Traefik on Kubernetes

Traefik on k3s

By Bwvolleyball | Awesome Self-Hosted | 6 Apr 2021

To install Traefik (v2) on Kubernetes, we will be using the official Traefik helm chart. This install will also depend on our dynamic DNS provider, which allows network traffic into our cluster. If you haven't seen it already, be sure to check out my tutorial on DuckDNS on Kubernetes. You'll need this if you want externally accessible host names, and free SSL certificates via LetsEncrypt. I will install Traefik to the ingress namespace on my cluster.

Configuration Values

Traefik requires a lot of custom configuration, since we need to teach it about our domain names, and which certificates we want it to request from LetsEncrypt.  We also need to provide our DuckDNS token if we want a wildcard SSL certificate.

Here is an example of my traefik helm chart values:

  - ""
  - "[email protected]"
  - "--certificatesresolvers.letsencrypt.acme.dnsChallenge.provider=duckdns"
        name: duckdns
        key: token
    enabled: false
  enabled: true
  path: /certs
  size: 128Mi
  enabled: true
  certResolver: "letsencrypt"
    - main:
        - "*"
    - main:
        - "*"
  # Request this permanent IP address for traefik with MetalLB.
  # Kubernetes Master Node has this ip address mapped in /etc/avahi/hosts

  fsGroup: null # Temporary workaround for certificate file permissions

If you have a different Dynamic DNS provider, be sure to check the official docs for the list of supported providers along with how to configure

Notice that I keep my DUCKDNS_TOKEN as a Kubernetes secret for additional security.

You can create this same secret with the following command:

kubectl create secret generic duckdns --from-literal=token={your-token-here} -n ingress

After you have created this secret, if you intend to have SSL certificates generated for your cluster, you will want to ensure you have DuckDNS configured, and at least port 443 opened on your router, and pointed to your Traefik install.

This is the beauty of MetalLB - it allows us to pick a load balancer IP address in it's range -, and so the only place external network traffic is allowed to go is directly to Traefik.

With those additional bits configured, just run the helm install command:


# First time only

helm repo add traefik

#Subsequent times

helm repo update
helm upgrade --install -n ingress -f traefik-chart-values.yaml traefik traefik/traefik


The parameter after the -f is the path to the values file we created above.  This command installs or upgrades the traefik/traefik chart, to a release named traefik, in the ingress namespace, with our configuration file.

You'll want to tail the traefik logs after you install this, so that you can ensure it created your SSL certificates correctly. It will complain if it failed.

After you've installed Traefik, you'll have new cluster resource definitions (CRDs), which are special means of interacting with your Kubernetes cluster.  Traefik's CRDs make it easier than ever to add new ingresses to your cluster.  Here's an example of how we might expose the Traefik dashboard:

kind: IngressRoute
  name: traefik-dashboard-external
  namespace: ingress
    - web
    - websecure
    - match: Host(``) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
        - name: api@internal
          kind: TraefikService
        - name: external-admin
    certResolver: letsencrypt
      - main:
        sans: [ "*"]
kind: Middleware
  name: external-admin
  namespace: ingress
    secret: external-traefik-secret

IngressRoute and Middleware are both from the Traefik CRDs, but it allows us host / path matching, along with custom rules to apply to an incoming request.

Let's break down this configuration.  We expose with a few paths, and tell Traefik to route those requests to the Traefik Dashboard.  We tell it which certificate to use, and since we have a wildcard certificate, our sub-domain is covered under our main primary certificate.  Next, since we are exposing potentially sensitive information to the internet, we add a middleware to require basic auth to access this page.  I do not recommend exposing the Traefik dashboard unprotected, this is just an example.

You can read up on this here - IngressRoute and here - Middleware.  The Traefik docs in general are excellent for additional things you need to do!

If you're still with me, following along from the k3s master post, you now have the core of an awesome home server! 🎉

If you've stuck with me this long, I thank you, and I truly hope this multi-part series was useful and helpful for you!


How do you rate this article?



I am a software engineer by trade, with 7 years of experience in the industry. I have a Master's degree in the field as well. I love all things technology, from smart home things, to cryptocurrency. If there is code, you will find me there!

Awesome Self-Hosted
Awesome Self-Hosted

I run a self-hosted Kubernetes cluster in my basement, and I'd love to share all the neat things I've done here! This blog will contain different topics from my core setup, to fun things I'm running on my cluster and how I use these tools to stay productive! Are you a self-hoster? Let me know in the comments! The best thing about self-hosting is that it's your rules, your way! Technology is fun!

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.