Replace ingress-nginx references with Traefik

Update documentation across multiple pages to recommend Traefik
as the default ingress controller instead of ingress-nginx:

- Switch ingress controller references from nginx to Traefik
- Update installation commands to use arkade install traefik2
- Replace nginx-specific annotations with Traefik equivalents
- Update ingressClassName from nginx to traefik
- Add Traefik timeout configuration guide

Signed-off-by: Han Verstraete (OpenFaaS Ltd) <han@openfaas.com>

Author: welteki

docs/architecture/production.md

@@ -193,9 +193,7 @@ Whether you need to configure new networking for your OpenFaaS deployments, or i
 
 It is recommended that you use an IngressController and TLS so that traffic between your clients and your OpenFaaS Gateway is encrypted.
 
-You may already have opinions about what IngressController you want to use, the maintainers like to use Nginx given its broad adoption and relative ubiquity.
-
-> See also: [Nginx IngressController](https://github.com/kubernetes/ingress-nginx) 
+> See also: [Traefik Proxy](https://doc.traefik.io/traefik/) 
 
 Heptio Contour also includes automatic retries and additional Ingress extensions which you may find useful:
 

docs/deployment/kubernetes.md

@@ -74,7 +74,7 @@ There are three recommended ways to install OpenFaaS and you can pick whatever m
 
 #### 1) Deploy the Chart with `arkade` (fastest option)
 
-The `arkade install` command installs OpenFaaS using its official helm chart. arkade can also install other important software for OpenFaaS users such as `cert-manager` and `nginx-ingress`. It's the easiest and quickest way to get up and running.
+The `arkade install` command installs OpenFaaS using its official helm chart. arkade can also install other important software for OpenFaaS users such as `cert-manager` and `traefik`. It's the easiest and quickest way to get up and running.
 
 You can use [arkade](https://arkade.dev/) to install OpenFaaS to a regular cloud cluster, your laptop, a VM, a Raspberry Pi, or a 64-bit Arm machine.
 
@@ -197,7 +197,7 @@ Also, ensure any [default load-balancer timeouts within GKE](https://cloud.googl
 To enable TLS while using Helm, try one of the following references:
 
 * [Get TLS for OpenFaaS the easy way with arkade](https://blog.alexellis.io/tls-the-easy-way-with-openfaas-and-k3sup/)
-* [Configure TLS with nginx-ingress and cert-manager](/reference/tls-openfaas)
+* [Configure TLS with Traefik and cert-manager](/reference/tls-openfaas)
 
 ### Setting an Image Pull Policy for your functions
 

docs/reference/tls-openfaas.md

@@ -26,22 +26,24 @@ If you are running on a local or private network, you can use [inlets-operator](
 
 ### Set up an Ingress Controller
 
-We recommend ingress-nginx for OpenFaaS, however any Ingress controller will work, or you can use Istio with separate instructions.
+We recommend Traefik for OpenFaaS, however any Ingress controller will work, or you can use Istio with separate instructions.
 
-To install ingress-nginx, use either the Helm chart, or arkade:
+To install Traefik, use either the Helm chart, or arkade:
 
 ```sh
-$ arkade install ingress-nginx
+$ arkade install traefik2
 ```
 
-See also: [ingress-nginx installation](https://kubernetes.github.io/ingress-nginx/deploy/)
+See also: [Traefik installation](https://doc.traefik.io/traefik/getting-started/install-traefik/)
 
 
 #### Timeouts for synchronous invocations
 
 Despite configuring OpenFaaS and your functions for [extended timeouts](/tutorials/expanded-timeouts.md), you may find that your Ingress Controller, Istio Gateway, or Cloud Load Balancer implements its own timeouts on connections. If you think you have everything configured correctly for OpenFaaS, but see a timeout at a very specific number such as 30s or 60s, then check the timeouts on your Ingress Controller or Load Balancer.
 
-For Ingress Nginx, to extend a synchronous invocation beyond one minute, add the `nginx.ingress.kubernetes.io/proxy-read-timeout` annotation to your Ingress resource. This annotation is specified in seconds - for example, to extend the timeout to 30 minutes, use `nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"`. 
+For Traefik, timeouts are typically configured at the EntryPoint level in the static configuration. See the [expanded timeouts guide](/tutorials/expanded-timeouts.md#load-balancers-ingress-and-service-meshes) for more details on configuring Traefik timeouts.
+
+Ingress Nginx is now a retired project and should not be used for new installations. If you are still using Ingress Nginx, to extend a synchronous invocation beyond one minute, add the `nginx.ingress.kubernetes.io/proxy-read-timeout` annotation to your Ingress resource. This annotation is specified in seconds - for example, to extend the timeout to 30 minutes, use `nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"`.
 
 ### Install cert-manager
 
@@ -80,7 +82,7 @@ spec:
     - selector: {}
       http01:
         ingress:
-          class: nginx
+          class: traefik
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
@@ -97,7 +99,7 @@ spec:
     - selector: {}
       http01:
         ingress:
-          class: nginx
+          class: traefik
 ---
 
 EOF
@@ -113,13 +115,13 @@ $ kubectl apply -f issuer.yaml
 
 You will need to create an A or CNAME record for your domain, pointing to the public IP address of your Ingress controller.
 
-If you created the Ingress Controller with arkade, you'll see a new service in the default namespace called `ingress-nginx-controller`. You can find the public IP address with:
+If you created the Ingress Controller with arkade, you'll see a new service in the kube-system namespace called `traefik. You can find the public IP address with:
 
 ```sh
-$ kubectl get svc -n default ingress-nginx-controller
+$ kubectl get svc/traefik -n kube-system
 
-NAME                       TYPE           CLUSTER-IP   EXTERNAL-IP     PORT(S)                      AGE
-ingress-nginx-controller   LoadBalancer   10.43.87.4   18.136.136.18   80:31876/TCP,443:30108/TCP   28d
+NAME      TYPE           CLUSTER-IP   EXTERNAL-IP     PORT(S)                      AGE
+traefik   LoadBalancer   10.43.87.4   18.136.136.18   80:31876/TCP,443:31706/TCP   28d
 ```
 
 Take the IP address from the `EXTERNAL-IP` column and create an A record for your domain in your domain management software, or a CNAME record if you're using AWS EKS, and see a domain name in this field.
@@ -129,18 +131,17 @@ All users should create an entry for: `gateway.example.com` and then OpenFaaS da
 ### Configure TLS for the OpenFaaS gateway
 
 You can now configure the OpenFaaS gateway to use TLS by setting the following Helm values, you can save them in a file called `tls.yaml`:
-
+ 
 ```sh
 export DOMAIN="gw.example.com"
-export NGINX_TIMEOUT_SECS="1800" # 30 minutes
 
 cat > tls.yaml <<EOF
 ingress:
   enabled: true
-  ingressClassName: nginx
+  ingressClassName: traefik
   annotations:
     cert-manager.io/issuer: letsencrypt-prod
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "$NGINX_TIMEOUT_SECS"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
   tls:
     - hosts:
         - $DOMAIN
@@ -159,10 +160,12 @@ ingress:
 EOF
 ```
 
-If you're using something other than ingress-nginx, then change the `ingressClassName` field accordingly. Note that the `kubernetes.io/ingress.class` annotation is deprecated and should not be used.
+If you're using something other than Traefik, then change the `ingressClassName` field accordingly. Note that the `kubernetes.io/ingress.class` annotation is deprecated and should not be used.
 
 The `cert-manager.io/issuer` annotation is used to pick between the staging and production Issuers for Let's Encrypt. If this is your first time working with cert-manager, you may want to use the staging issuer first to avoid running into rate limits if you have something misconfigured.
 
+> Note: For extended timeouts beyond Traefik's defaults, see the [expanded timeouts guide](/tutorials/expanded-timeouts.md#load-balancers-ingress-and-service-meshes) for information on configuring Traefik's EntryPoint timeouts.
+
 Now upgrade OpenFaaS via helm, use any custom values.yaml files that you have saved from a previous installation:
 
 ```sh
@@ -182,15 +185,14 @@ Edit the previous example:
 ```sh
 export DOMAIN="gw.example.com"
 export DOMAIN_DASHBOARD="dashboard.example.com"
-export NGINX_TIMEOUT_SECS="1800" # 30 minutes
 
 cat > tls.yaml <<EOF
 ingress:
   enabled: true
-  ingressClassName: nginx
+  ingressClassName: traefik
   annotations:
     cert-manager.io/issuer: letsencrypt-prod
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "$NGINX_TIMEOUT_SECS"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
   tls:
     - hosts:
         - $DOMAIN

docs/tutorials/expanded-timeouts.md

@@ -86,7 +86,17 @@ AWS EKS is configured to use an [Elastic Load Balancer (ELB)](https://aws.amazon
 
 Google Cloud's various Load Balancer options have their [own configuration options too](https://cloud.google.com/load-balancing/docs/https).
 
-For Ingress Nginx, set the `nginx.ingress.kubernetes.io/proxy-read-timeout` annotation to extend the timeout. This annotation is specified in seconds - for example, to extend the timeout to 30 minutes, use `nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"`.
+For Traefik, see [Configuring Traefik timeouts](#configuring-traefik-timeouts) below.
+
+Ingress Nginx is now a retired project and should not be used for new installations. If you are still using it, set the `nginx.ingress.kubernetes.io/proxy-read-timeout` annotation to extend the timeout. This annotation is specified in seconds - for example, to extend the timeout to 30 minutes, use `nginx.ingress.kubernetes.io/proxy-read-timeout: "1800"`.
+
+### Configuring Traefik timeouts
+
+Traefik has two separate sets of timeouts to be aware of:
+
+**Client-to-Traefik (EntryPoints)** - configured in the static configuration (CLI flags or Helm values). Controls how long Traefik waits for the client to send a request or receive a response. The key fields are `readTimeout` (default 60s), `writeTimeout` (default 0s) and `idleTimeout` (default 180s). See [EntryPoints - RespondingTimeouts](https://doc.traefik.io/traefik/routing/entrypoints/#respondingtimeouts).
+
+**Traefik-to-App (ServersTransport)** - configured in the dynamic configuration using a [ServersTransport CRD](https://doc.traefik.io/traefik/reference/routing-configuration/kubernetes/crd/http/serverstransport/), and referenced via the `traefik.ingress.kubernetes.io/service.serverstransport` annotation on the Ingress. By default there is no timeout on how long Traefik waits for a backend to respond (`responseHeaderTimeout` is 0s). Consider setting `responseHeaderTimeout` to match the gateway's `upstreamTimeout` so that Traefik returns a 504 quickly when a function hangs, rather than waiting indefinitely.
 
 Finally, if you need to invoke a function for longer than one of your infrastructure components allows, then you should use an [asynchronous invocation](/reference/async). Asynchronous function invocations bypass these components because they are eventually invoked from the queue-worker, not the Internet. The queue-worker for OpenFaaS Standard will also retry invocations if required.
 

docs/tutorials/local-kind-ingress.md

@@ -2,7 +2,7 @@
 
 Most users will use port-forwarding to access the OpenFaaS gateway, it's the simplest option and works everywhere.
 
-However, in this tutorial, we will show you how to deploy OpenFaaS with ingress-nginx.
+However, in this tutorial, we will show you how to deploy OpenFaaS with Traefik ingress.
 
 When you use an Ingress Controller:
 
@@ -53,12 +53,12 @@ EOF
 kind create cluster --name openfaas --config kind-config.yaml
 ```
 
-## Install the ingress-nginx IngressController
+## Install the Traefik IngressController
 
-Use arkade, or [install ingress-nginx manually](https://kubernetes.github.io/ingress-nginx/deploy/).
+Use arkade, or [install Traefik manually](https://doc.traefik.io/traefik/getting-started/install-traefik/).
 
 ```sh
-arkade install ingress-nginx
+arkade install traefik2
 ```
 
 ## Install OpenFaaS with local Ingress enabled
@@ -77,7 +77,7 @@ ingress:
       serviceName: gateway
       servicePort: 8080
       path: /
-  ingressClassName: nginx
+  ingressClassName: traefik
 ```
 
 > Note: if you're migrating from an older version of Kubernetes, the `annotations.kubernetes.io/ingress.class` [annotation is deprecated](https://kubernetes.io/docs/concepts/services-networking/ingress/#deprecated-annotation), use `ingressClassName` instead.
@@ -103,4 +103,3 @@ faas-cli store deploy env
 
 faas-cli list
 ```
-