First things first, make sure you have a Service Fabric cluster up and running, either remotely or using the local development environment. Instructions on doing this can be found on the Service Fabric documentation page.
1. Clone this repository to your local machine.

   ```
   git clone https://github.com/jjcollinge/traefik-on-service-fabric.git
   ```
2. Download the latest Træfik binary for your architecture from the releases page.

   ```
   curl -L -o traefik.exe https://github.com/containous/traefik/releases/download/v1.5.4/traefik_windows-amd64.exe
   ```
3. Copy the Træfik binary to the expected location.

   ```
   cp traefik.exe $REPO_ROOT\Traefik\ApplicationPackageRoot\TraefikPkg\Code\
   ```

   If you're working against a local development cluster or don't require a secure cluster, skip to step 6.
4. Træfik must authenticate to the Service Fabric management API. Currently, you can only do this using a PEM-formatted client certificate. If you only have a `.pfx` certificate, you will need to convert it using the following commands:

   Extract the private key from the `.pfx` file.

   ```
   openssl pkcs12 -in $pfxCertFilePath -nocerts -nodes -out "$clientCertOutputDir\servicefabric.key" -passin pass:$certPass
   ```

   Extract the certificate from the `.pfx` file.

   ```
   openssl pkcs12 -in $pfxCertFilePath -clcerts -nokeys -out "$clientCertOutputDir\servicefabric.crt" -passin pass:$certPass
   ```

   The `-nodes` option writes the private key to `servicefabric.key` unencrypted, so keep `$clientCertOutputDir` readable only by the account that deploys Træfik.

   Træfik only requires read-only access to the Service Fabric API, so you should use a `Read-Only` certificate.
5. Copy your generated certificate files to the `Code\certs` folder Træfik expects to find them in.

   ```
   cp $clientCertOutputDir\* $REPO_ROOT\Traefik\ApplicationPackageRoot\TraefikPkg\Code\certs
   ```
6. Open `$REPO_ROOT\Traefik\Traefik\ApplicationPackageRoot\TraefikPkg\Code\traefik.toml` in a text editor. If you're using a secure cluster, ensure the TLS configuration section is uncommented and make sure the provided certificate paths are correct. Additionally, change the `clustermanagementurl` to use the prefix `https://`.

   The `clustermanagementurl` setting is relative to where Træfik is running. If Træfik is running inside the cluster on every node, the `clustermanagementurl` should be left as `http[s]://localhost:19080`. If, however, Træfik is running externally to the cluster, an accessible endpoint should be provided. If you are testing Træfik against an unsecure cluster, like your local onebox cluster, use `http://localhost:19080`.

   ```toml
   ################################################################
   # Service Fabric provider
   ################################################################

   # Enable Service Fabric configuration backend
   [servicefabric]

   # Service Fabric Management Endpoint
   clustermanagementurl = "https://localhost:19080"

   # Service Fabric Management Endpoint API Version
   apiversion = "3.0"

   # Enable TLS connection.
   #
   # Optional
   #
   [serviceFabric.tls]
     cert = "certs/servicefabric.crt"
     key = "certs/servicefabric.key"
     insecureskipverify = true
   ```

   With `insecureskipverify = true`, Træfik does not verify the server certificate presented by the management endpoint. Set it to `false` where the cluster certificate chains to a CA that the Træfik host trusts.
7. Applies to Linux clusters only. If you deploy on a Windows cluster, proceed with step 8.

   If you are deploying Træfik on a Service Fabric Linux cluster, update `traefik.toml`, `ApplicationManifest.xml`, and `ServiceManifest.xml` as shown below.

   **traefik.toml**

   Update Træfik's HTTP endpoint to use a high port (e.g. 8081).

   ```toml
   [entryPoints]
     [entryPoints.http]
     address = ":8081"
   ```

   **ApplicationManifest.xml**

   Delete or comment out the `RunAsPolicy`.

   ```xml
   <!--<Policies>
     <RunAsPolicy CodePackageRef="Code" UserRef="AdminUser" EntryPointType="All" />
   </Policies>-->
   ```

   You can also delete or comment out the `Principals` section, as it is no longer required.

   **ServiceManifest.xml**

   Update Træfik's proxy endpoint to use the previously configured high port:

   ```xml
   <Endpoint Name="TraefikTypeEndpoint" UriScheme="http" Port="8081" />
   ```

   Finally, remove the `.exe` file extension from the program name.

   ```xml
   <EntryPoint>
     <ExeHost>
       <Program>traefik</Program>
       ...
     </ExeHost>
   </EntryPoint>
   ```
8. This step is optional.

   You can choose to enable a watchdog service which will report stats and check that Træfik is routing correctly by sending synthetic requests and recording the results. The results of these checks are sent to Application Insights. If you would like this enabled, follow the guide here before continuing.
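9. Now we need to connect `sfctl` to our cluster using a suitable authentication method.

   ```
   sfctl cluster select --endpoint https://FQDN:19080 --pem /path/to/my/pem/cert.pem --no-verify
   ```

   `--no-verify` skips validation of the cluster's server certificate. Where the cluster certificate is issued by a CA, pass the CA bundle with `--ca` and omit `--no-verify`.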
10. We next need to upload our application package to the cluster.

    ```
    sfctl application upload --path $REPO_ROOT\Traefik\ApplicationPackageRoot --show-progress
    ```
11. Now provision a type from the uploaded package.

    ```
    sfctl application provision --application-type-build-path $REPO_ROOT\Traefik\ApplicationPackageRoot
    ```
12. Finally, create a named instance of that package.

    ```
    sfctl application create --app-name fabric:/Traefik --app-type TraefikType --app-version 1.0.4
    ```
13. To be able to ingress external requests via Træfik you'll need to open up and map the relevant ports on your public load balancer. For clusters on Azure, this will be your Azure Load Balancer. The default ports are `tcp/80` (proxy) and `tcp/8080` (API), but these can be configured in `$REPO_ROOT\Traefik\ApplicationPackageRoot\TraefikPkg\Code\traefik.toml` and in `$REPO_ROOT\Traefik\Traefik\ApplicationPackageRoot\TraefikPkg\ServiceManifest.xml`.

    If you have applied the changes for Linux clusters in step 7, you can map Træfik's proxy endpoint using a high port to a standard port (e.g. 80 or 443) on the Azure Load Balancer.

    The API port serves Træfik's routing configuration, so if you publish `tcp/8080`, limit the load balancer rule to trusted source addresses.
14. Once the load balancer has been configured to route traffic on the required ports, you should be able to visit the Træfik dashboard at `http[s]://[clusterfqdn]:8080` if you have it enabled.

    If your cluster does not have any applications deployed, you will see an empty dashboard.

    NOTE: The dashboard will not render in various versions of Internet Explorer.
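
A preflight check for the Service Fabric provider settings edited in step 6, added here as an example and not part of this repository: it flags a URL scheme that disagrees with the TLS section, a plaintext management URL pointing off-host, and disabled server certificate verification. The function names `read_settings` and `audit`, the finding codes and the sample configuration are assumptions made for the example; the reader only handles the flat `[table]` / `key = value` layout shown above and is not a full TOML parser.

```python
import re
from urllib.parse import urlparse

# Constructed sample mirroring the step 6 snippet, including its mixed-case table names.
SAMPLE = """
[servicefabric]
clustermanagementurl = "https://localhost:19080"
apiversion = "3.0"
[serviceFabric.tls]
cert = "certs/servicefabric.crt"
key = "certs/servicefabric.key"
insecureskipverify = true
"""

def read_settings(text):
    """Flat reader for `[table]` / `key = value` lines (not a full TOML parser).
    Names are lower-cased because the page writes both `servicefabric` and `serviceFabric`."""
    settings, table = {}, ""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out setting
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            table = header.group(1).strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep:
            settings[f"{table}.{key.strip().lower()}"] = value.strip().strip('"')
    return settings

def audit(text):
    """Return finding codes (hypothetical names) for the Service Fabric provider section."""
    s = read_settings(text)
    url = urlparse(s.get("servicefabric.clustermanagementurl", ""))
    has_client_cert = all(s.get(f"servicefabric.tls.{k}") for k in ("cert", "key"))
    findings = []
    if url.scheme == "https" and not has_client_cert:
        findings.append("https-without-client-cert")  # secure cluster needs the PEM pair
    if url.scheme == "http" and has_client_cert:
        findings.append("http-with-client-cert")      # step 6: switch the prefix to https://
    if url.scheme == "http" and url.hostname not in ("localhost", "127.0.0.1", "::1"):
        findings.append("plaintext-remote-endpoint")  # management API traffic leaves the host unencrypted
    if s.get("servicefabric.tls.insecureskipverify", "false").lower() == "true":
        findings.append("server-cert-not-verified")   # insecureskipverify = true
    return findings

if __name__ == "__main__":
    for code in audit(SAMPLE):
        print("finding:", code)
```

Run it against the contents of `traefik.toml` before uploading the application package in step 10; an empty result means none of the four conditions matched.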