To install Traefik (v2) on Kubernetes, we will be using the official Traefik helm chart. This install also depends on our dynamic DNS provider, which allows network traffic into our cluster. If you haven't seen it already, be sure to check out my tutorial on DuckDNS on Kubernetes. You'll need it if you want externally accessible host names and free SSL certificates via LetsEncrypt. I will install Traefik to the `ingress` namespace on my cluster.
Configuration Values
Traefik requires a lot of custom configuration, since we need to teach it about our domain names, and which certificates we want it to request from LetsEncrypt. We also need to provide our DuckDNS token if we want a wildcard SSL certificate.
Here is an example of my traefik helm chart values:

```yaml
additionalArguments:
  - "--certificatesresolvers.letsencrypt.acme.storage=/certs/acme.json"
  # ACME account e-mail; {your-email-here} is a placeholder for your own address
  - "--certificatesresolvers.letsencrypt.acme.email={your-email-here}"
  - "--certificatesresolvers.letsencrypt.acme.dnsChallenge.provider=duckdns"
env:
  - name: DUCKDNS_TOKEN
    valueFrom:
      secretKeyRef:
        name: duckdns
        key: token
ingressRoute:
  dashboard:
    enabled: false
persistence:
  enabled: true
  path: /certs
  size: 128Mi
ports:
  websecure:
    tls:
      enabled: true
      certResolver: "letsencrypt"
      domains:
        - main: primary.duckdns.org
          sans:
            - "*.primary.duckdns.org"
        - main: secondary.duckdns.org
          sans:
            - "*.secondary.duckdns.org"
service:
  # The chart exposes the Service spec under service.spec
  spec:
    # Request this permanent IP address for traefik with MetalLB.
    # Kubernetes Master Node has this ip address mapped in /etc/avahi/hosts
    loadBalancerIP: 192.168.2.77
podSecurityContext:
  fsGroup: null # Temporary workaround for certificate file permissions
```
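The `persistence` block and the `acme.storage` argument above put Traefik's certificate store at `/certs/acme.json`, and the `fsGroup: null` workaround exists because Traefik refuses a store whose permissions are wider than 0600 (the file holds the ACME account key and every issued private key). The following Python script is an added example, not part of the original post or of Traefik itself: it checks the file mode the way Traefik does and summarises a parsed store. The sample store, its e-mail address and its PEM bodies are constructed placeholders; copy the real file out of the pod (for example with `kubectl cp`) to run it against your own cluster.

```python
import base64
import json
import os
import stat
import tempfile
from typing import Any, Dict


def store_mode_ok(path: str) -> bool:
    """Traefik rejects an acme.json readable by group or others: the file holds the
    ACME account key and every issued private key, so it must be mode 0600."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0


def inspect_acme_store(store: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise a parsed acme.json: one entry per resolver name (e.g. "letsencrypt"),
    listing the account e-mail and, per certificate, its domains and whether the
    base64 fields decode to PEM certificate / private key material."""
    report: Dict[str, Any] = {}
    for resolver, data in store.items():
        account = data.get("Account") or {}
        certs = []
        for entry in data.get("Certificates") or []:
            cert_pem = base64.b64decode(entry.get("certificate", "")).decode("ascii", "replace")
            key_pem = base64.b64decode(entry.get("key", "")).decode("ascii", "replace")
            certs.append({
                "main": entry["domain"]["main"],
                "sans": list(entry["domain"].get("sans") or []),
                "has_certificate": "-----BEGIN CERTIFICATE-----" in cert_pem,
                "has_private_key": "PRIVATE KEY-----" in key_pem,
            })
        report[resolver] = {"email": account.get("Email"), "certificates": certs}
    return report


def _fake_pem(label: str) -> str:
    """Constructed placeholder PEM body (not real key material), base64-encoded as in acme.json."""
    body = "-----BEGIN %s-----\nQUJD\n-----END %s-----\n" % (label, label)
    return base64.b64encode(body.encode()).decode()


# Constructed sample store in the shape Traefik v2 writes; the resolver name and
# domains match the values file above, the e-mail address is a placeholder.
SAMPLE_STORE = {
    "letsencrypt": {
        "Account": {"Email": "you@example.com", "KeyType": "4096"},
        "Certificates": [
            {"domain": {"main": "primary.duckdns.org", "sans": ["*.primary.duckdns.org"]},
             "certificate": _fake_pem("CERTIFICATE"), "key": _fake_pem("EC PRIVATE KEY"),
             "Store": "default"},
            # second entry deliberately lacks its key, as a failed/partial issuance would
            {"domain": {"main": "secondary.duckdns.org", "sans": ["*.secondary.duckdns.org"]},
             "certificate": _fake_pem("CERTIFICATE"), "key": "", "Store": "default"},
        ],
    }
}


def write_sample_store(mode: int) -> str:
    """Write SAMPLE_STORE to a temporary file with the given mode and return its path."""
    fd, path = tempfile.mkstemp(suffix="acme.json")
    with os.fdopen(fd, "w") as fh:
        json.dump(SAMPLE_STORE, fh)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    import sys
    # usage: python3 inspect_acme.py /path/to/acme.json  (defaults to the sample store)
    path = sys.argv[1] if len(sys.argv) > 1 else write_sample_store(0o600)
    print("mode ok:", store_mode_ok(path))
    with open(path) as fh:
        print(json.dumps(inspect_acme_store(json.load(fh)), indent=2))
```

Run it against a copy of the real store and a certificate entry with `has_private_key: false` or a `mode ok: False` line tells you why Traefik is complaining before you read through its logs.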
If you have a different Dynamic DNS provider, be sure to check the official docs for the list of supported providers along with how to configure them.
Notice that I keep my `DUCKDNS_TOKEN` as a Kubernetes secret for additional security.
You can create this same secret with the following command:

```sh
kubectl create secret generic duckdns --from-literal=token={your-token-here} -n ingress
```
After you have created this secret, if you intend to have SSL certificates generated for your cluster, you will want to ensure DuckDNS is configured and that at least port 443 is opened on your router and forwarded to your Traefik install.
This is the beauty of MetalLB: it lets us pick a load balancer IP address in its range (`192.168.2.77`), so the only place external network traffic is allowed to go is directly to Traefik.
With those additional bits configured, just run the helm install command:

```sh
# First time only
helm repo add traefik https://helm.traefik.io/traefik
# Subsequent times
helm repo update
helm upgrade --install -n ingress -f traefik-chart-values.yaml traefik traefik/traefik
```

The parameter after `-f` is the path to the values file we created above. This command installs or upgrades the `traefik/traefik` chart, to a release named `traefik`, in the `ingress` namespace, with our configuration file.
You'll want to tail the traefik logs after you install this, so that you can ensure it created your SSL certificates correctly. It will complain if it failed.
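One way to make that log check repeatable, as an added example (not code from the original post or from Traefik): parse the logfmt lines Traefik writes, keep the error-level ones that mention ACME, and pull out the affected domains, the resolver and the final reason. The sample lines are constructed to resemble Traefik's output (the permission and DNS-challenge failures are the two most common ones with this setup) and are not captured from a real cluster; the `kubectl logs` pipe in the comment is how you would feed real lines in.

```python
import re
import sys
from typing import Dict, Iterable, List

# Traefik v2 writes logrus logfmt: key=value or key="quoted, with \" escapes".
_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_DOMAINS_RE = re.compile(r'ACME certificate for domains "([^"]+)"')


def parse_logfmt(line: str) -> Dict[str, str]:
    """Split one Traefik log line into its fields, unescaping quoted values."""
    fields: Dict[str, str] = {}
    for key, raw in _FIELD_RE.findall(line):
        if raw.startswith('"'):
            raw = raw[1:-1].replace('\\"', '"').replace('\\n', '\n')
        fields[key] = raw
    return fields


def find_acme_failures(lines: Iterable[str]) -> List[Dict[str, object]]:
    """One finding per error-level line about ACME: the affected domains (empty when
    the error concerns the resolver itself rather than one certificate), the resolver
    name, and the final reason Traefik gives after the last ': ' in the message."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        f = parse_logfmt(line)
        msg = f.get("msg", "")
        if f.get("level") != "error" or "ACME" not in msg:
            continue
        m = _DOMAINS_RE.search(msg)
        findings.append({
            "time": f.get("time"),
            "domains": m.group(1).split(",") if m else [],
            "provider": f.get("providerName"),
            "reason": msg.rsplit(": ", 1)[-1].strip(),
        })
    return findings


# Constructed sample lines modelled on Traefik's log output, not captured from a real cluster.
SAMPLE_LOG = [
    r'time="2021-03-01T10:00:00Z" level=info msg="Configuration loaded from flags."',
    r'time="2021-03-01T10:00:01Z" level=error msg="The ACME resolver \"letsencrypt\" is skipped from the resolvers list because: unable to get ACME account: permissions 644 for /certs/acme.json are too open, please use 600"',
    r'time="2021-03-01T10:00:05Z" level=error msg="Unable to obtain ACME certificate for domains \"primary.duckdns.org,*.primary.duckdns.org\": unable to generate a certificate for the domains [primary.duckdns.org *.primary.duckdns.org]: error: one or more domains had a problem:\n[primary.duckdns.org] time limit exceeded: last error: NXDOMAIN for _acme-challenge.primary.duckdns.org" providerName=letsencrypt.acme routerName=websecure-ingress-traefik-dashboard-external@kubernetescrd',
]


if __name__ == "__main__":
    # e.g.  kubectl logs -n ingress deploy/traefik | python3 acme_errors.py
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for finding in find_acme_failures(source):
        print(finding)
```

An empty `domains` list with a permissions reason points at the `acme.json` store itself (the `fsGroup` workaround in the values file), while an NXDOMAIN on `_acme-challenge.<domain>` means the DNS-01 record was never published, so the DuckDNS token or provider setting is the place to look.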
After you've installed Traefik, you'll have new custom resource definitions (CRDs), which extend the Kubernetes API with Traefik's own resource types. Traefik's CRDs make it easier than ever to add new ingresses to your cluster. Here's an example of how we might expose the Traefik dashboard:

```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-external
  namespace: ingress
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`traefik.primary.duckdns.org`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: external-admin
  tls:
    certResolver: letsencrypt
    domains:
      - main: primary.duckdns.org
        sans: ["*.primary.duckdns.org"]
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: external-admin
  namespace: ingress
spec:
  basicAuth:
    secret: external-traefik-secret
```
`IngressRoute` and `Middleware` are both from the Traefik CRDs; they give us host / path matching, along with custom rules to apply to an incoming request.
Let's break down this configuration. We expose https://traefik.primary.duckdns.org on a few paths and tell Traefik to route those requests to the Traefik dashboard. We tell it which certificate to use, and since we have a wildcard certificate, our sub-domain is covered by our main primary certificate. Next, since we are exposing potentially sensitive information to the internet, we add a middleware that requires basic auth to access this page. I do not recommend exposing the Traefik dashboard unprotected; this is just an example.
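Whether the wildcard really covers a given host is worth checking before exposing a route, because `*.primary.duckdns.org` covers exactly one extra label: `traefik.primary.duckdns.org` yes, `a.b.primary.duckdns.org` no. The following is an added example (my code, not part of the original post or of Traefik): it pulls the `Host()` names out of an IngressRoute rule and tests each against the `tls.domains` entries using the standard wildcard rule. `RULE` and `TLS_DOMAINS` are copied from the manifest above; the check generalises to rules with several hosts and to several `domains` entries.

```python
import re
from typing import Dict, Iterable, List

# Copied from the IngressRoute above: the router rule and its tls.domains list.
RULE = "Host(`traefik.primary.duckdns.org`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))"
TLS_DOMAINS = [{"main": "primary.duckdns.org", "sans": ["*.primary.duckdns.org"]}]

_HOST_RE = re.compile(r"Host\(([^)]*)\)")


def hosts_from_rule(rule: str) -> List[str]:
    """Pull every host name out of the Host(`a`, `b`) matchers in a Traefik rule."""
    hosts: List[str] = []
    for group in _HOST_RE.findall(rule):
        for raw in group.split(","):
            hosts.append(raw.strip().strip("`'\"").lower())
    return hosts


def cert_covers(main: str, sans: Iterable[str], host: str) -> bool:
    """True if a certificate issued for `main` plus `sans` is valid for `host`.
    A wildcard matches exactly one label (RFC 6125 section 6.4.3), so
    *.primary.duckdns.org covers traefik.primary.duckdns.org but neither
    primary.duckdns.org itself nor a.b.primary.duckdns.org."""
    host = host.lower().rstrip(".")
    for name in [main, *sans]:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".primary.duckdns.org"
            label = host[: -len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


def check_route(rule: str, tls_domains: List[Dict[str, object]]) -> Dict[str, bool]:
    """Map each host in the rule to whether some tls.domains entry covers it.
    A False means clients connecting with that SNI name would not be handed a
    certificate whose names match the host they asked for."""
    return {
        host: any(cert_covers(str(d["main"]), d.get("sans") or [], host) for d in tls_domains)
        for host in hosts_from_rule(rule)
    }


if __name__ == "__main__":
    for host, ok in check_route(RULE, TLS_DOMAINS).items():
        print(f"{host}: {'covered' if ok else 'NOT covered'}")
```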
You can read up on this here - IngressRoute and here - Middleware. The Traefik docs in general are excellent for additional things you need to do!
If you're still with me, following along from the k3s master post, you now have the core of an awesome home server! 🎉
If you've stuck with me this long, I thank you, and I truly hope this multi-part series was useful and helpful for you!