Expose your home network services via Traefik Hub
This article was last updated on: July 24, 2024 am
About Traefik Hub
📚️Reference:
Your cloud-native networking platform – publishing and reinforcing your containers has never been easier.
Traefik Hub provides a gateway for your services running on Kubernetes or other container platforms.
Traefik Hub Positioning:
- Cloud-native networking platform
It has 2 core features, and this is also how the experience felt to me:
- (Easy) publishing (publish container service as a website domain name)
- (Easy) hardening (HTTPS + authentication)
Traefik Hub main features
Publish
Deploy Hub containers, choose your service, and get secure public access to your containers in seconds.
Security reinforcement
Access your containers through secure tunnels, deploy industry-standard authentication, and automate TLS certificate management.
Scalable
Start with a single Kubernetes or Docker cluster and seamlessly scale to multiple clusters on your centralized hub dashboard (with Traefik Hub Agent).
How Traefik Hub works
- In your own Kubernetes or Docker cluster, install 2 Traefik Hub related components:
- Traefik
- Traefik Hub Agent (actually 3 components)
- Hub Agent Auth Server
- Hub Agent Controller
- Hub Agent Tunnel
- When you publish a service, Traefik Hub assigns a unique domain name (DNS) to your service
- You access that domain over HTTPS
- Traefik Hub then receives the request and forwards the request to the Traefik Hub Agent through a secure tunnel established between Traefik Hub and your own Traefik Hub Agent
- The Traefik Hub Agent then forwards the request to Traefik, which then flows to the specific service
Traefik Hub’s related features
🖱️ One-click service publishing
Accessing edge services from anywhere has never been easier. For each published service, Traefik Hub provides a unique DNS name that can be immediately used to access the container from anywhere on the internet.
🔒️ Encrypted tunnel
Traefik Hub connects to your cluster through a private, encrypted tunnel. With this tunnel, you can publish your containers for external access without having to worry about complex and insecure public IP or NAT configurations.
🎖️ Automate certificate management
Traefik Hub will request, update, and propagate ACME certificates to all your clusters so that all services maintain a consistent security configuration.
🔑 Flexible access control
No matter which container orchestration tool you use, you get secure access to your services. Traefik Hub supports JSON Web Token (JWT) and Basic Auth.
📺️ Centralized multi-cluster management dashboard
Easily visualize all your clusters, their configurations, and the performance and health of services and inbound traffic in a single window.
Technical details
Supported container orchestration platforms
- Kubernetes
- Docker
- Docker Swarm
Supported Ingress Controller
- Traefik Proxy 2.8
In-house technology
- Let’s Encrypt
- Connection multiplexing
- Secure tunnel
Traefik Hub quick installation
Apply for a Traefik Hub account
Just sign up for an account at https://sso.hub.traefik.io/login
Connect a new agent
After logging in normally, the interface is shown in the following figure:
Click the Add button.
Here my environment is:
- K3s on my QNAP NAS (or Raspberry Pi) at home
So the next step is to choose Kubernetes, as shown below. (The other options are docker, docker compose and docker swarm. Kubernetes is recommended if you are able to run it, because it makes it convenient to publish other services at home through SVC+Endpoint later. The recommended lightweight Kubernetes distribution is K3s, which needs only 512MB of memory to run.)
After selecting Kubernetes, detailed steps will come out, as shown below:
Install the Hub Agent and related components on the K3s
📝Notes:
I followed the steps in the picture above one by one, and I still ran into many unexpected problems. The problems I encountered this time and their solutions are explained in a separate section below.
Install Traefik Proxy
Add the Traefik proxy helm repository:
To install Traefik proxy:
Install the Traefik Hub Agent
Add the Traefik Hub Helm repository:
Install the Traefik hub-agent
📝Notes
The token is given directly on the Traefik Hub interface.
This completes the installation with the following components installed:
- Traefik Proxy: 1 pod
- Traefik Hub Agent
- Hub Agent Auth Server: 3 pods
- Hub Agent Controller: 1 pod
- Hub Agent Tunnel: 1 pod
Once the installation on the backend is complete, click Configuration Done on the page:
After clicking, you are taken to the following interface, which is quite visual:
I renamed this Agent of mine to nas-k3s, as follows:
A quick overview of the Traefik Hub page
The Traefik Hub pages are quite concise. This is the homepage, the Dashboard:
- Agents
- Services
- Access Control Policies
Agents page:
Services page:
Access Control page:
Expose edge services through Traefik Hub
Exposing services in a Kubernetes cluster
The Traefik Hub Agent discovers all the services in the Kubernetes cluster. To expose one, just select it directly; it is very simple, as shown below:
Wait about 1 minute for the creation to complete:
Click the URL and the service is accessible as normal. This really makes exposing complex edge services simple and standardized. 👍️👍️👍️
Exposing edge non-Kubernetes services
At the edge (home), I still have a lot of services (e.g., Jellyfin, GOGS Git repository, Calibre-web library, NAS UI, etc.) that are not in the Kubernetes cluster. How can they be exposed?
The Traefik Hub Agent and Traefik Hub are connected by a secure tunnel, and the Kubernetes cluster is connected to the edge (home) intranet. In effect, Traefik Hub can therefore reach the internal network at home. So you can use a Kubernetes Service + Endpoint to represent non-Kubernetes services at home as Kubernetes services, and then expose them through Traefik Hub.
Example: Exposing the Jellyfin service
Create the following services and endpoints in the Kubernetes cluster:
Then publish Service: jellyfin in the same way as in the previous section.
Once published, it can be accessed via the URL of the Traefik Hub:
🎉🎉🎉
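The Service + Endpoints pair described above can look like the following. This is an added example, not the manifests from the original post; the LAN address 192.168.1.100, the port 8096 (Jellyfin's default HTTP port) and the default namespace are assumptions.

```yaml
# Added example (not from the original post).
# Assumptions: Jellyfin listens on 192.168.1.100:8096 on the home LAN,
# and the "default" namespace is used.
apiVersion: v1
kind: Service
metadata:
  name: jellyfin            # the Service name published in Traefik Hub
  namespace: default        # assumption
spec:
  # No selector: Kubernetes does not manage Endpoints for this Service,
  # so the manually created Endpoints object below supplies the backend.
  type: ClusterIP
  ports:
    - name: http
      protocol: TCP
      port: 8096
      targetPort: 8096
---
apiVersion: v1
kind: Endpoints
metadata:
  name: jellyfin            # must match the Service name exactly
  namespace: default
subsets:
  - addresses:
      - ip: 192.168.1.100   # constructed sample LAN address
    ports:
      - name: http          # must match the Service port name
        protocol: TCP
        port: 8096
```

Only the address and port listed in the Endpoints object are reachable through the published URL, so list exactly the backend you intend to publish and attach an Access Control Policy (JWT or Basic Auth) to it in Traefik Hub.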
Problems encountered during the installation of Traefik Hub
Helm failed to install Traefik Proxy
The first problem came up during installation: after executing the command, Helm reported a problem with the rendered YAML file.
The solution was to render the chart with helm template --debug. Rendering then reported a syntax error at line 35 of the Deployment, and the rendered output turned out to have something extra at the end. After deleting it, executing kubectl apply -f installed successfully.
All published service accesses report error 404
The second problem was that every published service returned error 404 when accessed. Forwarding and redirecting did not work normally.
Personally, I think it was caused by Traefik Proxy not handling the request properly after the request was forwarded to Traefik Proxy.
Workaround:
Checking Traefik Proxy’s logs shows a large number of errors like the following:
E0918 13:01:08.566076 1 reflector.go:138] k8s.io/[email protected]/tools/cache/reflector.go:167: Failed to watch *v1alpha1.ServersTransport: failed to list *v1alpha1.ServersTransport: serverstransports.traefik.containo.us is forbidden: User "system:serviceaccount:hub-agent:traefik-hub" cannot list resource "serverstransports" in API group "traefik.containo.us" at the cluster scope
Checking the corresponding traefik-hub ClusterRole shows that these permissions are indeed missing. The fix is to modify the ClusterRole to add the missing permissions.
After the configuration is complete, it can be accessed normally.
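One way to grant the permission that the log line above reports as missing, shown as an added example rather than the author's actual change: instead of editing the traefik-hub ClusterRole in place, it adds a separate read-only ClusterRole and binds it to the service account named in the error. The role and binding name traefik-hub-serverstransports-read is hypothetical.

```yaml
# Added example (not the chart's own manifest).
# Hypothetical name: traefik-hub-serverstransports-read.
# API group, resource, service account and namespace are taken from the
# "forbidden" log line quoted in the article.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-hub-serverstransports-read
rules:
  - apiGroups: ["traefik.containo.us"]
    resources: ["serverstransports"]
    # Read-only verbs: the reflector in the log needs list and watch.
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-hub-serverstransports-read
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-hub-serverstransports-read
subjects:
  - kind: ServiceAccount
    name: traefik-hub
    namespace: hub-agent
# Check the result afterwards (should print "yes"):
#   kubectl auth can-i list serverstransports.traefik.containo.us \
#     --all-namespaces --as=system:serviceaccount:hub-agent:traefik-hub
```

Granting only the one resource named in the error keeps the service account's cluster-wide access as narrow as the fix requires.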
Summary
Traefik recently launched an interesting edge gateway SaaS service called Traefik Hub. It makes it easy to expose IP addresses and services in your home behind NAT. I just tried to expose the NAS UI and Jellyfin today, and it worked well.
It hides the complexity of tunnels, VPNs, tcpoverudp, SSL, DNS, domain names… Publishing and encrypting through the edge gateway becomes simple and standardized.
- Simple means it does 2 things easily: publishing and security hardening.
- Standard means a unified architecture:
👍️👍️👍️
📝Notes:
However, the Traefik Hub SaaS service is currently experimental, so it can be used for free.
Subsequent charges may apply at any time…