Guest post by Traefik Ambassador, Robin Scherrer and Daniele Di Rosa aka Containeroo.
When we started our container journey with Docker some years ago, we looked for an easy-to-configure reverse proxy to expose our services to the internet. Daniele had seen a video about the best Docker projects in which Emile Vauge, founder of Traefik, gave a presentation about Traefik, and we decided to give Traefik a shot. We started with Traefik 1.x and moved to Traefik 2.0 a couple of years later.
When Traefik 2.0 was released, we spent the weekend figuring out how it works, and the next week we decided to help others have a great "getting started" experience by writing a simple step-by-step guide. And, with our roles on the Kubernetes team at work, we went on to replace the existing reverse proxy, Ambassador, with Traefik.
In this tutorial, we will show you how to install and configure Traefik using the official Helm chart. We will also show you how to configure Traefik with Cloudflare. This makes wildcard Let's Encrypt certificates possible.
Helm makes it easy to deploy applications onto your Kubernetes cluster. Even though Traefik supports both the standard Ingress resource and its own IngressRoute CRD, we prefer the CRD: configuring the same behaviour through Ingress objects results in a lot of annotations.
You will need:
- a Kubernetes cluster
- Helm (see the official Helm docs)
- a kubeconfig file so that Helm can access your Kubernetes cluster
Prepare Helm Chart
First, you’ll need to add the official Helm repository to your Helm client. You can do that by issuing the following command:
```shell
helm repo add traefik https://helm.traefik.io/traefik
helm repo update
```
In order to configure the Helm chart, you'll need to specify certain values. You can find all the possible values in the chart's `values.yaml`.
Open your favourite editor and set the values you want to change. Here is an example `traefik-chart-values.yaml`:
```yaml
additionalArguments:
  - --providers.file.filename=/data/traefik-config.yaml
  - --entrypoints.websecure.http.tls.certresolver=cloudflare
  - --entrypoints.websecure.http.tls.domains.main=example.com
  - --entrypoints.websecure.http.tls.domains.sans=*.example.com
  - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
  - --certificatesresolvers.cloudflare.acme.email=email@example.com
  - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=126.96.36.199
  - --certificatesresolvers.cloudflare.acme.storage=/certs/acme.json
ports:
  web:
    redirectTo: websecure
env:
  - name: CF_API_EMAIL
    valueFrom:
      secretKeyRef:
        key: email
        name: cloudflare-api-credentials
  - name: CF_API_KEY
    valueFrom:
      secretKeyRef:
        key: apiKey
        name: cloudflare-api-credentials
ingressRoute:
  dashboard:
    enabled: false
persistence:
  enabled: true
  path: /certs
  size: 128Mi
volumes:
  - mountPath: /data
    name: traefik-config
    type: configMap
```
With this values file, you are configuring Traefik to:
- use `/data/traefik-config.yaml` as a static configuration file
- use Cloudflare as a certificates resolver
- set the domain `example.com` as the certificates main domain
- set `*.example.com` as the certificates SANs
- store the certificates in `/certs/acme.json`
As a first step, you’ll need to create a Kubernetes namespace:
```shell
kubectl create namespace traefik
```
Before you deploy the Helm chart, you’ll need to add the secret containing the Cloudflare credentials along with the configmap including the static configuration.
Create a `traefik-config.yaml` file with the following content:
```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-credentials
  namespace: traefik
type: Opaque
stringData:
  email: firstname.lastname@example.org
  apiKey: YOURCLOUDFLAREAPIKEY
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-config
  namespace: traefik
data:
  traefik-config.yaml: |
    http:
      middlewares:
        headers-default:
          headers:
            sslRedirect: true
            browserXssFilter: true
            contentTypeNosniff: true
            forceSTSHeader: true
            stsIncludeSubdomains: true
            stsPreload: true
            stsSeconds: 15552000
            customFrameOptionsValue: SAMEORIGIN
```
As an example, we've added a `headers-default` middleware. For the complete static configuration, please consult the Traefik docs.
Next, you can apply the secret and configmap you created above:
```shell
kubectl apply -f traefik-config.yaml
```
This will create the secret and configmap in the `traefik` namespace.
Now it's time to deploy Traefik! The following command will install Traefik in the `traefik` namespace with the configuration you created above:
```shell
helm install traefik traefik/traefik --namespace=traefik --values=traefik-chart-values.yaml
```
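The steps above collected into one script, as an added example that is not part of the original post. It assumes the `traefik-chart-values.yaml` from above sits in the working directory, that a file named `traefik-config.yaml` holds only the ConfigMap, and that the chart names its Deployment after the release (`traefik`). The Cloudflare credentials are taken from the environment variables `CF_API_EMAIL` and `CF_API_KEY` (the same names the Helm values expect inside the pod) and rendered straight into a Secret, so the API key never has to be typed into a YAML file that may end up in version control. The `kubectl` and `helm` calls only run when `TRAEFIK_DEPLOY=1` is set.

```shell
#!/bin/sh
# Added example (not the original post's code): deploy Traefik as described above,
# keeping the Cloudflare API key out of any file on disk.
# Assumptions: traefik-chart-values.yaml and traefik-config.yaml (ConfigMap only)
# exist in the working directory; the chart's Deployment is named after the release.
set -eu

NAMESPACE="traefik"
VALUES_FILE="traefik-chart-values.yaml"
CONFIGMAP_FILE="traefik-config.yaml"

# base64 without line wrapping, portable across GNU and BSD base64.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Render the cloudflare-api-credentials Secret from explicit arguments.
# Refuses to render when either value is empty, so a half-configured Secret
# (which would make the DNS challenge fail silently later) never reaches the cluster.
cloudflare_secret_manifest() {
  email="$1"
  apikey="$2"
  if [ -z "$email" ] || [ -z "$apikey" ]; then
    echo "cloudflare_secret_manifest: email and apiKey are required" >&2
    return 1
  fi
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-credentials
  namespace: $NAMESPACE
type: Opaque
data:
  email: $(b64 "$email")
  apiKey: $(b64 "$apikey")
EOF
}

deploy_traefik() {
  helm repo add traefik https://helm.traefik.io/traefik
  helm repo update
  # Idempotent namespace creation: safe to re-run.
  kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
  # The Secret goes from the environment straight into the API server.
  cloudflare_secret_manifest "$CF_API_EMAIL" "$CF_API_KEY" | kubectl apply -f -
  kubectl apply -f "$CONFIGMAP_FILE"
  # upgrade --install installs on first run and reconfigures on later runs.
  helm upgrade --install traefik traefik/traefik \
    --namespace="$NAMESPACE" --values="$VALUES_FILE"
  kubectl rollout status deployment/traefik --namespace="$NAMESPACE"
}

if [ "${TRAEFIK_DEPLOY:-0}" = "1" ]; then
  deploy_traefik
fi
```

Run it as `CF_API_EMAIL=... CF_API_KEY=... TRAEFIK_DEPLOY=1 sh deploy-traefik.sh`; without `TRAEFIK_DEPLOY=1` it only defines the functions, which is convenient for checking the rendered Secret with `cloudflare_secret_manifest "$CF_API_EMAIL" "$CF_API_KEY"` before anything touches the cluster.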
Make the Dashboard Accessible
In order to access the Traefik dashboard, you’ll first need to create an HTTP basic auth middleware. This also requires a secret with the htpasswd credentials.
Use the following command to create a base64-encoded htpasswd entry for a `kangoroo` user with the password `jack`:
```shell
htpasswd -nb kangoroo jack | openssl base64
```
Apply the secret and the middleware to your Kubernetes cluster:
```yaml
---
apiVersion: v1
kind: Secret
metadata:
  name: traefik-dashboard-auth
  namespace: traefik
data:
  users: |2
    a2FuZ29yb286JGFwcjEkdGlQbFBINXYkYlJrUHBSUlYuYUxUWnhFRzdYbmduMAoK
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-dashboard-basicauth
  namespace: traefik
spec:
  basicAuth:
    secret: traefik-dashboard-auth
```
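Two helpers for the basic-auth Secret, added here as an example and not part of the original post. `basicauth_secret_manifest` takes an htpasswd line (for instance the output of `htpasswd -nbB kangoroo jack`, where `-B` selects bcrypt instead of the default apr1 MD5) and renders the Secret with a single-line base64 value. `audit_users` does the reverse for a Secret you already have: it decodes `data.users` and lists which accounts and hash algorithms are in it without printing the hashes, which is what you want when reviewing who can reach the dashboard. The base64 blob is only an encoding, so anyone who can read the Secret can recover the htpasswd line; bcrypt hashes and tight RBAC on the `traefik` namespace are the mitigations. The sample value at the bottom is the one from the manifest above.

```shell
#!/bin/sh
# Added example (not the original post's code): build and audit the
# traefik-dashboard-auth Secret. Assumes only POSIX sh, base64 and tr.
set -eu

# Render the Secret for one htpasswd line of the form user:hash.
basicauth_secret_manifest() {
  htpasswd_line="$1"
  case "$htpasswd_line" in
    *:*) ;;
    *) echo "basicauth_secret_manifest: expected user:hash, got '$htpasswd_line'" >&2; return 1 ;;
  esac
  # Encode on a single line; GNU base64 would otherwise wrap at 76 characters.
  users_b64="$(printf '%s\n' "$htpasswd_line" | base64 | tr -d '\n')"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: traefik-dashboard-auth
  namespace: traefik
data:
  users: $users_b64
EOF
}

# Decode a data.users value and print "user algorithm" per account.
# Hashes are deliberately not printed. The extra echo guarantees a trailing
# newline so that `read` also sees a last line that lacks one.
audit_users() {
  { printf '%s' "$1" | base64 -d; echo; } | while IFS=: read -r user hash; do
    [ -n "$user" ] || continue   # skip blank lines (htpasswd output ends with one)
    case "$hash" in
      '$2y$'*|'$2a$'*|'$2b$'*) algo="bcrypt" ;;
      '$apr1$'*)               algo="apr1-md5" ;;
      '{SHA}'*)                algo="sha1" ;;
      *)                       algo="unknown" ;;
    esac
    printf '%s %s\n' "$user" "$algo"
  done
}

# Constructed check: the users value from the Secret shown above.
PAGE_USERS="a2FuZ29yb286JGFwcjEkdGlQbFBINXYkYlJrUHBSUlYuYUxUWnhFRzdYbmduMAoK"
audit_users "$PAGE_USERS"   # prints: kangoroo apr1-md5
```

To audit a Secret that is already in the cluster, feed it the stored value: `audit_users "$(kubectl get secret traefik-dashboard-auth -n traefik -o jsonpath='{.data.users}')"`.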
Now you can apply the following IngressRoute:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.example.com`)
      kind: Rule
      middlewares:
        - name: traefik-dashboard-basicauth
          namespace: traefik
      services:
        - name: api@internal
          kind: TraefikService
```
Please change the host in the `match` rule accordingly.
Since Traefik exposes the dashboard in a special way, you'll need to tell the IngressRoute to use the preconfigured service named `api@internal` with kind `TraefikService`.
The IngressRoute CRD
As we've mentioned above, Traefik supports both Ingress and IngressRoute as configuration.
The CRD has a few advantages:
- eliminate or reduce the number of annotations on the Ingress controllers
- abstract commonly used rules and configuration
- separate concerns across multiple use-cases and configurations
To deploy a simple `whoami` application and service, please refer to the appendix.
Here is an example IngressRoute for the `whoami` service:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  namespace: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`whoami.example.com`)
      kind: Rule
      middlewares:
        - name: headers-default@file
      services:
        - name: whoami
          port: 80
```
This IngressRoute tells Traefik to listen via the `websecure` entrypoint and forward all the traffic matching the host `whoami.example.com` to the `whoami` Kubernetes service. It also configures the route to use the `headers-default` middleware you configured in `traefik-config.yaml`; the `@file` suffix tells Traefik that the middleware comes from the file provider rather than from a Kubernetes CRD.
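A middleware that is referenced but not actually applied fails quietly, so it is worth checking the live response. The script below is an added example, not part of the original post: `check_security_headers` reads raw HTTP response headers on stdin (for example from `curl -sI https://whoami.example.com`) and reports every header that the `headers-default` middleware from `traefik-config.yaml` should have set but that is missing or carries a different value. The expected values are derived from the middleware options above (`stsSeconds`, `stsIncludeSubdomains`, `stsPreload`, `contentTypeNosniff`, `browserXssFilter`, `customFrameOptionsValue`) and must be adjusted if you change them; `sslRedirect` is not covered, since it shows up as a redirect on the `web` entrypoint rather than as a header. The two sample responses at the bottom are constructed, not captured from a real deployment.

```shell
#!/bin/sh
# Added example (not the original post's code): verify the headers-default
# middleware on a live route. Assumes POSIX sh, awk, grep, cut and tr.
set -eu

# Expected headers as "name|value", derived from the middleware options.
EXPECTED_HEADERS='strict-transport-security|max-age=15552000; includeSubDomains; preload
x-content-type-options|nosniff
x-xss-protection|1; mode=block
x-frame-options|SAMEORIGIN'

# Normalise a raw header block from stdin: drop CRs, lowercase names,
# trim whitespace, emit "name|value" lines. Lines without a colon (status line) are skipped.
normalise_headers() {
  tr -d '\r' | awk '
    index($0, ":") > 0 {
      i = index($0, ":")
      name = tolower(substr($0, 1, i - 1))
      value = substr($0, i + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", name)
      gsub(/^[ \t]+|[ \t]+$/, "", value)
      print name "|" value
    }'
}

# Reads headers on stdin. Returns 0 when every expected header is present with
# the expected value, 1 otherwise; each problem is printed on stdout.
check_security_headers() {
  actual="$(normalise_headers)"
  problems="$(printf '%s\n' "$EXPECTED_HEADERS" | while IFS='|' read -r name want; do
    got="$(printf '%s\n' "$actual" | grep -i "^$name|" | head -n 1 | cut -d'|' -f2-)"
    if [ -z "$got" ]; then
      printf 'missing: %s\n' "$name"
    elif [ "$got" != "$want" ]; then
      printf 'mismatch: %s got "%s" want "%s"\n' "$name" "$got" "$want"
    fi
  done)"
  if [ -n "$problems" ]; then
    printf '%s\n' "$problems"
    return 1
  fi
  return 0
}

# Constructed sample: what a correctly configured route should answer.
GOOD_RESPONSE='HTTP/2 200
content-type: text/plain; charset=utf-8
strict-transport-security: max-age=15552000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
date: Mon, 01 Jan 2024 00:00:00 GMT'

# Constructed sample: a route where the middleware is partly missing.
BAD_RESPONSE='HTTP/2 200
content-type: text/plain
strict-transport-security: max-age=300
x-frame-options: SAMEORIGIN'

# Self-check on the samples; against a live route use:
#   curl -sI https://whoami.example.com | check_security_headers
printf '%s\n' "$GOOD_RESPONSE" | check_security_headers
printf '%s\n' "$BAD_RESPONSE" | check_security_headers || echo "weak sample rejected as expected"
```

Header names are compared case-insensitively, so the check works for both HTTP/1.1 (`Strict-Transport-Security`) and HTTP/2 (`strict-transport-security`) responses.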
As you can see, getting started with Traefik as an Ingress controller isn't that hard :-) Helm makes it really easy to reconfigure or update Traefik.
Traefik documentation has a lot of good information and can be a great resource once you’ve gotten started using this guide. We bet it will answer most of your questions!
Whoami Example Deployment
```yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: whoami
  namespace: traefik
  labels:
    app: whoami
spec:
  containers:
    - name: whoami
      image: containous/whoami:latest
      ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: traefik
spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80
  selector:
    app: whoami
  type: ClusterIP
```
Because of our knowledge in Docker, we were able to switch departments at work, and are now working in the Kubernetes department. One of the first things we did was eliminate the existing reverse proxy and switch to Traefik :-D
Swiss IT nerd since forever. Interested in open source technologies like Ansible, Docker, Kubernetes, Traefik, Python and Golang. Maintainer of several GitHub repos and Docker images for containeroo. Addicted to music, tv shows and YouTube. Speaking German and English. Twitter, Reddit or GitHub.
Couch potato, film and series junky, hobby-columnist for Containeroo, likes Traefik, Ansible, Docker and K8s. Hates corn and dill. Born and raised in Switzerland. Star me on GitHub.