is loaded during the genvid-bastion install -l process or with the genvid-bastion load-bastion-config command. This section explains how Traefik is configured by default, and how you can extended it.

Traefik Static Configuration

Traefik’s static configuration file is populated using the content of the Consul KV /genvid/traefik/static. This entry is read as a YAML formatted content, where the string CONSUL_HTTP_ADDR is replaced with value of environment variable CONSUL_HTTP_ADDR before being parsed.

Important

Modifying this configuration will force the Traefik job to be restarted on Windows.

By default, that part configure two Traefik Providers:

Those two providers give the flexibility to discover new services while also updating the configuration through the Consul KV Store. We try to keep the usage of service tags for configuration to the minimum and favor Consul Provider for more flexibility, allowing minimal disruption of the services during configuration updates.

Traefik Entrypoints

All Traefik EntryPoints are declared under /genvid/traefik/entrypoints and append to the Traefik Static Configuration when launching. A new service associated with the traefik job reserving the port in Nomad is also created.

Important

Adding, removing or modifying an entrypoint requires a restart, since the job definition is also affected, you also need to run:

genvid-bastion start traefik

to refresh it (and restarting the traefik if necessary).

An entrypoint is defined this way:

/genvid/traefik/entrypoints/{name}

The name of the entrypoint (required). This name will also be used to compose the name of the service for this entrypoint, in the format of ep-name.

/genvid/traefik/entrypoints/{name}/port

The port number to use (required).

/genvid/traefik/entrypoints/{name}/udp

If present and set to true, will configure that entrypoint as UDP (optional).

/genvid/traefik/entrypoints/{name}/options

If present, this entry have to be a valid YAML object that will be append to the entrypoint configuration (optional).

Traefik Reserved Entrypoints

Two entrypoints are expected and reserved for the Toolbox usage:

  • traefik is used for exposing the Traefik API and its Dashboard. By default, it uses port 8080.

  • admin is used for exposing the Toolbox services, ie. Bastion API, Cluster API and Hashi UI. It uses port 8081.

Note

Cluster API is still being proxied through the bastion API proxy service rather than traefik. It is still possible to make special rules using the /bastion/v1/proxy/clusterid/cluster-api path.

Traefik Services Discovery

Our Traefik deployment uses Consul Catalog to discover new services. To help with the configuration of those services, instead of hardcoding the tags in the Nomad Templates, we have reserved a KV folder under /genvid/traefik/services for this usage. The convention for the subfolders under that prefix is to use the name of the service upon which the tags will be applied, and to contain a unique key called tags which contains a JSON array with the tags to append.

Warning

This is currently only a convention and could change in future versions of the Toolbox.

To include the tags in your services, you must modify the Nomad Templates to include a section similar to this one:

        # {{- with $tags := (keyOrDefault `genvid/traefik/services/hashi-ui/tags` `[]` | parseJSON) -}}
        # {{- range $i, $tag := $tags }}
        "{{$tag}}",
        # {{- end }}
        # {{- end }}

See the Nomad Service Block for how to define a service.

Traefik Config Section

The prefix /genvid/traefik/config is used for the Consul Provider and our convention is to use it by default to define Traefik Routers and other options.

Genvid Traefik Configuration Block

To help this configuration, a new block traefik was added to the Genvid configuration files. Each object in this block represent a folder under /genvid/traefik and each non-object property is inserted as a key-value. Support for this is limited to the genvid-bastion load-bastion-config. Support in the SDK will be available with the 1.46 release and later.