Replace ingress-nginx references with Traefik

Update documentation across multiple pages to recommend Traefik
as the default ingress controller instead of ingress-nginx:

- Switch ingress controller references from nginx to Traefik
- Update installation commands to use arkade install traefik2
- Replace nginx-specific annotations with Traefik equivalents
- Update ingressClassName from nginx to traefik
- Add Traefik timeout configuration guide with Helm and arkade examples
- Update FunctionIngress ingressType from nginx to traefik
- Update service names and namespaces for Traefik

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>
Amp-Thread-ID: https://ampcode.com/threads/T-019c4cec-42e5-71c9-82d5-a1da8b78a945
Co-authored-by: Amp <amp@ampcode.com>

Author: welteki

docs/architecture/production.md

@@ -158,9 +158,9 @@ Whether you need to configure new networking for your OpenFaaS deployments, or i
 
 It is recommended that you use an IngressController and TLS so that traffic between your clients and your OpenFaaS Gateway is encrypted.
 
-You may already have opinions about what IngressController you want to use, the maintainers like to use Nginx given its broad adoption and relative ubiquity.
+You may already have opinions about what IngressController you want to use, the maintainers like to use Traefik given its broad adoption and relative ubiquity.
 
-> See also: [Nginx IngressController](https://github.com/kubernetes/ingress-nginx) 
+> See also: [Traefik Proxy](https://doc.traefik.io/traefik/) 
 
 Heptio Contour also includes automatic retries and additional Ingress extensions which you may find useful:
 

docs/deployment/kubernetes.md

@@ -74,7 +74,7 @@ There are three recommended ways to install OpenFaaS and you can pick whatever m
 
 #### 1) Deploy the Chart with `arkade` (fastest option)
 
-The `arkade install` command installs OpenFaaS using its official helm chart. arkade can also install other important software for OpenFaaS users such as `cert-manager` and `nginx-ingress`. It's the easiest and quickest way to get up and running.
+The `arkade install` command installs OpenFaaS using its official helm chart. arkade can also install other important software for OpenFaaS users such as `cert-manager` and `traefik`. It's the easiest and quickest way to get up and running.
 
 You can use [arkade](https://arkade.dev/) to install OpenFaaS to a regular cloud cluster, your laptop, a VM, a Raspberry Pi, or a 64-bit Arm machine.
 
@@ -197,7 +197,7 @@ Also, ensure any [default load-balancer timeouts within GKE](https://cloud.googl
 To enable TLS while using Helm, try one of the following references:
 
 * [Get TLS for OpenFaaS the easy way with arkade](https://blog.alexellis.io/tls-the-easy-way-with-openfaas-and-k3sup/)
-* [Configure TLS with nginx-ingress and cert-manager](/reference/tls-openfaas)
+* [Configure TLS with Traefik and cert-manager](/reference/tls-openfaas)
 
 ### Setting an Image Pull Policy for your functions
 

docs/reference/tls-functions.md

@@ -41,7 +41,7 @@ Let's deploy a function from the store:
 faas-cli store deploy env
 ```
 
-If you're using ingress-nginx, then check the public IP with `kubectl get svc/nginxingress-nginx-ingress-controller`, note down the `EXTERNAL-IP`.
+If you're using Traefik, then check the public IP with `kubectl get svc/traefik -n kube-system`, note down the `EXTERNAL-IP`.
 
 Create a DNS A record or CNAME `env.example.com` pointing to the `EXTERNAL-IP`
 
@@ -55,13 +55,13 @@ Edit the following fields:
 * `issuerRef.name` - as per the Issuer name created above
 * `issuerRef.kind` - optional: either `Issuer` or `ClusterIssuer`
 
-If you're not using ingress-nginx, then also change the `spec.ingressType` field.
+If you're not using Traefik, then also change the `spec.ingressType` field.
 
 The `FunctionIngress` currently makes use of the `HTTP01` challenge, so a separate TLS certificate will be obtained for each FunctionIngress you create.
 
 ```sh
 export DOMAIN="env.example.com"
-
+ 
 cat << EOF > env-fni.yaml
 apiVersion: openfaas.com/v1
 kind: FunctionIngress
@@ -71,7 +71,7 @@ metadata:
 spec:
   domain: "env.example.com"
   function: "env"
-  ingressType: "nginx"
+  ingressType: "traefik"
   tls:
     enabled: true
     issuerRef:
@@ -160,7 +160,7 @@ metadata:
 spec:
   domain: "$DOMAIN"
   function: "env"
-  ingressType: "nginx"
+  ingressType: "traefik"
   path: "/v1/env/(.*)"
   tls:
     enabled: true
@@ -176,7 +176,7 @@ metadata:
 spec:
   domain: "$DOMAIN"
   function: "nodeinfo"
-  ingressType: "nginx"
+  ingressType: "traefik"
   path: "/v1/nodeinfo/(.*)"
   tls:
     enabled: true
@@ -193,4 +193,3 @@ kubectl apply -f api-v1-fni.yaml
 ```
 
 You'll now be able to access the above functions via `https://api.example.com/v1/env/` and `https://api.example.com/v1/nodeinfo/`.
-

docs/reference/tls-openfaas.md

@@ -26,22 +26,22 @@ If you are running on a local or private network, you can use [inlets-operator](
 
 ### Set up an Ingress Controller
 
-We recommend ingress-nginx for OpenFaaS, however any Ingress controller will work, or you can use Istio with separate instructions.
+We recommend Traefik for OpenFaaS, however any Ingress controller will work, or you can use Istio with separate instructions.
 
-To install ingress-nginx, use either the Helm chart, or arkade:
+To install Traefik, use either the Helm chart, or arkade:
 
 ```sh
-$ arkade install ingress-nginx
+$ arkade install traefik2
 ```
 
-See also: [ingress-nginx installation](https://kubernetes.github.io/ingress-nginx/deploy/)
+See also: [Traefik installation](https://doc.traefik.io/traefik/getting-started/install-traefik/)
 
 
 #### Timeouts for synchronous invocations
 
 Despite configuring OpenFaaS and your functions for [extended timeouts](/tutorials/expanded-timeouts.md), you may find that your Ingress Controller, Istio Gateway, or Cloud Load Balancer implements its own timeouts on connections. If you think you have everything configured correctly for OpenFaaS, but see a timeout at a very specific number such as 30s or 60s, then check the timeouts on your Ingress Controller or Load Balancer.
 
-For Ingress Nginx, to extend a synchronous invocation beyond one minute, add the `nginx.ingress.kubernetes.io/proxy-read-timeout` annotation to your Ingress resource. This annotation is specified in seconds - for example, to extend the timeout to 30 minutes, use `nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"`. 
+For Traefik, timeouts are typically configured at the EntryPoint level in the static configuration. See the [expanded timeouts guide](/tutorials/expanded-timeouts.md#load-balancers-ingress-and-service-meshes) for more details on configuring Traefik timeouts. 
 
 ### Install cert-manager
 
@@ -80,7 +80,7 @@ spec:
     - selector: {}
       http01:
         ingress:
-          class: nginx
+          class: traefik
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
@@ -97,7 +97,7 @@ spec:
     - selector: {}
       http01:
         ingress:
-          class: nginx
+          class: traefik
 ---
 
 EOF
@@ -113,13 +113,13 @@ $ kubectl apply -f issuer.yaml
 
 You will need to create an A or CNAME record for your domain, pointing to the public IP address of your Ingress controller.
 
-If you created the Ingress Controller with arkade, you'll see a new service in the default namespace called `ingress-nginx-controller`. You can find the public IP address with:
+If you created the Ingress Controller with arkade, you'll see a new service in the kube-system namespace called `traefik. You can find the public IP address with:
 
 ```sh
-$ kubectl get svc -n default ingress-nginx-controller
+$ kubectl get svc/traefik -n kube-system
 
-NAME                       TYPE           CLUSTER-IP   EXTERNAL-IP     PORT(S)                      AGE
-ingress-nginx-controller   LoadBalancer   10.43.87.4   18.136.136.18   80:31876/TCP,443:30108/TCP   28d
+NAME      TYPE           CLUSTER-IP   EXTERNAL-IP     PORT(S)                      AGE
+traefik   LoadBalancer   10.43.87.4   18.136.136.18   80:31876/TCP,443:31706/TCP   28d
 ```
 
 Take the IP address from the `EXTERNAL-IP` column and create an A record for your domain in your domain management software, or a CNAME record if you're using AWS EKS, and see a domain name in this field.
@@ -129,18 +129,16 @@ All users should create an entry for: `gateway.example.com` and then OpenFaaS da
 ### Configure TLS for the OpenFaaS gateway
 
 You can now configure the OpenFaaS gateway to use TLS by setting the following Helm values, you can save them in a file called `tls.yaml`:
-
+ 
 ```sh
 export DOMAIN="gw.example.com"
-export NGINX_TIMEOUT_SECS="1800" # 30 minutes
 
 cat > tls.yaml <<EOF
 ingress:
   enabled: true
-  ingressClassName: nginx
+  ingressClassName: traefik
   annotations:
     cert-manager.io/issuer: letsencrypt-prod
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "$NGINX_TIMEOUT_SECS"
   tls:
     - hosts:
         - $DOMAIN
@@ -159,10 +157,12 @@ ingress:
 EOF
 ```
 
-If you're using something other than ingress-nginx, then change the `ingressClassName` field accordingly. Note that the `kubernetes.io/ingress.class` annotation is deprecated and should not be used.
+If you're using something other than Traefik, then change the `ingressClassName` field accordingly. Note that the `kubernetes.io/ingress.class` annotation is deprecated and should not be used.
 
 The `cert-manager.io/issuer` annotation is used to pick between the staging and production Issuers for Let's Encrypt. If this is your first time working with cert-manager, you may want to use the staging issuer first to avoid running into rate limits if you have something misconfigured.
 
+> Note: For extended timeouts beyond Traefik's defaults, see the [expanded timeouts guide](/tutorials/expanded-timeouts.md#load-balancers-ingress-and-service-meshes) for information on configuring Traefik's EntryPoint timeouts.
+
 Now upgrade OpenFaaS via helm, use any custom values.yaml files that you have saved from a previous installation:
 
 ```sh
@@ -182,15 +182,13 @@ Edit the previous example:
 ```sh
 export DOMAIN="gw.example.com"
 export DOMAIN_DASHBOARD="dashboard.example.com"
-export NGINX_TIMEOUT_SECS="1800" # 30 minutes
 
 cat > tls.yaml <<EOF
 ingress:
   enabled: true
-  ingressClassName: nginx
+  ingressClassName: traefik
   annotations:
     cert-manager.io/issuer: letsencrypt-prod
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "$NGINX_TIMEOUT_SECS"
   tls:
     - hosts:
         - $DOMAIN

docs/tutorials/expanded-timeouts.md

@@ -86,7 +86,51 @@ AWS EKS is configured to use an [Elastic Load Balancer (ELB)](https://aws.amazon
 
 Google Cloud's various Load Balancer options have their [own configuration options too](https://cloud.google.com/load-balancing/docs/https).
 
-For Ingress Nginx, set the `nginx.ingress.kubernetes.io/proxy-read-timeout` annotation to extend the timeout. This annotation is specified in seconds - for example, to extend the timeout to 30 minutes, use `nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"`.
+### Configuring Traefik timeouts
+
+For Traefik, timeouts are configured at the EntryPoint level in the static configuration. There are two main timeout values to consider:
+
+* `readTimeout` - Maximum duration for reading the entire request, including the body
+* `writeTimeout` - Maximum duration before timing out writes of the response
+
+These timeouts can be configured when installing Traefik via Helm or arkade. For example, to set 30-minute timeouts:
+
+**Using Helm values:**
+
+```yaml
+# traefik-values.yaml
+ports:
+  websecure:
+    port: 8443
+    expose: true
+    exposedPort: 443
+    protocol: TCP
+    tls:
+      enabled: true
+    transport:
+      respondingTimeouts:
+        readTimeout: 1800s
+        writeTimeout: 1800s
+```
+
+Then install or upgrade Traefik:
+
+```bash
+helm upgrade --install traefik traefik/traefik \
+  --namespace traefik \
+  --create-namespace \
+  -f traefik-values.yaml
+```
+
+**Using arkade with custom values:**
+
+```bash
+arkade install traefik2 \
+  --set "ports.websecure.transport.respondingTimeouts.readTimeout=1800s" \
+  --set "ports.websecure.transport.respondingTimeouts.writeTimeout=1800s"
+```
+
+> Note: Unlike ingress-nginx, Traefik does not support per-Ingress timeout annotations. Timeouts must be configured at the EntryPoint level or via advanced ServersTransport configuration. See the Traefik middleware.
 
 Finally, if you need to invoke a function for longer than one of your infrastructure components allows, then you should use an [asynchronous invocation](/reference/async). Asynchronous function invocations bypass these components because they are eventually invoked from the queue-worker, not the Internet. The queue-worker for OpenFaaS Standard will also retry invocations if required.
 

docs/tutorials/local-kind-ingress.md

@@ -2,7 +2,7 @@
 
 Most users will use port-forwarding to access the OpenFaaS gateway, it's the simplest option and works everywhere.
 
-However, in this tutorial, we will show you how to deploy OpenFaaS with ingress-nginx.
+However, in this tutorial, we will show you how to deploy OpenFaaS with Traefik ingress.
 
 When you use an Ingress Controller:
 
@@ -53,12 +53,12 @@ EOF
 kind create cluster --name openfaas --config kind-config.yaml
 ```
 
-## Install the ingress-nginx IngressController
+## Install the Traefik IngressController
 
-Use arkade, or [install ingress-nginx manually](https://kubernetes.github.io/ingress-nginx/deploy/).
+Use arkade, or [install Traefik manually](https://doc.traefik.io/traefik/getting-started/install-traefik/).
 
 ```sh
-arkade install ingress-nginx
+arkade install traefik2
 ```
 
 ## Install OpenFaaS with local Ingress enabled
@@ -77,7 +77,7 @@ ingress:
       serviceName: gateway
       servicePort: 8080
       path: /
-  ingressClassName: nginx
+  ingressClassName: traefik
 ```
 
 > Note: if you're migrating from an older version of Kubernetes, the `annotations.kubernetes.io/ingress.class` [annotation is deprecated](https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation), use `ingressClassName` instead.
@@ -103,4 +103,3 @@ faas-cli store deploy env
 
 faas-cli list
 ```
-