Home Configuring Traefik 2 Ingress for Kubernetes
Post
Cancel

Configuring Traefik 2 Ingress for Kubernetes

About

Note: There is an updated tutorial on installing traefik + cert-manager on Kubernetes here. However, if you want to store your certificates on disk, this tutorial here is perfectly fine.

This guide is for installing traefik 2 on k3s. If you’re not using rancher, that’s fine, just skip to Reconfiguring k3s

It assumes you have followed:

There is a little bit of “undoing” we’ll have to do since k3s ships with traefik and Rancher doesn’t play well with service load balancer. So, we’ll pick up after instaling these two.

Reconfigure Rancher

Make note of your version of Rancher

Remove Rancher

1
helm uninstall rancher

Install Rancher

(replace with version above)

1
2
3
4
helm install rancher rancher-stable/rancher \
  --namespace cattle-system \
  --set hostname=rancher.example.com \
  --version 2.5.6

Reconfiguring k3s

Get the version of k3s that’s currently running

1
2
k3s --version
export INSTALL_K3S_VERSION=v1.20.5+k3s1

Run the same command you ran initially to install k3s on your servers but add --disable traefik --disable servicelb and be sure to set your version.

example (be sure you are using the right version)

1
export INSTALL_K3S_VERSION=v1.20.5+k3s1
1
curl -sfL https://get.k3s.io | sh -s - server --node-taint CriticalAddonsOnly=true:NoExecute --tls-san your.load.balancer.ip --write-kubeconfig-mode 644 --disable traefik --disable servicelb

This should reconfigure your servers. Just run it on all server nodes, not agent nodes.

Install Metal LB

Metal LB installation

You can follow Self-Hosting Your Homelab Services with SSL to get the idea of Metal LB. It’s recommended to:

Exposing Rancher directly to your Metal LB

It’s a good idea to do this until traefik is configured otherwise you won’t have access to the Rancher UI

1
kubectl expose deployment rancher -n cattle-system --type=LoadBalancer --name=rancher-lb --port=443

Then, you can access Rancher UI after getting external-IP

1
kubectl get service/rancher-lb -n cattle-system

Install Traefik 2

You can can choose between creating Ingress in Rancher or IngresRoute with traefik

If you choose IngressRoute see IngressRoute otherwise continue on.

  • You must have a persistent volume set up already for acme.json certificate
  • This uses cloudflare, check providers if you want to switch
  • This will get wildcard certs
  • This is pointed at staging, if you want production be sure comment staging the line (and delete your staging certs)

We will be installing this into the kube-system namespace, which already exists. If you are going to use anther namespace you will need change it everywhere.

(Optional) Make sure that persistent volume claim is available

The dynamic configuration for Traefik is stored in a persistent volume. If you want to persist the certificate, it’s better to create one now to claim later.

To create a persistent volume, it’s better to check out Cloud Native Distributed Storage in Kubernetes with Longhorn.

If not, just create one from Rancher UI > Clusters (Choose your cluster) > Storage > Persistent Volume > Add volume

Add traefik helm repo and update

1
2
helm repo add traefik https://helm.traefik.io/traefik
helm repo update

Edit & apply ConfigMap

  • Create traefik-config.yaml with the contents of /config/traefik-config.yaml from /config
  • This holds our cloudflare secrets along with a configmap
  • Update this file with your values
  • Re-check if you have a persistent volume ready to claim
  • Apply the config
1
kubectl apply -f traefik-config.yaml

Edit & install Traefik helm chart

  • Create traefik-chart-values.yaml with the contents of /config/traefik-chart-values.yaml from /config
  • Update loadBalancerIP in traefik-chart-values.yaml with your Metal LB IP

Before running this, be sure you only have one default storage class set.

If you are using Rancher it is Cluster > Storage > Storage Classes. Make sure only one is default.

  • Install Traefik with chart values
1
helm install traefik traefik/traefik --namespace=kube-system --values=traefik-chart-values.yaml

More configuration value can be add from this default-value.yaml from Traefik github.

If all went well, you should now have traefik 2 installed and configured.

Check for container logs

To check if the Traefik instance is running correctly, see the logs:

1
kubectl -n kube-system logs $(kubectl -n kube-system get pods --selector "app.kubernetes.io/name=traefik" --output=name)

It should be level=info msg="Configuration loaded from flags."

Traefik Dashboard

To see all router to Traefik, we can install and expose Traefik Dashboard.

First you will need htpassword to generate a password for your dashboard.

1
2
sudo apt-get update
sudo apt-get install apache2-utils

You can then generate one using this, be sure to swap your username and password.

1
htpasswd -nb techno password | openssl base64

It should output:

1
dGVjaG5vOiRhcHIxJFRnVVJ0N2E1JFpoTFFGeDRLMk8uYVNaVWNueG41eTAKCg==

Save this in a secure place, it will be the password you use to access the traefik dashboard.

Copy traefik-dashboard-secret.yaml locally and update it with your credentials.

Copy traefik-dashboard-ingressroute.yaml and update it with your hostname, then apply:

1
2
kubectl apply -f traefik-dashboard-secret.yaml
kubectl apply -f traefik-dashboard-ingressroute.yaml

This should create:

  • A secret in Kubernetes cluster name traefik-dashboard-auth
  • A middleware for Traefik name traefik-dashboard-basicauth
  • An ingress route for Traefik name dashboard

Check out the Traefik Dashboard with the URL you specify earlier.

Exposing a service with traefik and Rancher Ingress

In Rancher go to Load Balancing

  • create ingress
  • choose a host name (service.example.com)
  • choose a target (your workload)
  • set the port to the exposed port within the container
  • go to labels and annotations and add kubernetes.io/ingress.class = traefik-external
  • note, traefik-external comes from --providers.kubernetesingress.ingressclass=traefik-external in traefik-chart-values.yml. If you used something else, you will need to set your label properly.
  • when you visit your website (https://service.example.com) you should now see a certificate issues. If it’s a staging cert, see the note about switching to production in traefik-chart-values.yaml. After changing, you will need to delete your certs in storage and reapply that file
1
2
kubectl delete -n kube-system persistentvolumeclaims acme-json-certs
kubectl apply -f traefik-config.yaml

Exposing a service with traefik IngressRoute

copy the contents of config-ingress-route/kubernetes to your local machine

then run

1
kubectl apply -f kubernetes

This will create the deployment, service, and ingress.

See all the hardware I recommend at https://l.technotim.live/gear

Don’t forget to check out the 🚀Launchpad repo with all of the quick start source files.

This post is licensed under CC BY 4.0 by the author.