Customizing the Manifest File

Once the manifest file is generated, it can be reviewed and customized if necessary.

The following aspects should be taken into account:

  • Resource requests and limits. Both controllers and proxies ship with resource requests and limits set. The defaults are deliberately generous so that they fit most installations; adjust them to match the capacity of the target cluster.
  • Network configuration and exposed ports. By default, the proxy deployment exposes ports 80 and 443. If other ports are required, change them in both the proxy deployment (container ports) and the associated service, so that the two stay consistent.
  • Readiness probes. Readiness probes are disabled by default on the proxy deployment, because a probe has to target an entry point, and entry points are only known once the cluster has been configured. Once the entry points are defined, configure and enable the probes so that traffic is not sent to proxies that have not yet received a configuration.
  • Environment variables. Integrations such as Datadog or the ACME DNS challenge are configured through environment variables set on the proxies or the controllers.

Common Scenarios Requiring Customization

External Load Balancer

By default, the manifest files generated by teectl setup gen include a service definition of type LoadBalancer for the proxies.

A LoadBalancer service relies on the cloud provider to provision an external load balancer. Kubernetes also allocates a ClusterIP and a NodePort for the service, and the provisioned load balancer targets those.

While this is fine for most use cases, it is also common not to create load balancers dynamically, but instead to route traffic from an existing external load balancer to the Kubernetes service via its ClusterIP or NodePort.

To achieve this, change the service type in the manifest file before applying it to the cluster, either to NodePort:

```yaml
apiVersion: v1
kind: Service
#[...]
spec:
  type: NodePort
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: https
  #[...]
```

or to ClusterIP (the value is case-sensitive; a mis-cased value such as ClusterIp is rejected by the API server):

```yaml
apiVersion: v1
kind: Service
#[...]
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: https
  #[...]
```

With a NodePort service, the external load balancer targets the allocated node port on the address of each node running the proxies. With a ClusterIP service, it targets the cluster IP, which is normally reachable only from inside the cluster network, so the load balancer must have a route into it.

Port management when using NodePort

If you pin the nodePort field of a service port to a fixed value, avoiding port conflicts becomes the cluster operator's responsibility: the value must be unique across all NodePort and LoadBalancer services in the cluster and must lie within the API server's node port range (30000-32767 by default), otherwise the service is rejected when applied.

Custom Cluster Domain

If your Kubernetes cluster does not use the default cluster.local domain, update the initContainers section of both the proxies and the controllers, so that the wait-dns lookup resolves the controller service under the right domain.

Below is an example of the customization with my-custom.domain as the cluster domain:

```yaml
#[...]
initContainers:
# Blocks the pod until the controller service record is published under the
# custom cluster domain; only the domain suffix of the lookup changes.
- name: wait-dns
  image: busybox:1.31.1
  command: ['sh', '-c', 'until nslookup -type=a default-ctrl-svc.traefikee.svc.my-custom.domain; do echo waiting for published dns records; sleep 1; done;']
  resources:
    requests:
      memory: "10Mi"
      cpu: "100m"
    limits:
      memory: "100Mi"
      cpu: "1000m"
#[...]
```
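The edits above (switching the service type, pinning node ports, and rewriting the wait-dns lookups for a custom cluster domain) are easy to get wrong in ways that the API server only reports at apply time, or that only show up as a proxy stuck in its init container. The following POSIX shell script is an added example, not part of teectl or Traefik Enterprise: it lints a customized manifest offline, before kubectl apply, checking that every Service type is one of the four valid case-sensitive values, that pinned nodePorts fall inside the API server's range and are unique across the manifest, and, when a custom cluster domain is in use, that no lookup still points at svc.cluster.local. The checks are line-based and assume the one-key-per-line YAML that teectl setup gen emits; the node port range, the function names and the sample manifest are assumptions and constructed data.

```shell
#!/bin/sh
# Offline lint for a customized teectl manifest. Added example, not teectl
# or Traefik Enterprise code. Assumptions: plain one-key-per-line YAML as
# emitted by teectl setup gen; Service types sit on a `type:` line inside a
# `kind: Service` document; pinned node ports sit on `nodePort:` lines. The
# range below is the kube-apiserver default (--service-node-port-range);
# override it through the environment if your cluster uses another one.
NODEPORT_MIN=${NODEPORT_MIN:-30000}
NODEPORT_MAX=${NODEPORT_MAX:-32767}

# check_service_types FILE: every `type:` inside a Service must be one of the
# four valid, case-sensitive values. Catches the classic `ClusterIp` typo.
# The `kind` guard keeps Deployment strategy `type:` lines out of the check.
check_service_types() {
  awk '
    BEGIN { bad = 0 }
    /^kind:/ { kind = $NF }
    /^[- ]*type:/ && kind == "Service" {
      t = $NF
      if (t != "ClusterIP" && t != "NodePort" && t != "LoadBalancer" && t != "ExternalName") {
        print "invalid Service type \"" t "\" (values are case-sensitive)"; bad = 1
      }
    }
    END { exit bad }
  ' "$1"
}

# check_nodeports FILE: pinned nodePorts must be inside the node port range
# and unique across the whole manifest. A duplicate is only rejected by the
# API server when the second Service is applied, after the first one works.
check_nodeports() {
  awk -v lo="$NODEPORT_MIN" -v hi="$NODEPORT_MAX" '
    BEGIN { bad = 0 }
    /^[- ]*nodePort:/ {
      p = $NF + 0
      if (p < lo || p > hi) { print "nodePort " p " outside range " lo "-" hi; bad = 1 }
      if (seen[p]++) { print "nodePort " p " pinned more than once"; bad = 1 }
    }
    END { exit bad }
  ' "$1"
}

# check_cluster_domain FILE DOMAIN: when the cluster domain is not
# cluster.local, no lookup in the manifest may still use svc.cluster.local.
check_cluster_domain() {
  if [ "$2" = "cluster.local" ]; then
    return 0
  fi
  if grep -q 'svc\.cluster\.local' "$1"; then
    echo "manifest still references svc.cluster.local; expected svc.$2"
    return 1
  fi
  return 0
}

# lint_manifest FILE [DOMAIN]: run every check; return 1 if any failed.
lint_manifest() {
  rc=0
  check_service_types "$1" || rc=1
  check_nodeports "$1" || rc=1
  check_cluster_domain "$1" "${2:-cluster.local}" || rc=1
  return $rc
}

# write_sample FILE: constructed sample (not teectl output) carrying the two
# mistakes the checks are meant to catch: a mis-cased type and a nodePort
# pinned twice.
write_sample() {
  cat > "$1" <<'EOF'
apiVersion: v1
kind: Service
metadata:
  name: proxy-svc
  namespace: traefikee
spec:
  type: ClusterIp
  ports:
    - name: http
      port: 80
      targetPort: http
      nodePort: 30080
    - name: https
      port: 443
      targetPort: https
      nodePort: 30080
EOF
}

# Usage: sh lint-manifest.sh manifest.yaml [cluster-domain]
if [ "$#" -ge 1 ]; then
  lint_manifest "$@"
fi
```

Run it against the file produced by teectl setup gen after your edits and before kubectl apply; a non-zero exit status together with the printed findings tells you what to fix. The duplicate check is deliberately strict and also flags the same nodePort used for TCP and UDP, which Kubernetes would allow; relax it if your installation relies on that.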

Using KubeDNS with service mesh enabled

If Traefik Enterprise is installed with the service mesh enabled and the Kubernetes cluster uses KubeDNS, the CoreDNS configuration (the Corefile) in the manifest needs to be updated so that the kubernetes plugin serves the same cluster domain as the one used in the wait-dns lookups.

Below is an example with the custom domain example.org:

```yaml
#[...]
  Corefile: |
    .:53 {
        errors
        health
        kubernetes example.org in-addr.arpa ip6.arpa {
          pods insecure
          upstream
          fallthrough in-addr.arpa ip6.arpa
        }
#[...]
```