@mxschmitt (Owner)

Summary

  • Delete custom nginx-ingress manifest (642 lines)
  • Switch ingress to use k3s built-in Traefik
  • Remove --disable traefik from k3s install

Background

Why nginx-ingress was added (March 2021, #173):

  • At the time, bare-metal k3s deployments commonly used nginx-ingress
  • Used hostNetwork: true to bind nginx directly to host ports 80/443
  • Traefik (k3s default) was less mature and nginx was more familiar

Why this became a problem:

  • hostNetwork: true exposes ALL container ports to the host, including port 8443 (admission webhook)
  • BSI (German Federal Office for Information Security) flagged exposed port 8443 as a security risk
  • CVE-2025-1974 "IngressNightmare" allows unauthenticated RCE via exposed admission webhooks
  • While we updated to patched nginx v1.14.1 ("security: update Ingress-NGINX to v1.14.1 to fix CVE-2025-1974", #294), the webhook should never be internet-accessible

Why Traefik is better now:

  • Built into k3s, no custom manifest to maintain
  • Auto-updates with k3s upgrades
  • Doesn't expose admission webhooks externally
  • Traefik v3 (in k3s 1.32+) is mature and feature-complete

Deployment notes

On the production server:

# Remove old nginx-ingress resources
kubectl delete namespace ingress-nginx

# Apply updated manifests
kubectl apply -f k8/

Traefik is already running (k3s default) and will pick up the ingress.

🤖 Generated with Claude Code

Switch from custom nginx-ingress deployment to k3s built-in Traefik.

Background:
- nginx-ingress was added in March 2021 (#173) for bare-metal k3s deployment
- Used hostNetwork: true to bind directly to host ports 80/443
- This also exposed port 8443 (admission webhook) to the internet

Why migrate:
- BSI (German Federal Office for Information Security) flagged exposed port 8443
  as a security risk (CVE-2025-1974 "IngressNightmare")
- Traefik is built into k3s and doesn't expose admission webhooks
- Eliminates 642 lines of custom manifest to maintain
- Traefik auto-updates with k3s upgrades

Changes:
- Delete k8/nginx.yaml (custom nginx-ingress manifest)
- Update frontend-ingress.yaml to use Traefik
- Remove --disable traefik from k3s install (CI and README)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
@mxschmitt mxschmitt merged commit 4347513 into main Jan 29, 2026
10 checks passed
@mxschmitt mxschmitt deleted the migrate-to-traefik branch January 29, 2026 19:16
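An added example, not part of this PR or the project's own code: a stdlib-only Python audit that reads `kubectl get pods -A -o json` output and reports every port a pod places on the node's interfaces. It covers the case described above, `hostNetwork: true`, where the admission webhook on 8443 rides along with 80/443, and also the more general per-port `hostPort` case that k3s's service load balancer pods use. The embedded pod objects are constructed samples shaped after a typical ingress-nginx controller and k3s Traefik deployment, not real cluster output; pod names, the `svclb-traefik` layout and the `--stdin` flag are assumptions of this example.

```python
"""Audit `kubectl get pods -A -o json` output for listeners reachable on the node.

A pod's port ends up on the host's interfaces in two ways:
  * spec.hostNetwork: true   -> every port the pod listens on is on the host
  * ports[].hostPort          -> that single port is mapped onto the host
"""
import json
import sys

# Ports whose host exposure is a finding in its own right. 8443 is the default
# ingress-nginx admission webhook port, the target of CVE-2025-1974.
SENSITIVE_PORTS = {8443: "ingress-nginx admission webhook"}


def host_exposed_ports(pod):
    """Return [(container, host_port, port_name, reason)] for one pod object.

    Only declared containerPorts are inspected; with hostNetwork every listener
    in the pod is exposed, declared or not, so treat this as a lower bound.
    """
    spec = pod.get("spec", {})
    host_network = bool(spec.get("hostNetwork", False))
    exposed = []
    for container in spec.get("containers", []) + spec.get("initContainers", []):
        for port in container.get("ports", []):
            if host_network:
                # With hostNetwork the containerPort *is* the host port.
                exposed.append((container["name"], port["containerPort"],
                                port.get("name", ""), "hostNetwork"))
            elif "hostPort" in port:
                exposed.append((container["name"], port["hostPort"],
                                port.get("name", ""), "hostPort"))
    return exposed


def audit(pod_list, sensitive_ports=SENSITIVE_PORTS):
    """Return one finding dict per exposed port; HIGH for sensitive ports, INFO otherwise."""
    findings = []
    for pod in pod_list.get("items", []):
        meta = pod["metadata"]
        for container, port, name, reason in host_exposed_ports(pod):
            findings.append({
                "namespace": meta["namespace"],
                "pod": meta["name"],
                "container": container,
                "port": port,
                "port_name": name,
                "reason": reason,
                "severity": "HIGH" if port in sensitive_ports else "INFO",
                "note": sensitive_ports.get(port, ""),
            })
    return findings


def _pod(ns, name, containers, host_network=False):
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"hostNetwork": host_network, "containers": containers}}


# Constructed sample (not real cluster output): the hostNetwork ingress-nginx layout
# the PR removes, the k3s Traefik pod, and the svclb pod that maps 80/443 for it.
SAMPLE = {"items": [
    _pod("ingress-nginx", "ingress-nginx-controller-abc12", host_network=True, containers=[{
        "name": "controller",
        "ports": [{"name": "http", "containerPort": 80},
                  {"name": "https", "containerPort": 443},
                  {"name": "webhook", "containerPort": 8443}]}]),
    _pod("kube-system", "traefik-xyz89", containers=[{
        "name": "traefik",
        "ports": [{"name": "web", "containerPort": 8000},
                  {"name": "websecure", "containerPort": 8443}]}]),
    _pod("kube-system", "svclb-traefik-node1", containers=[
        {"name": "lb-tcp-80", "ports": [{"containerPort": 80, "hostPort": 80}]},
        {"name": "lb-tcp-443", "ports": [{"containerPort": 443, "hostPort": 443}]}]),
]}


def main():
    # `python3 audit.py --stdin < pods.json` audits real output; no flag runs the sample.
    pods = json.load(sys.stdin) if "--stdin" in sys.argv else SAMPLE
    for f in audit(pods):
        print(f"{f['severity']:4} {f['namespace']}/{f['pod']} {f['container']}:{f['port']} "
              f"({f['port_name'] or '-'}, via {f['reason']}) {f['note']}")


if __name__ == "__main__":
    main()
```

Run as `kubectl get pods -A -o json | python3 audit.py --stdin`. On the sample, the ingress-nginx 8443 webhook is the only HIGH finding; Traefik's own `websecure` listener on 8443 does not appear at all, because that pod is not on the host network and only reaches the node through the svclb hostPorts 80 and 443, which show up as INFO.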