Expose your home network services via Traefik Hub

This article was last updated on February 7, 2024.

Traefik Hub

About Traefik Hub

📚️Reference:

Your cloud-native networking platform. Publishing and hardening your containers has never been easier.
Traefik Hub provides a gateway for your services running on Kubernetes or other container platforms.

Traefik Hub Positioning:

  • Cloud-native networking platform

It has two core features, and that matches my experience of using it:

  • (Easy) publishing (publish a container service under a public domain name)
  • (Easy) hardening (HTTPS + authentication)

Traefik Hub main features

publish

Deploy Hub containers, choose your service, and get secure public access to your containers in seconds.

Security reinforcement

Access your containers through secure tunnels, deploy industry-standard authentication, and automate TLS certificate management.

Scalable

Start with a single Kubernetes or Docker cluster and seamlessly scale to multiple clusters on your centralized hub dashboard (with Traefik Hub Agent).

How Traefik Hub works

Traefik Hub Diagram

  • In your own Kubernetes or Docker cluster, install 2 Traefik Hub related components:
    • Traefik (Proxy)
    • Traefik Hub Agent (actually 3 components)
      • Hub Agent Auth Server
      • Hub Agent Controller
      • Hub Agent Tunnel
  • When you publish a service, Traefik Hub assigns it a unique domain name (DNS)
    • Clients access that domain over HTTPS
    • Traefik Hub receives the request and forwards it to the Traefik Hub Agent through the secure tunnel established between Traefik Hub and your own Traefik Hub Agent
    • The Traefik Hub Agent forwards the request to Traefik, which routes it to the specific service

Traefik Hub feature highlights

🖱️ One-click service publishing

Accessing services at the edge from anywhere has never been easier. For each published service, Traefik Hub provides a unique DNS name that can immediately be used to reach the container from anywhere on the internet.


🔒️ Encrypted tunnel

Traefik Hub connects to your cluster through a private, encrypted tunnel. With this tunnel, you can publish your containers for external access without having to worry about complex and insecure public IP or NAT configurations.

🎖️ Automate certificate management

Traefik Hub requests, renews, and propagates ACME certificates to all your clusters so that every service keeps a consistent TLS configuration.

🔑 Flexible access control

Secure access to your services regardless of the container orchestration tool you use. Traefik Hub supports JSON Web Token (JWT) and Basic Auth.

📺️ Centralized multi-cluster management dashboard

Easily visualize all your clusters, their configuration, service performance and the health of inbound traffic in a single window.

Technical details

Supported container orchestration platforms

  • Kubernetes
  • Docker
  • Docker Swarm

Supported Ingress Controller

  • Traefik Proxy 2.8

Underlying technology

  • Let’s Encrypt
  • Connection multiplexing
  • Secure tunnel

Traefik Hub quick installation

Apply for a Traefik Hub account

Sign up for an account at https://sso.hub.traefik.io/login.

Connect a new agent

After logging in normally, the interface is shown in the following figure:

Click the button Add.

Here my environment is:

  • K3s on a QNAP NAS (or Raspberry Pi) at home

So for the next step, choose Kubernetes, as shown below. (The other options are docker, docker compose and docker swarm. If you are able to run it, Kubernetes is recommended, because later on it is convenient to publish other home services through a Service + Endpoints pair. The recommended lightweight Kubernetes distribution is K3s, which runs in 512 MB of memory.)

After selecting Kubernetes, detailed steps will come out, as shown below:

📝Notes:

I followed the steps in the picture above one by one, and still ran into several surprises. The problems I hit and their solutions are described in a separate section below.

Install Traefik Proxy

Add the Traefik proxy helm repository:

helm repo add traefik https://helm.traefik.io/traefik
helm repo update

To install Traefik proxy:

helm upgrade --install traefik traefik/traefik \
--namespace hub-agent --create-namespace \
--set=additionalArguments='{--experimental.hub,--hub}' \
--set metrics.prometheus.addRoutersLabels=true \
--set providers.kubernetesIngress.allowExternalNameServices=true \
--set ports.web=null --set ports.websecure=null --set ports.metrics.expose=true \
--set ports.traefikhub-tunl.port=9901 --set ports.traefikhub-tunl.expose=true --set ports.traefikhub-tunl.exposedPort=9901 --set ports.traefikhub-tunl.protocol="TCP" \
--set service.type="ClusterIP" --set fullnameOverride=traefik-hub

Install the Traefik Hub Agent

Add the Traefik Hub Helm repository:

helm repo add traefik-hub https://helm.traefik.io/hub
helm repo update

Install the Traefik hub-agent

helm upgrade --install hub-agent traefik-hub/hub-agent \
--set token="<your-token>" --namespace hub-agent \
--create-namespace --set image.pullPolicy=Always --set image.tag=experimental

📝Notes

The token is shown directly in the Traefik Hub interface when you add an agent. Treat it as a credential: it is what authenticates your agent to the Hub, so keep it out of shell history and pasted logs, for example by supplying it from a values file with restricted permissions (helm -f values.yaml) instead of --set on the command line.

This completes the installation with the following components installed:

  • Traefik Proxy: 1 pod
  • Traefik Hub Agent
    • Hub Agent Auth Server: 3 pod
    • Hub Agent Controller: 1 pod
    • Hub Agent Tunnel: 1 pod

Once the installation has finished in the background, click Configuration Done on the page:

After clicking, you are taken to the following screen, which is quite visual:

I renamed my agent to nas-k3s, as follows:

A quick overview of the Traefik Hub page

The Traefik Hub UI is quite concise. This is the homepage (Dashboard):

  1. Agents
  2. Services
  3. Access Control Policies

Agents page:

Services page:

Access Control page:

Expose edge services through Traefik Hub

Exposing services in a Kubernetes cluster

The Traefik Hub Agent discovers all the Services in the Kubernetes cluster; to expose one, simply select it, as shown below:

Wait about 1 minute for the creation to complete:

Click the URL and the service is reachable. Exposing an edge service really has become simple and standardized. 👍️👍️👍️

Exposing edge non-Kubernetes services

At the edge (home) I still have many services (e.g. Jellyfin, the GOGS Git repository, the Calibre-web library, the NAS UI, etc.) that are not in the Kubernetes cluster. How can those be exposed?

The Traefik Hub Agent and Traefik Hub are connected by a secure tunnel, and the Kubernetes cluster sits on the home (edge) LAN, so in effect Traefik Hub can reach the home intranet through the agent. Therefore a non-Kubernetes service at home can be represented as a Kubernetes Service with a manually maintained Endpoints object, and then exposed through Traefik Hub exactly like a cluster service. Keep in mind that a service published this way becomes reachable from the whole internet under its Hub domain name, so attach an access control policy (JWT or Basic Auth, see above) unless the service has its own login.

Example: Exposing the Jellyfin service

Create the following services and endpoints in the Kubernetes cluster:

apiVersion: v1
kind: Service
metadata:
  name: jellyfin
  namespace: nas
  labels:
    app: jellyfin
spec:
  ports:
  - name: ui
    protocol: TCP
    port: 8096
    targetPort: 8096

apiVersion: v1
kind: Endpoints
metadata:
  name: jellyfin
  namespace: nas
  labels:
    app: jellyfin
subsets:
- addresses:
  - ip: 192.168.1.23
  ports:
  - name: ui
    port: 8096
    protocol: TCP

Note that the Service has no selector (so Kubernetes will not manage its endpoints) and that the Endpoints object carries the same name and port name as the Service; both are required for the pairing to work. Then publish Service: jellyfin in the same way as in the previous section.

Once published, it can be accessed via the URL of the Traefik Hub:

🎉🎉🎉
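The two manifests above are one instance of a general recipe: a Service without a selector plus an Endpoints object whose name and port name match it. The shell script below, added here as an example and not part of the original post or of Traefik Hub, generates that pair for any service, and refuses loopback and link-local addresses (which the API server rejects in Endpoints) as well as anything outside the RFC 1918 private ranges, since a home service should never point at a public address. The function names (`ext_svc_manifest`, `valid_endpoint_ip`) and the `gen` subcommand are my own assumptions.

```shell
#!/bin/sh
# Added example: generate a selector-less Service plus a hand-maintained
# Endpoints object for a host outside the cluster, so that Traefik Hub can
# publish it like any other Service. Names (ext_svc_manifest, valid_endpoint_ip,
# the "gen" subcommand) are my own, not from the post or from Traefik Hub.
set -u

# Accept only a dotted-quad private (RFC 1918) unicast address. Loopback and
# link-local addresses are rejected by the API server in Endpoints anyway,
# and a home service should never be pointed at a public address.
valid_endpoint_ip() {
  ip=$1
  echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  a=${ip%%.*}; rest=${ip#*.}
  b=${rest%%.*}; rest=${rest#*.}
  c=${rest%%.*}; d=${rest#*.}
  for o in "$a" "$b" "$c" "$d"; do
    [ "$o" -le 255 ] || return 1
  done
  case "$ip" in
    127.*|169.254.*) return 1 ;;        # loopback / link-local: the API server refuses them
    10.*|192.168.*)  return 0 ;;        # 10/8 and 192.168/16
    172.*)                              # 172.16/12 only
      if [ "$b" -ge 16 ] && [ "$b" -le 31 ]; then return 0; else return 1; fi ;;
    *)               return 1 ;;        # public, multicast, 0.0.0.0, ...
  esac
}

# Print the Service + Endpoints pair. Both objects share the name and the
# port name; the Service deliberately has no selector.
ext_svc_manifest() {
  name=$1; ns=$2; ip=$3; port=$4; portname=${5:-ui}
  valid_endpoint_ip "$ip" || { echo "refusing $ip: not a private unicast IPv4 address" >&2; return 1; }
  case "$port" in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
  [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: $name
  namespace: $ns
  labels:
    app: $name
spec:
  # no selector: endpoints are maintained by the Endpoints object below
  ports:
  - name: $portname
    protocol: TCP
    port: $port
    targetPort: $port
---
apiVersion: v1
kind: Endpoints
metadata:
  name: $name
  namespace: $ns
  labels:
    app: $name
subsets:
- addresses:
  - ip: $ip
  ports:
  - name: $portname
    port: $port
    protocol: TCP
EOF
}

# Usage: sh ext-svc.sh gen jellyfin nas 192.168.1.23 8096 | kubectl apply -f -
if [ "${1:-}" = "gen" ]; then shift; ext_svc_manifest "$@"; fi
```

The validation is the part worth keeping even if you hand-write the YAML: a typo that turns the address into a public IP would quietly publish someone else's host under your Hub domain, and a loopback address is rejected by the API server only at apply time, after the Service already exists.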

Problems encountered during the installation of Traefik Hub

Helm failed to install Traefik Proxy

The first problem encountered during installation was that, after running the command, Helm complained that the rendered YAML was invalid:

helm upgrade --install traefik traefik/traefik \
--namespace hub-agent --create-namespace \
--set=additionalArguments='{--experimental.hub,--hub}' \
--set metrics.prometheus.addRoutersLabels=true \
--set providers.kubernetesIngress.allowExternalNameServices=true \
--set ports.web=null --set ports.websecure=null --set ports.metrics.expose=true \
--set ports.traefikhub-tunl.port=9901 --set ports.traefikhub-tunl.expose=true --set ports.traefikhub-tunl.exposedPort=9901 --set ports.traefikhub-tunl.protocol="TCP" \
--set service.type="ClusterIP" --set fullnameOverride=traefik-hub

The workaround was to render the manifests with helm template --debug. The error pointed at a syntax problem on line 35 of the Deployment, and the rendered output looked like this:

...
spec:
  template:
    spec:
      - name: traefik:
...

There is an extra trailing colon after traefik. Delete that colon and run kubectl apply -f on the rendered manifests, and the installation succeeds.

All published service accesses report error 404

The second problem was that every published service returned a 404; requests were not being forwarded or redirected at all.

My own reading was that Traefik Proxy was failing to handle the requests once the Hub Agent had handed them over to it.

Solution:

Check Traefik Proxy’s logs and find that there are a large number of errors reported as follows:

E0918 13:01:08.566076       1 reflector.go:138] k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1alpha1.ServersTransport: failed to list *v1alpha1.ServersTransport: serverstransports.traefik.containo.us is forbidden: User "system:serviceaccount:hub-agent:traefik-hub" cannot list resource "serverstransports" in API group "traefik.containo.us" at the cluster scope

Checking the traefik-hub ClusterRole showed that the permission named in the log (list on serverstransports in the traefik.containo.us API group) was indeed missing, so I added it to the ClusterRole:

...
rules:
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - ''
  resources:
  - services
  - endpoints
  - secrets
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - extensions
  - networking.k8s.io
  resources:
  - ingresses
  - ingressclasses
- verbs:
  - update
  apiGroups:
  - extensions
  - networking.k8s.io
  resources:
  - ingresses/status
- verbs:
  - get
  - list
  - watch
  apiGroups:
  - traefik.containo.us
  resources:
  - ingressroutes
  - ingressroutetcps
  - ingressrouteudps
  - middlewares
  - tlsoptions
  - tlsstores
  - traefikservices
  - serverstransports
...

After the configuration is complete, it can be accessed normally.
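Before hand-editing a chart-managed ClusterRole it is worth confirming exactly which permissions the service account lacks; kubectl auth can-i asks the API server's own authorizer (a SubjectAccessReview), so it reflects the live RBAC state rather than what the chart was supposed to render. The script below is an added example (mine, not from the post or from Traefik): it walks the CRD resources listed in the ClusterRole above, reports the ones the traefik-hub service account cannot list, and prints an additive ClusterRole plus ClusterRoleBinding that grants only get/list/watch on those, leaving the Helm-managed ClusterRole untouched. The function names, the ClusterRole name traefik-hub-crd-extra and the KUBECTL override (used so the logic can be exercised with a stub) are assumptions; --as requires that your own user is allowed to impersonate service accounts.

```shell
#!/bin/sh
# Added example: find which Traefik CRDs the proxy's service account cannot
# list, then emit an additive RBAC grant for exactly those. Names below
# (rbac_missing, grant_manifest, traefik-hub-crd-extra, KUBECTL) are my own.
set -u

KUBECTL=${KUBECTL:-kubectl}          # overridable so the check can be exercised with a stub
SA=${SA:-system:serviceaccount:hub-agent:traefik-hub}   # subject from the log line above
CRD_GROUP=traefik.containo.us        # Traefik 2.x CRD API group

# Resources the Kubernetes CRD provider lists/watches (same set as the ClusterRole).
CRD_RESOURCES="ingressroutes ingressroutetcps ingressrouteudps middlewares tlsoptions tlsstores traefikservices serverstransports"

# Print, one per line, every resource in "$@" that $SA cannot 'list' cluster-wide.
# `kubectl auth can-i` answers yes/no from a SubjectAccessReview, i.e. live RBAC.
rbac_missing() {
  group=$1; shift
  for r in "$@"; do
    ans=$("$KUBECTL" auth can-i list "$r.$group" --as="$SA" 2>/dev/null || true)
    [ "$ans" = "yes" ] || echo "$r"
  done
  return 0
}

# Emit a ClusterRole + ClusterRoleBinding granting only get/list/watch on the
# given resources to the service account, without touching the chart's own role.
grant_manifest() {
  group=$1; sa_ns=$2; sa_name=$3; shift 3
  [ $# -gt 0 ] || { echo "nothing to grant" >&2; return 1; }
  list=""
  for r in "$@"; do list="${list:+$list, }\"$r\""; done
  cat <<EOF
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-hub-crd-extra
rules:
- apiGroups: ["$group"]
  resources: [$list]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-hub-crd-extra
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-hub-crd-extra
subjects:
- kind: ServiceAccount
  name: $sa_name
  namespace: $sa_ns
EOF
}

main() {
  missing=$(rbac_missing "$CRD_GROUP" $CRD_RESOURCES)
  if [ -z "$missing" ]; then
    echo "RBAC ok: $SA can list all Traefik CRDs" >&2
    return 0
  fi
  echo "missing 'list' permission on: $(echo $missing)" >&2
  # Review the output, then pipe it into `kubectl apply -f -`.
  grant_manifest "$CRD_GROUP" hub-agent traefik-hub $missing
}

# Usage: sh rbac-check.sh check | kubectl apply -f -
if [ "${1:-}" = "check" ]; then main; fi
```

Granting only the verbs and resources that are actually missing keeps the service account at least privilege; in particular it never widens the read access to secrets that the chart's first rule already carries.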

Summary

Traefik recently launched an interesting edge gateway SaaS service called Traefik Hub. It makes it easy to expose services sitting behind NAT on a home network. I tried it today with the NAS UI and Jellyfin, and it worked well.

It hides the complexity of tunnels, VPNs, TCP-over-UDP, SSL, DNS, domain names and so on. Publishing and securing edge gateways becomes simple and standardized:

  • Simple: it does two things well, publishing and security hardening.
  • Standardized: a single, unified architecture:

Traefik Hub Diagram

👍️👍️👍️

📝Notes:

Note that the Traefik Hub SaaS service is currently experimental, which is why it can be used for free.
Charges may be introduced at any time…

📚️ Reference documentation


Expose your home network services via Traefik Hub
https://e-whisper.com/posts/37795/
Author
east4ming
Posted on
September 19, 2022
Licensed under