Comments (8)
I find traefik more effort than it is worth to use it and do not like using it in Kubernetes.
Here are my thoughts on Traefik, and sorry to go off into a tangent:
- They want people to pay for the HA TLS implementation which they considered to be not great (using Consul) instead of using cert-manager.
- They do not want to support native cert-manager integration in their CRs but are willing to support external-dns in the future.
- Their CRs like `ingressroute` are painful and not needed 99% of the time over plain ingress annotations.
- You should be using cert-manager so the built in acme support in Traefik is useless and does not scale.
- The grafana dashboard for ingress-nginx is prettier than anything I've found for Traefik.
- I can't name a single popular helm chart that supports the use of Traefik CRs.
- They continuously release breaking updates to their helm chart as patch or minor instead of a major release.
- ingress-nginx is a kubernetes-sigs project, which means support is much better and there are no ill intentions that might be created by investors.
With that out of the way, you might want to use the immich-proxy container which is just nginx pre-configured to handle routing the requests. I used to use it before I was shown the way to do it without that pod.
See my deployments of immich at this commit
from home-ops.
I know this doesn't answer your question but I find more and more people migrating to ingress-nginx so it's hard to keep up with examples I've come across in the past on how to do XYZ using Traefik. You might want to try asking in the k8s@home or immich discord if you want to continue to try with what you are doing.
from home-ops.
> I'm not using IngressRoute other than the dashboard

In that case migrating to ingress-nginx might be painless since all you need to do is swap annotations. I've done the migration in the past and it wasn't too hard, maybe took me 30 minutes overall. However it might be harder if you are using OIDC/oauth2-proxy etc.
from home-ops.
Thanks for tip wrt immich-proxy, works ootb, issue can be closed.
from home-ops.
I noticed you closed this out. You attempted Immich with Traefik just before I was able to try myself. I got it working without using the immich-proxy. I'll put some notes here for future references. An IngressRoute is not needed, just a middleware is needed.
- An immich-server middleware is needed to strip the `/api` to just `/`:

```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  namespace: immich
  name: immich-server-stripprefix
spec:
  stripPrefix:
    prefixes:
      - /api
    forceSlash: true
```

- Add a reference to this middleware file in the main kustomization file:

```yaml
- ./traefik-middleware.yaml
```
- Unlike what @onedr0p provides, I separated the two ingress to their respective `values.yaml`. The `immich-web` and `immich-server` now each have a single ingress.
Ingress for immich-server (api):

```yaml
ingress:
  main:
    enabled: true
    annotations:
      traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
      traefik.ingress.kubernetes.io/router.middlewares: "immich-immich-server-stripprefix@kubernetescrd"
    hosts:
      - host: photos.<redacted-domain>
        paths:
          - path: /api
            pathType: Prefix
            service:
              name: immich-server
              port: 3001
```
- The annotation for `entrypoints` resolves to my secure HTTPS port (443 to 8443).
- The annotation for `middlewares` is the path to the `stripprefix` middleware created above. It uses `<namespace>-<middleware_name>@kubernetescrd`. If you want to include additional middlewares, just use a comma separated list within that string.
And then the immich-web gets its respective ingress:

```yaml
main:
  enabled: true
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
  hosts:
    - host: photos.<redacted-domain>
      paths:
        - path: /
          pathType: Prefix
          service:
            name: immich-web
            port: 3000
```
Now within Traefik, you will have the two ingress:
When viewing the details of the immich-server path, the middleware is reflected:
from home-ops.
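The `<namespace>-<middleware_name>@kubernetescrd` reference format and comma-separated list described in the comment above can be checked against the Middleware objects that actually exist before an Ingress is deployed. This is an added example, not code from the thread or the home-ops repository; the `networking` namespace and `secure-headers` Middleware are hypothetical sample data.

```python
# Added example (not from the thread): resolve Traefik middleware references
# used in Ingress annotations against the Middleware objects that exist.
ANNOTATION = "traefik.ingress.kubernetes.io/router.middlewares"
SUFFIX = "@kubernetescrd"


def crd_reference(namespace, name):
    """Build the reference string in the form the thread describes."""
    return f"{namespace}-{name}{SUFFIX}"


def check_ingress(annotations, middlewares):
    """Return (resolved, unresolved, skipped) for one Ingress.

    middlewares: iterable of (namespace, name) pairs present in the cluster.
    Namespaces and names may both contain hyphens, so a reference cannot be
    split back into its parts; known objects are expanded and compared instead.
    """
    known = {crd_reference(ns, n): (ns, n) for ns, n in middlewares}
    resolved, unresolved, skipped = [], [], []
    raw = annotations.get(ANNOTATION, "")
    for ref in (part.strip() for part in raw.split(",")):
        if not ref:
            continue
        if not ref.endswith(SUFFIX):
            skipped.append(ref)        # other provider, not checked here
        elif ref in known:
            resolved.append(known[ref])
        else:
            unresolved.append(ref)     # no matching Middleware object
    return resolved, unresolved, skipped


# Constructed sample data: the Middleware from the thread plus a hypothetical
# "secure-headers" Middleware in a hypothetical "networking" namespace.
MIDDLEWARES = [("immich", "immich-server-stripprefix"),
               ("networking", "secure-headers")]
INGRESS_ANNOTATIONS = {
    "traefik.ingress.kubernetes.io/router.entrypoints": "websecure",
    ANNOTATION: "immich-immich-server-stripprefix@kubernetescrd, "
                "networking-secure-headers@kubernetescrd, "
                "immich-server-stripprefix@kubernetescrd",  # namespace prefix omitted
}

if __name__ == "__main__":
    ok, missing, other = check_ingress(INGRESS_ANNOTATIONS, MIDDLEWARES)
    print("resolved:", ok)
    print("unresolved:", missing)
```

The third reference in the sample omits the namespace prefix, so it is reported as unresolved even though a Middleware with that name exists in `immich`.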
BTW - I use a default TLS provider issued by cert-manager, that is a wildcard certificate. So I don't have to bother using any TLS references within any ingress. It will just automatically use TLS.
from home-ops.
Thanks @reefland for sharing the deep-dive learnings.
I've already engaged in the challenge outlined by @onedr0p as painless.
What I also used to do with Traefik is allow LE certs per subdomain, via cloudflare and haproxy load balancer on a pi (multiple domains routed that's why). Also strict TLS setup from CF. (So I can easily take CF out if down and still have a valid cert).
Also domains in CF were unable to be LE DNS01 challenged because they are not supported by CF api for that (`.tk` like domain).
So separating the ingresses would have meant for me what I was initially thinking, have an `api-photos.example.com`
from home-ops.
You're right on all points wrt Traefik :)
Right now I cannot give you a reason for using it, other than - it's legacy and at the root of everything.
I have to do a major overhaul to take it out.
I'm not using IngressRoute other than the dashboard, and yes, right now coasting with Ingress generated with annotations. I was maybe impressed at some point with TCP capabilities but never used them.
from home-ops.