Traefik as ingress - is the ingress annotation really needed?

[rabidsloth]

I'm trying to figure out what linkerd.io/inject: ingress actually does and if it's truly necessary when running Traefik 2. I'm running Traefik as an ingress and if I just use the regular linkerd.io/inject: enabled annotation, things seem to work fine... I've done some packet captures from the Traefik instance and it seems that mtls is still encrypting data between Traefik and the downstream service and all works fine. If I change that annotation to ingress , it breaks all Traefik routing and the linkerd-proxy on that Traefik pod throws these:

[   201.365218s]  INFO ThreadId(01) outbound: linkerd_app_core::serve: Connection closed error=ingress-mode routing is HTTP-only

and Traefik throws a bunch of errors like this on startup:

E1201 02:01:17.770384       1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1alpha1.TLSOption: an error on the server ("") has prevented the request from succeeding (get tlsoptions.traefik.containo.us)
E1201 02:01:19.423556       1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1beta1.Ingress: an error on the server ("") has prevented the request from succeeding (get ingresses.extensions)

So, can anyone explain why there is a need for the annotation change on to ingress when using Traefik, and any ideas why it seems to work fine without that but breaks with it?

[mateiidavid]

Hi @rabidsloth, it all depends on how traffic is routed from the ingress controller to the downstream services. Linkerd generally expects the IP of a Kubernetes service (i.e virtual IP) and a port number when intercepting traffic. It does service discovery based on this virtual IP: current endpoints are collected and additional metadata such as ServiceProfile resources.

Most ingresses, by default, do their own endpoint selection. If the endpoint has already been picked, Linkerd will connect directly to it, but you won't have any other features enabled, such as load balancing, traffic splitting, and so on. When running in ingress mode, the proxy is configured to read the target based on header values. Since we can expect the target to be the FQDN of a service, we can do service discovery on it and provide all the features that are missing in ingress mode.

if it's truly necessary when running Traefik 2. I'm running Traefik as an ingress and if I just use the regular linkerd.io/inject: enabled annotation, things seem to work fine... I've done some packet captures from the Traefik instance and it seems that mtls is still encrypting data between Traefik and the downstream service and all works fine.

It's not necessary for mTLS. If you're happy with the ingress controller making its own routing decision, then you can leave it as is. If you want linkerd to be the authority here (no http header pun intended) then you can enable ingress mode. Both ways work, it really depends on what you need.

If I change that annotation to ingress , it breaks all Traefik routing and the linkerd-proxy on that Traefik pod throws these

In ingress mode, we only support HTTP calls (since we need to read the http headers to figure out where the target is). Port 443 is HTTPS, I've seen this before and I think it's very likely that Traefik is talking to the kubelet on 443 for readiness check. In this instance, you can bypass the proxy on 443 through --skip-outbound-ports.

Traefik throws a bunch of errors like this on startup

Hm, perhaps it's related to the above error? Skip port on 443 and Traefik will be able to talk to the k8s api server. In "normal" mode, the proxy should just transparently forward the request so you shouldn't need to do it.

So, can anyone explain why there is a need for the annotation change on to ingress when using Traefik, and any ideas why it seems to work fine without that but breaks with it?

I can't speak for how it breaks Traefik's routing (ideally Traefik wouldn't even have a say in the routing decision), but based on the logs, the proxy breaks because of the request on port 443.

You don't need the annotation for linkerd to work, it's a convinient way of enabling linkerd's feature alongside your ingress controller. Unfortunately, Traefik doesn't have a way of letting us overwrite its routing behaviour (e.g like service-upstream in ingress-nginx) so ingress mode is required for users that want to use ServiceProfiles and linkerd's lb algorithm.

You can read more about everything here: https://linkerd.io/2.11/tasks/using-ingress/#ingress-details

Thanks for the question, hope this solves your issues. :)

[rabidsloth]

@mateiidavid Thanks a ton for the quick response and very thorough answer! I'm strictly looking at Linkerd for mTLS, so this works great for me. Your explaination completely answers what I was confused about!

Cheers!