Kubernetes Service Annotations
The Services are responsible for configuring how to reach the actual services that will eventually handle the incoming requests.
Kubernetes provides the Services objects that allow connecting traefik Hub API Gateway to the pods.
Traefik Hub API Gateway provides annotations to customize the connection.
"Annotations or IngressRoute?"
The Ingress and Service objects are limited and force using annotations.
For such a reason, we have created our own CRD IngressRoute that eases the configuration.
Even if you can use Ingress and Service objects,
we recommend to use the IngressRoute to expose your APIs through Traefik Hub API Gateway.
Configuration Example
- Service
- ServersTransport
- Ingress
- Deployment
- Secret
apiVersion: v1
kind: Service
metadata:
name: whoami
namespace: apps
annotations:
traefik.ingress.kubernetes.io/service.passhostheader: "true"
traefik.ingress.kubernetes.io/service.serverstransport: apps-mytransport@kubernetescrd
traefik.ingress.kubernetes.io/service.sticky.cookie: "true"
traefik.ingress.kubernetes.io/service.sticky.cookie.name: my-sticky-cookie
spec:
ports:
- port: 80
name: whoami
selector:
app: whoami
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
name: mytransport
namespace: apps
spec:
disableHTTP2: true
insecureSkipVerify: true
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: whoami
namespace: apps
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.priority: "42"
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
rules:
- host: my-domain.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: whoami
namespace: apps
port:
number: 80
tls:
- secretName: supersecret
kind: Deployment
apiVersion: apps/v1
metadata:
name: whoami
namespace: apps
spec:
replicas: 3
selector:
matchLabels:
app: whoami
template:
metadata:
labels:
app: whoami
spec:
containers:
- name: whoami
image: traefik/whoami
apiVersion: v1
kind: Secret
metadata:
name: supersecret
namespace: apps
data:
tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0=
tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
Annotations
| Annotation | Description | Default | Required |
|---|---|---|---|
traefik.ingress.kubernetes.io/service.nativelb | Allow using the Kubernetes Service load balancing between the pods instead of the one provided by Traefik Hub API Gateway. | false | No |
traefik.ingress.kubernetes.io/service.nodeportlb | Use the nodePort IP address when the service type is NodePort. It allows services to be reachable when Traefik Hub APi Gateway runs externally from the Kubernetes cluster but within the same network of the nodes. | false | No |
traefik.ingress.kubernetes.io/service.serversscheme | Scheme to use for the request to the upstream Kubernetes Service. | "http" "https" if port is 443 or contains the string https. | No |
traefik.ingress.kubernetes.io/service.serverstransport | Name of ServersTransport resource to use to configure the transport between Traefik and your servers. Format: <serverstransport-namespace>-<serverstransport-name>@<providername>.Ex: apps-mytransport@kubernetescrd | "" | No |
traefik.ingress.kubernetes.io/service.passhostheader | Forward client Host header to server. | true | No |
traefik.ingress.kubernetes.io/service.sticky.cookie.name | Name of the cookie used for the stickiness. | "" | No |
traefik.ingress.kubernetes.io/service.sticky.cookie.httpOnly | Allow the cookie can be accessed by client-side APIs, such as JavaScript. | false | No |
traefik.ingress.kubernetes.io/service.sticky.cookie.secure | Allow the cookie can only be transmitted over an encrypted connection (i.e. HTTPS). | false | No |
traefik.ingress.kubernetes.io/service.sticky.cookie.sameSite | SameSite policy. | "" | No |
traefik.ingress.kubernetes.io/service.sticky.cookie.maxAge | Number of seconds until the cookie expires. Negative number, the cookie expires immediately. 0, the cookie never expires. | 0 | No |