Note: There is an updated tutorial on installing traefik + cert-manager on Kubernetes here. However, if you want to store your certificates on disk, this tutorial here is perfectly fine.
This guide is for installing traefik 2 on k3s. If you’re not using rancher, that’s fine, just skip to
It assumes you have followed:
- Fully Automated K3S etcd High Availability Install
- (or) HIGH AVAILABILITY k3s (Kubernetes) in minutes!
- (if you need rancher) High Availability Rancher on a Kubernetes Cluster
There is a little bit of “undoing” we’ll have to do, since k3s ships with traefik and Rancher doesn’t play well with the service load balancer. So, we’ll pick up after installing these two.
Make note of your version of Rancher, then uninstall it:

```bash
helm uninstall rancher
```

Reinstall Rancher (replace the version with the one you noted above):

```bash
helm install rancher rancher-stable/rancher \
  --namespace cattle-system \
  --set hostname=rancher.example.com \
  --version 2.5.6
```
Get the version of k3s that’s currently running and export it:

```bash
k3s --version
export INSTALL_K3S_VERSION=v1.20.5+k3s1
```
Run the same command you ran initially to install k3s on your servers, but add `--disable traefik --disable servicelb` and be sure to set your version.

Example (be sure you are using the right version):

```bash
export INSTALL_K3S_VERSION=v1.20.5+k3s1
curl -sfL https://get.k3s.io | sh -s - server \
  --node-taint CriticalAddonsOnly=true:NoExecute \
  --tls-san your.load.balancer.ip \
  --write-kubeconfig-mode 644 \
  --disable traefik --disable servicelb
```
This should reconfigure your servers. Just run it on all server nodes, not agent nodes.
You can follow Self-Hosting Your Homelab Services with SSL to get the idea of Metal LB. It’s recommended to:
It’s a good idea to expose Rancher through a LoadBalancer service until traefik is configured; otherwise you won’t have access to the Rancher UI:

```bash
kubectl expose deployment rancher -n cattle-system --type=LoadBalancer --name=rancher-lb --port=443
```

Then you can access the Rancher UI once the service has an external IP:

```bash
kubectl get service/rancher-lb -n cattle-system
```
You can choose between creating an Ingress in Rancher or an IngressRoute. If you choose IngressRoute, see the IngressRoute section; otherwise continue on.
- You must have a persistent volume set up already for the certificate storage
- This uses Cloudflare as the DNS provider; check the providers list if you want to switch
- This will get wildcard certs
- This is pointed at staging; if you want production, be sure to comment out the staging line (and delete your staging certs)
We will be installing this into the `kube-system` namespace, which already exists. If you are going to use another namespace you will need to change it everywhere.
The dynamic configuration for Traefik is stored in a persistent volume. If you want to persist the certificates, create a persistent volume now so it can be claimed later.
To create a persistent volume, it’s better to check out Cloud Native Distributed Storage in Kubernetes with Longhorn.
If not, just create one from Rancher UI > Clusters (Choose your cluster) > Storage > Persistent Volume > Add volume.
Add the Traefik helm repo:

```bash
helm repo add traefik https://helm.traefik.io/traefik
helm repo update
```
Create `traefik-config.yaml` with the contents of
- This holds our cloudflare secrets along with a configmap
- Update this file with your values
- Re-check that you have a persistent volume ready to claim
- Apply the config:

```bash
kubectl apply -f traefik-config.yaml
```
Create `traefik-chart-values.yaml` with the contents of
Update `traefik-chart-values.yaml` with your Metal LB IP.
Before running this, be sure you only have one default storage class set. If you are using Rancher, it is under Cluster > Storage > Storage Classes. Make sure only one is default.
- Install Traefik with the chart values:

```bash
helm install traefik traefik/traefik --namespace=kube-system --values=traefik-chart-values.yaml
```
More configuration values can be added; see the default-value.yaml in the Traefik GitHub repo.
If all went well, you should now have traefik 2 installed and configured.
To check that the Traefik instance is running correctly, see the logs:

```bash
kubectl -n kube-system logs $(kubectl -n kube-system get pods --selector "app.kubernetes.io/name=traefik" --output=name)
```

It should show:

```
level=info msg="Configuration loaded from flags."
```
To see all routers in Traefik, we can install and expose the Traefik Dashboard.
First you will need `htpasswd` to generate a password for your dashboard:

```bash
sudo apt-get update
sudo apt-get install apache2-utils
```

You can then generate one using this; be sure to swap in your username and password:

```bash
htpasswd -nb techno password | openssl base64
```
It should output:
Save this in a secure place, it will be the password you use to access the traefik dashboard.
Create `traefik-dashboard-secret.yaml` locally and update it with your credentials.
Create `traefik-dashboard-ingressroute.yaml` and update it with your hostname, then apply:

```bash
kubectl apply -f traefik-dashboard-secret.yaml
kubectl apply -f traefik-dashboard-ingressroute.yaml
```

This should create:
- A secret in the Kubernetes cluster named
- A middleware for Traefik named
- An IngressRoute for Traefik named
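As an added example (not the tutorial's own `traefik-dashboard-secret.yaml` / `traefik-dashboard-ingressroute.yaml`), here is what those three objects look like together in the `kube-system` namespace, and why the `htpasswd` output was piped through `openssl base64`: a Secret's `data` field must be base64. The object names, the hostname `traefik.example.com`, the `websecure` entrypoint and the `cloudflare` certResolver name are assumptions, and the `users` value is a constructed placeholder.

```yaml
# Added example, not the tutorial's files. Names, hostname, entrypoint
# and certResolver are assumptions; adjust to your chart values.
apiVersion: v1
kind: Secret
metadata:
  name: traefik-dashboard-auth
  namespace: kube-system
type: Opaque
data:
  # Constructed placeholder: base64 of "techno:$apr1$...", i.e. the
  # output of `htpasswd -nb techno password | openssl base64`.
  # Traefik's basicAuth middleware reads the "users" key of the Secret.
  users: dGVjaG5vOiRhcHIxJC4uLgo=
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-dashboard-basicauth
  namespace: kube-system
spec:
  basicAuth:
    secret: traefik-dashboard-auth
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: kube-system
spec:
  entryPoints:
    # HTTPS only: the basic-auth credentials would otherwise travel in
    # clear text on the plain "web" entrypoint.
    - websecure
  routes:
    - match: Host(`traefik.example.com`)
      kind: Rule
      middlewares:
        - name: traefik-dashboard-basicauth
      services:
        # api@internal is Traefik's built-in dashboard/API service
        - name: api@internal
          kind: TraefikService
  tls:
    # Must match the certificate resolver name in your chart values
    certResolver: cloudflare
```

The middleware is what puts the dashboard behind a login; without it, `api@internal` is reachable by anyone who can resolve the hostname.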
Check out the Traefik Dashboard with the URL you specified earlier.
In Rancher go to Load Balancing:
- create an ingress
- choose a host name (service.example.com)
- choose a target (your workload)
- set the port to the exposed port within the container
- go to labels and annotations and add the annotation that matches your `traefik-chart-values.yml`. If you used something else, you will need to set your label properly.
- when you visit your website (https://service.example.com) you should now see a certificate issued. If it’s a staging cert, see the note about switching to production in `traefik-chart-values.yaml`. After changing it, you will need to delete your certs in storage and reapply that file:

```bash
kubectl delete -n kube-system persistentvolumeclaims acme-json-certs
kubectl apply -f traefik-config.yaml
```
Copy the contents of `config-ingress-route/kubernetes` to your local machine and apply it:

```bash
kubectl apply -f kubernetes
```

This will create the deployment, service, and ingress.
See all the hardware I recommend at https://l.technotim.live/gear
Don’t forget to check out the 🚀Launchpad repo with all of the quick start source files.