How to use Traefik Hub with Consul Connect on an Ubuntu Linux virtual machine (VM).
To follow along in this tutorial, we will need:
- A Linux machine running Ubuntu. For this tutorial, we are using Multipass to orchestrate an Ubuntu Focal VM.
- systemd (should be included in Ubuntu)
- Latest Traefik Hub binary
- Consul
All config files are in the public GitHub repository that accompany this article, so we just have to clone it:
git clone https://github.com/traefik-workshops/traefik-hub-consul-connect.git
cd traefik-hub-consul-connect
First, we will install Traefik Hub on Linux. We can do this by following the instructions in the official Traefik Hub documentation.
Here is the traefik-hub.toml
file we will use for this tutorial:
[hub]
token = "$HUB_TOKEN"
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[log]
level = "INFO"
filePath = "/var/log/traefik-hub.log"
# Enable API and dashboard
[api]
dashboard = true
insecure = true
# Enable ping
[ping]
[accesslog]
addInternals = true
Once we have successfully installed Traefik Hub, run the following command to update the configuration file and check that Hub started correctly:
export HUB_TOKEN=...
cat files/traefik-hub-intro.toml | envsubst | sudo tee /etc/traefik-hub/traefik-hub.toml
sudo systemctl restart traefik-hub.service
sudo systemctl --no-pager status traefik-hub.service
● traefik-hub.service - Traefik Hub
Loaded: loaded (/etc/systemd/system/traefik-hub.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2024-10-08 09:29:22 WAT; 2s ago
Main PID: 1528 (hub)
Tasks: 6 (limit: 1084)
Memory: 28.1M
CGroup: /system.slice/traefik-hub.service
└─1528 /usr/local/bin/hub --configfile=/etc/traefik-hub/traefik-hub.toml
Oct 08 09:29:22 scholarly-crossbill systemd[1]: Started Traefik Hub.
Note
We can get the hub token and hub platform url by creating a new Gateway for Linux on the Traefik Hub Online Dashboard and following the installation instructions.
If we enable the dashboard and we navigate to <server-ip>:8080/dashboard/
in the host machine browser, we should see the Traefik Hub Dashboard.
And if we head over to the Traefik Hub online dashboard, we should also see that the gateway status is online.
Note
You might need to add some firewall rules depending on your cloud provider.
Warning
You might need to add some firewall rules to allow traffic depending on your cloud provider.
Consul Connect is a proxy layer that routes all service-to-service traffic through an encrypted and authenticated (Mutual TLS) tunnel.
Traefik Hub needs the Consul Catalog provider to interact with Consul services.
Following consul installation instructions you will have to configure it a little bit to make it work as a standalone cluster:
sudo cp files/consul-standalone.hcl /etc/consul.d/
sudo systemctl start consul
sudo systemctl enable consul
sudo systemctl --no-pager status consul
Run the following command to configure the traefik-hub.toml
file to include Consul Catalog provider:
cat files/traefik-hub-final.toml | envsubst | sudo tee /etc/traefik-hub/traefik-hub.toml
The provider declaration looks like this:
[providers.consulCatalog]
exposedByDefault = false
connectAware = true
prefix = "traefik"
[providers.consulCatalog.endpoint]
address = "127.0.0.1:8500"
Restart Traefik Hub:
sudo systemctl restart traefik-hub.service
sudo systemctl --no-pager status traefik-hub.service
Register Traefik Hub with Consul by creating a new traefik-hub.hcl file:
sudo cp files/traefik-hub.hcl /etc/consul.d/traefik-hub.hcl
Add the following content:
service {
name = "traefik"
port = 80
connect {
sidecar_service {}
}
tags = ["traefik.enable=true"]
check {
name = "Traefik Health Check"
http = "http://localhost:8080/ping"
interval = "10s"
timeout = "1s"
}
}
Restart Consul:
sudo systemctl restart consul
If we head over to the local dashboard, we should see the consul catalog provider in the services section:
Next we need to Install Envoy Proxy as Consul Connect uses Envoy as the default sidecar proxy.
wget -O- https://apt.envoyproxy.io/signing.key | sudo gpg --dearmor -o /etc/apt/keyrings/envoy-keyring.gpg
echo "deb [signed-by=/etc/apt/keyrings/envoy-keyring.gpg] https://apt.envoyproxy.io focal main" | sudo tee /etc/apt/sources.list.d/envoy.list
sudo apt-get update
sudo apt-get install envoy
envoy --version
After installing Envoy, we need to add the Consul Connect sidecar proxy service for Traefik Hub by running the following command:
sudo cp files/traefik-sidecar-proxy.service /etc/systemd/system/
sudo systemctl start traefik-sidecar-proxy
sudo systemctl enable traefik-sidecar-proxy
sudo systemctl --no-pager status traefik-sidecar-proxy
==> Consul Connect proxy starting...
Configuration mode: Agent API
Sidecar for ID: traefik
Proxy ID: traefik-sidecar-proxy
==> Log data will now stream in as it occurs:
2024-10-08T15:23:55.563+0100 [INFO] proxy: Proxy loaded config and ready to serve
2024-10-08T15:23:55.564+0100 [INFO] proxy: Parsed TLS identity: uri=spiffe://8e89a024-7f37-ac2b-8b47-c81f9d755dbb.consul/ns/default/dc/server1/svc/traefik
2024-10-08T15:23:55.564+0100 [INFO] proxy: Starting listener: listener="public listener" bind_addr=0.0.0.0:21000
We are doing this because In Consul Connect, services communicate through local Envoy sidecar proxies. Traffic between services is routed through these proxies, enabling mTLS encryption and enforcing service mesh policies.
Behind the scene it will the following command you could have run manually:
consul connect proxy -sidecar-for traefik
The systemd unit file reflects this command:
[Unit]
Description=Consul Connect Sidecar Proxy for Traefik Hub
Requires=traefik-hub.service
After=network-online.target traefik-hub.service
Wants=network-online.target
[Service]
Restart=on-failure
ExecStart=/usr/bin/consul connect proxy -sidecar-for traefik
User=root
Group=root
[Install]
WantedBy=multi-user.target
Now, If we head over to the consul dashboard, we should see the traefik
service running.
Further inspecting the traefik
service in the dashboard, it should show us that all the checks passed for the service.
In this section, we’ll:
-
Install whoami as a service
-
Register the service with Consul.
-
Expose the service through Traefik Hub.
-
Verify that everything is working as expected.
Download the whoami binary:
wget https://github.com/traefik/whoami/releases/download/v1.10.3/whoami_v1.10.3_linux_amd64.tar.gz
Note
Replace linux_amd64 with your system architecture if necessary (e.g., linux_arm64 for ARM-based systems).
Extract the Binary:
tar -xvf whoami_v1.10.3_linux_amd64.tar.gz
Move the Binary to /usr/local/bin/
:
sudo mv whoami /usr/local/bin/
Make the Binary Executable:
sudo chmod +x /usr/local/bin/whoami
Setting up whoami as a systemd service ensures it starts on boot and can be managed easily.
The following commands will setup the whoami service:
sudo cp files/whoami.service /etc/systemd/system/
sudo systemctl start whoami
sudo systemctl enable whoami
This will add the following content to the file:
[Unit]
Description=Whoami Service
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
Restart=on-abnormal
User=root
Group=root
ExecStart=/usr/local/bin/whoami --port 8081
PrivateTmp=true
ProtectHome=true
ProtectSystem=full
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
Check the Status of the Service:
sudo systemctl --no-pager status whoami
● whoami.service - Whoami Service
Loaded: loaded (/etc/systemd/system/whoami.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2024-10-09 12:10:59 WAT; 2s ago
Main PID: 1887 (whoami)
Tasks: 3 (limit: 1084)
Memory: 980.0K
CGroup: /system.slice/whoami.service
└─1887 /usr/local/bin/whoami
Oct 09 12:10:59 scholarly-crossbill systemd[1]: Started Whoami Service.
Oct 09 12:10:59 scholarly-crossbill whoami[1887]: 2024/10/09 12:10:59 Starting up on port 80
Ensure the service is active and running.
Note
Make sure that the whoami service is not running on the same port as Traefik Hub or another service, this can cause it to fail.
We need to create a Consul service definition for whoami so that it can be discovered by Traefik Hub via the Consul Catalog provider.
Create the Consul Service definition:
sudo cp files/whoami.hcl /etc/consul.d/whoami.hcl
Here is the whoami service definition:
service {
name = "whoami"
port = 8081
connect {
sidecar_service {}
}
tags = ["traefik.enable=true"]
check {
name = "Whoami Health Check"
http = "http://localhost:8081/api"
interval = "10s"
timeout = "1s"
}
}
Save the file and reload the Consul configuration:
sudo systemctl restart consul
The sidecar proxy handles secure communication within the service mesh.
Start the Sidecar Proxy service:
sudo cp files/whoami-sidecar-proxy.service /etc/systemd/system/
sudo systemctl start whoami-sidecar-proxy
sudo systemctl enable whoami-sidecar-proxy
sudo systemctl --no-pager status whoami-sidecar-proxy
If we head over to our Consul dashboard, we should see the whoami service registered.
Next, we’ll need to update our Consul whoami service configuration to enable Traefik Hub to route traffic to the whoami service.
To do so, update the whoami.hcl
file with the following:
sudo cp files/whoami-final.hcl /etc/consul.d/whoami.hcl
The only difference resides in tags:
--- files/whoami.hcl
+++ files/whoami-final.hcl
@@ -4,7 +4,14 @@
connect {
sidecar_service {}
}
- tags = ["traefik.enable=true"]
+ tags = [
+ "traefik.enable=true",
+ "traefik.http.routers.whoami.rule=PathPrefix(`/whoami`)",
+ "traefik.http.routers.whoami.entrypoints=web",
+ "traefik.consulcatalog.connect=true",
+ "traefik.http.middlewares.whoami-stripprefix.stripPrefix.prefixes=/whoami",
+ "traefik.http.routers.whoami.middlewares=whoami-stripprefix"
+ ]
check {
name = "Whoami Health Check"
http = "http://localhost:8081/api"
Note
Alternatively, we can also include connectByDefault = true
to the static configuration if we want Traefik Hub to automatically connect to all consul services.
Restart Consul:
sudo systemctl restart consul
If we head over to the Traefik Hub local dashboard, we should now see whoami as a route.
We can make a quick test to make sure that Traefik Hub is routing traffic appropriately.
If we run the following command:
curl -i localhost/whoami
We should get a similar result:
HTTP/1.1 200 OK
Content-Length: 462
Content-Type: text/plain; charset=utf-8
Hostname:
IP: 127.0.0.1
IP: ::1
IP: 192.168.64.3
IP: fdac:f919:570f:ce1c:5054:ff:fe87:f84e
IP: fe80::5054:ff:fe87:f84e
IP: 172.17.0.1
RemoteAddr: 127.0.0.1:41176
GET / HTTP/1.1
Host: localhost
User-Agent: curl/7.68.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: ::1
X-Forwarded-Host: localhost
X-Forwarded-Port: 80
X-Forwarded-Prefix: /whoami
X-Forwarded-Proto: http
X-Forwarded-Server:
X-Real-Ip: ::1
If we check the logs, we should see an entry for this request:
sudo journalctl -n 10 --no-pager -u traefik-hub | grep whoami
Oct 09 15:55:43 scholarly-crossbill systemd[1]: Started Traefik Hub.
Oct 09 16:14:35 scholarly-crossbill hub[3944]: ::1 - - [09/Oct/2024:15:14:35 +0000] "GET /whoami HTTP/1.1" 200 462 "-" "-" 1 "whoami@consulcatalog" "https://192.168.64.3:21001" 61ms