traefik

Traefik is a "cloud native" reverse proxy and load balancer. We chose it for its Kubernetes and Let's Encrypt integration: Traefik watches Ingress objects and reloads its routing rules as they change. Make sure to understand the Traefik basics and the Kubernetes configuration and user guide.

Note: We deploy traefik as two deployments, "alpha" and "beta" (each with its own PersistentVolumeClaim), so that:

  1. The traefik ConfigMap can be reloaded one side at a time, without accidentally dropping all traffic.
  2. Failures are isolated to one side.
    • Our preemptible nodes have been dying and taking traefik down with them. (Issue: #20)
    • The PVC may have to move and re-mount before traefik can start again...

Authentication

Infra auth proxy

We run pusher/oauth2_proxy to handle authentication in front of our infra-oss.moov.io resources. To be granted access you just need to authorize our GitHub OAuth2 application (the OAuth credentials are in 11-secrets.yml). This blog post from DigitalOcean covers a setup similar to how we've deployed oauth2_proxy.

Certificates

We use Traefik's Let's Encrypt integration to dynamically obtain certificates for the hostnames specified in Ingress objects. Each certificate is stored in a PersistentVolume and renewed automatically by Traefik. For configuration parameters, check out the ConfigMap called traefik-config in the lb namespace.

Also, we monitor the Certificate Transparency logs for moov.io (and any future domains) with CertSpotter, so that a certificate issued for one of our names by anyone other than us is noticed.
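The check behind the two paragraphs above, as an added example (this is not code from this repository, from Traefik or from CertSpotter): take the hostnames Traefik will request certificates for from the Ingress objects, then compare them with what actually shows up in the CT logs. It reports names under moov.io that no Ingress declares (possible rogue issuance), certificates from an issuer other than Let's Encrypt, and Ingress hosts with no valid certificate outliving a renewal window (Traefik failed to issue or renew). Assumptions not stated on the page: the Ingress list has the shape of `kubectl get ingress -A -o json`, the CT records roughly follow the shape of CertSpotter's issuance API (`dns_names`, `issuer.name`, `not_after`), the 20-day window is arbitrary, and all hostnames other than infra-oss.moov.io and all records are constructed sample data.

```python
"""Reconcile CT issuances for moov.io against Ingress-declared hostnames.

Added example, not code from this repository. The Ingress list and CT records
below are constructed samples; the CT shape approximates CertSpotter's API.
"""
import json
from datetime import datetime, timedelta, timezone

MONITORED_DOMAIN = "moov.io"
EXPECTED_ISSUER = "Let's Encrypt"      # substring expected in every issuer name
RENEWAL_WINDOW = timedelta(days=20)    # assumption: flag hosts with no cert outliving this
NOW = datetime(2019, 3, 1, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible

# Constructed sample in the shape of `kubectl get ingress -A -o json`.
# Only infra-oss.moov.io appears on the page; the other hosts are made up.
SAMPLE_INGRESS_LIST = json.loads("""
{"items": [
  {"metadata": {"name": "infra", "namespace": "infra"},
   "spec": {"rules": [{"host": "infra-oss.moov.io"}],
            "tls": [{"hosts": ["infra-oss.moov.io"], "secretName": "infra-tls"}]}},
  {"metadata": {"name": "apps", "namespace": "apps"},
   "spec": {"rules": [{"host": "api.moov.io"}, {"host": "docs.moov.io"}]}}
]}
""")

# Constructed sample CT records, approximating CertSpotter's issuance objects.
LE = "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3"
SAMPLE_ISSUANCES = [
    # healthy: expected name, expected issuer, valid well past the renewal window
    {"id": "1", "dns_names": ["infra-oss.moov.io"], "issuer": {"name": LE},
     "not_before": "2019-01-15T00:00:00Z", "not_after": "2019-04-15T00:00:00Z"},
    # expired and never renewed: Traefik should have replaced this one
    {"id": "2", "dns_names": ["api.moov.io"], "issuer": {"name": LE},
     "not_before": "2018-11-20T00:00:00Z", "not_after": "2019-02-18T00:00:00Z"},
    # a name no Ingress declares: possible rogue issuance
    {"id": "3", "dns_names": ["vpn.moov.io"], "issuer": {"name": LE},
     "not_before": "2019-02-10T00:00:00Z", "not_after": "2019-05-11T00:00:00Z"},
    # an expected name, but issued by a CA we do not use
    {"id": "4", "dns_names": ["docs.moov.io"], "issuer": {"name": "CN=Some Other CA"},
     "not_before": "2019-02-20T00:00:00Z", "not_after": "2020-02-20T00:00:00Z"},
]


def parse_utc(ts):
    """Parse the RFC 3339 UTC timestamps used in the CT records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def in_scope(name):
    """True for the monitored domain and anything beneath it, wildcards included."""
    name = name.lower()
    return name == MONITORED_DOMAIN or name.endswith("." + MONITORED_DOMAIN)


def ingress_hostnames(ingress_list):
    """Every host Traefik routes (spec.rules) or terminates TLS for (spec.tls)."""
    hosts = set()
    for item in ingress_list.get("items", []):
        spec = item.get("spec", {})
        hosts.update(r["host"].lower() for r in spec.get("rules", []) if r.get("host"))
        for tls in spec.get("tls", []):
            hosts.update(h.lower() for h in tls.get("hosts", []))
    return hosts


def reconcile(ingress_list, issuances, now=NOW):
    """Compare CT issuances with the Ingress-declared hostnames and report anomalies."""
    expected = ingress_hostnames(ingress_list)
    horizon = now + RENEWAL_WINDOW
    unexpected_names, unexpected_issuer, covered = set(), [], set()
    for rec in issuances:
        names = {n.lower() for n in rec["dns_names"]}
        issuer_ok = EXPECTED_ISSUER in rec["issuer"]["name"]
        if not issuer_ok:
            unexpected_issuer.append(rec["id"])
        # Report in-scope names no Ingress declares, regardless of expiry: a lapsed
        # misissued certificate still points at a compromise or misconfiguration.
        # "*.moov.io" is in scope and never declared by an Ingress, so it is reported too.
        unexpected_names.update(n for n in names if in_scope(n) and n not in expected)
        # Only a certificate from the issuer we actually use, still valid past the
        # renewal window, counts as covering a host; a rogue certificate is not coverage.
        if issuer_ok and parse_utc(rec["not_after"]) > horizon:
            covered.update(names & expected)
    return {
        "unexpected_names": sorted(unexpected_names),    # possible rogue issuance
        "unexpected_issuer": sorted(unexpected_issuer),  # record ids from other CAs
        "uncovered_hosts": sorted(expected - covered),   # Traefik failed to issue or renew
    }


def sample_findings():
    """Run the reconciliation over the constructed samples."""
    return reconcile(SAMPLE_INGRESS_LIST, SAMPLE_ISSUANCES)


if __name__ == "__main__":
    print(json.dumps(sample_findings(), indent=2))
```

For the samples above the script reports vpn.moov.io as an unexpected name, record 4 as an unexpected issuer, and api.moov.io and docs.moov.io as uncovered: the first is an alert, the other two mean Traefik's renewal (or the Ingress) needs a look. Feed it real input by replacing the samples with the output of `kubectl get ingress -A -o json` and CertSpotter's issuance list for the domain.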

Read over the https.dev ACME Operations tips and tricks for in-depth detail on ACME certificate issuance and renewal.