
Waypoint installation with Traefik Proxy ingress rule

The default Waypoint Helm chart installation configures the UI service waypoint-ui as type LoadBalancer and the server service waypoint-server as ClusterIP. Waypoint uses gRPC on port 9701 and HTTPS on port 9702. The UI service also configures an HTTP port on 80 and an HTTPS port on 443.

# Excerpt of the K8s UI service definition deployed with Waypoint
apiVersion: v1
kind: Service
metadata:
  ...
  name: waypoint-ui
  namespace: waypoint
  ...
spec:
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: http
  - name: https
    port: 443
    protocol: TCP
    targetPort: https
  - name: grpc
    port: 9701
    protocol: TCP
    targetPort: grpc
  - name: https-2
    port: 9702
    protocol: TCP
    targetPort: https

When using Traefik Proxy as the ingress controller, we need to change the UI service type and set some configuration values in the Waypoint Helm chart.

Waypoint Helm Chart Configuration

In summary, installing with ingress requires:

  • Changing the Waypoint UI service to ClusterIP
  • Defining the Helm chart configuration ui.ingress

These are the Helm chart values for this configuration:

# waypoint-values.yaml file
server:
  enabled: true
  image:
    repository: "docker.io/hashicorp/waypoint"
    tag: "0.7.1"
    pullPolicy: IfNotPresent

ui:
  service:
    # Using ClusterIP to use Traefik Ingress Controller
    type: ClusterIP
  ingress:
    enabled: true
    hosts:
      - host: ""
        paths:
          - /
    annotations:
      traefik.ingress.kubernetes.io/router.entrypoints: websecure

Host redirection

ui.ingress.hosts[*].host is left empty so that the UI can also be reached by IP address or by any hostname. Set your domain name or FQDN if it applies.

Then install Waypoint:

helm install waypoint -n waypoint --create-namespace -f waypoint-values.yaml hashicorp/waypoint

Traefik Proxy configuration

Traefik needs the following configuration to make the redirection work:

  • Enable insecureskipverify in Traefik to avoid a TLS handshake error when Traefik connects to the Waypoint service, because by default Waypoint serves HTTPS with a self-signed certificate. This is done with the additionalArguments parameter of the Traefik Helm chart. The flag is global: it turns off backend certificate verification for every service Traefik proxies, not only Waypoint.
  • Expose port 9701 in Traefik
  • Configure a passthrough rule in a Traefik IngressRouteTCP for port 9701

This is done by:

  • Deploying the Traefik Helm chart with the following values:

# Add this to any other values you already override
ports:
  waypoint:
    port: 9701
    expose: true
    exposedPort: 9701
    protocol: TCP

additionalArguments:
  - --serverstransport.insecureskipverify=true

  • Deploying this IngressRouteTCP CRD:

# waypoint-route.yaml values file
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: routewaypoint
  namespace: waypoint
spec:
  entryPoints:
    - waypoint
  routes:
    - match: HostSNI(`*`)
      services:
        - name: waypoint-server
          port: 9701
  tls:
    passthrough: true

kubectl apply -f waypoint-route.yaml
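
A narrower alternative to the global insecureskipverify flag, added here as an example (it is not part of the original post or of the Waypoint or Traefik charts): a Traefik ServersTransport that skips certificate verification only for the waypoint-ui backend. It assumes Traefik 2.4 or later with the Kubernetes CRD provider enabled; the file name and the resource name waypoint-selfsigned are hypothetical.

```yaml
# waypoint-serverstransport.yaml (hypothetical file name)
# Limits the TLS verification skip to the Waypoint UI backend instead of
# applying it to every service behind Traefik.
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: waypoint-selfsigned   # hypothetical name
  namespace: waypoint
spec:
  # Waypoint serves a self-signed certificate by default, so verification
  # is skipped for this transport only; other backends keep verification.
  insecureSkipVerify: true

# Reference the transport from the existing waypoint-ui Service with the
# annotation below. The value format is <namespace>-<name>@kubernetescrd:
#
#   kubectl annotate service waypoint-ui -n waypoint \
#     traefik.ingress.kubernetes.io/service.serverstransport=waypoint-waypoint-selfsigned@kubernetescrd
```

With the transport attached to waypoint-ui, the --serverstransport.insecureskipverify=true entry can be left out of additionalArguments, so the other backends keep certificate verification.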

Manual Traefik Ingress deployment

You can also deploy Waypoint without configuring ingress in the Helm values (you still need to set ui.service.type=ClusterIP) and deploy the Traefik ingress rule manually. In this case you can disable TLS and use port 80 to connect to the waypoint-ui service:

# waypoint-ingress.yaml values
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: waypoint
  namespace: waypoint
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    # Between Proxy and Waypoint it is a HTTP connection, so disable TLS
    traefik.ingress.kubernetes.io/router.tls: "false"
spec:
  rules:
    # - host: 192.168.2.83.nip.io
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name:  waypoint-ui
                port:
                  #  Don't use port 9702, because we are going insecure from proxy. HTTP port is 80
                  number: 80

Then deploy it to your Kubernetes cluster:

kubectl apply -f waypoint-ingress.yaml

Using Traefik Proxy included in Rancher Desktop

I am using Rancher Desktop on my macOS laptop. To configure the included Traefik Proxy, you just add a HelmChartConfig object configuration file, /var/lib/rancher/k3s/server/manifests/traefik-config.yaml, in the Lima VM that Rancher deploys.

You can do this by:

LIMA_HOME=~/Library/Application\ Support/rancher-desktop/lima/ \
limactl shell 0 sudo sh -c "cat - > /var/lib/rancher/k3s/server/manifests/traefik-config.yaml" <<EOF 
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    ports:
      waypoint:
        port: 9701
        expose: true
        exposedPort: 9701
        protocol: TCP

    additionalArguments:
      - --serverstransport.insecureskipverify=true
EOF