Blog

Install And Configure Traefik Proxy with Helm

Guest post by Traefik Ambassadors, Robin Scherrer and Daniele Di Rosa (aka Containeroo)

Originally published: October 2020
Updated: March 2022


When we started our container journey with Docker some years ago, we looked for an easy to configure reverse proxy to expose our services to the internet. Daniele had seen a video about the best Docker projects where Emile Vauge, founder of Traefik Labs, delivered a presentation about Traefik Proxy. And so we decided to give Traefik Proxy a shot. We started with using Traefik Proxy 1.x, and then moved to Traefik Proxy 2.0 a couple of years later.

When Traefik Proxy 2.0 was released, we spent the weekend figuring out how it works, and the next week, decided to help others have a tremendous getting started experience by writing a simple step-by-step guide. And, with our roles on the Kubernetes team at work, we went on to replace the existing reverse proxy Ambassador with Traefik Proxy.

Ready to Simplify Cloud Networking ... for Free?2B+ downloads and 30k+ stars on GitHub say it all.Explore Traefik Proxy

The tutorial

To make good on our promise, we are here to deliver this tutorial where we will show you how to install and configure Traefik Proxy using the official Helm chart. We will also show you how to configure Traefik Proxy with Cloudflare which makes wildcard Let's Encrypt certificates possible.

Helm makes it easy to deploy applications on your Kubernetes cluster. Even though Traefik Proxy supports both Ingress and Traefik IngressRoute, we prefer to use the CRD instead of Ingress, which results in a lot of annotations.

Prerequisites

Before we get started, here’s what you need to have to follow through with the tutorial:

  • A Kubernetes Cluster
  • Helm official docs
  • Kubeconfig file for Helm to access your Kubernetes Cluster (~/.kube/config)

Prepare Helm chart

First, you need to add the official Helm repository to your Helm client. You can do that by issuing the following command:

helm repo add traefik https://helm.traefik.io/traefik
helm repo update

In order to configure the Helm chart, you need to specify certain values. You can find all the values possible here. These values will mostly set the static configuration of Traefik Proxy. For the complete static configuration, please consult the Traefik docs.

Open your favorite editor and set the values you want to change. Here is an example traefik-chart-values.yaml file:

---
additionalArguments:
  - --entrypoints.websecure.http.tls.certresolver=cloudflare
  - --entrypoints.websecure.http.tls.domains[0].main=example.com
  - --entrypoints.websecure.http.tls.domains[0].sans=*.example.com
  - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
  - --certificatesresolvers.cloudflare.acme.email=mail@example.com
  - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1
  - --certificatesresolvers.cloudflare.acme.storage=/certs/acme.json

ports:
  web:
    redirectTo: websecure

env:
  - name: CF_API_EMAIL
    valueFrom:
      secretKeyRef:
        key: email
        name: cloudflare-api-credentials
  - name: CF_API_KEY
    valueFrom:
      secretKeyRef:
        key: apiKey
        name: cloudflare-api-credentials

ingressRoute:
  dashboard:
    enabled: false

persistence:
  enabled: true
  path: /certs
  size: 128Mi

With these values file, you are configuring Traefik Proxy to:

  • use Cloudflare as a certificates resolver
  • set the domain example.com as the certificate's main domain
  • set *.example.com as the certificates sans
  • store the certificates in /certs/acme.json

Install Traefik Proxy

As a first step, create a Kubernetes namespace:

kubectl create namespace traefik

Before you deploy the Helm chart, add the secret containing the Cloudflare credentials.

Create a traefik-config.yaml file with the following content:

---
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-credentials
  namespace: traefik

type: Opaque
stringData:
  email: your@cloudflare.email
  apiKey: YOURCLOUDFLAREAPIKEY

Next, apply the secret and middleware you created above:

kubectl apply -f traefik-config.yaml

This will create the secret in the traefik namespace.

Now it's time to deploy Traefik Proxy! The following command will install Traefik in the traefik namespace and with the configuration you created above:

helm install traefik traefik/traefik --namespace=traefik --values=traefik-chart-values.yaml

Make the dashboard accessible

In order to access the Traefik dashboard, you first need to create an HTTP basic auth middleware. This also requires a secret with the htpasswd credentials.

Use the following command to create a base64 encoded htpasswd file with a kangoroo user and the password jack:

htpasswd -nb kangoroo jack | openssl base64

Now, create the secret and the middleware in a traefik-dashboard-auth.yaml:

---
apiVersion: v1
kind: Secret
metadata:
  name: traefik-dashboard-auth
  namespace: traefik

data:
  users: a2FuZ29yb286JGFwcjEkdGlQbFBINXYkYlJrUHBSUlYuYUxUWnhFRzdYbmduMAoK

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-dashboard-basicauth
  namespace: traefik

spec:
  basicAuth:
    secret: traefik-dashboard-auth

Now you can apply the following traefik-dashboard-ingressroute.yaml file:

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik

spec:
  entryPoints:
    - websecure

  routes:
    - match: Host(`traefik.example.com`)
      kind: Rule
      middlewares:
        - name: traefik-dashboard-basicauth
          namespace: traefik
      services:
        - name: api@internal
          kind: TraefikService

Make sure to change the matching host rule accordingly under the routes section. Since Traefik Proxy exposes the dashboard in a special way, you’ll need to tell the IngressRoute to use the preconfigured service named api@internal with kind TraefikService.

The IngressRoute CRD

As we've mentioned above, Traefik Proxy supports both Ingress and IngressRoute as a configuration. The CRD has a few advantages:

  • It eliminates or reduces the number of annotations on the Ingress controllers
  • It abstracts commonly used rules and configurations
  • It separates concerns across multiple use-cases and configurations

To deploy a simple whoami application service, you can refer to the appendix.

Here is an example IngressRoute for the whoami service along with a headers-default middleware:

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: headers-default
  namespace: traefik

spec:
  headers:
    browserXssFilter: true
    contentTypeNosniff: true
    forceSTSHeader: true
    stsIncludeSubdomains: true
    stsPreload: true
    stsSeconds: 15552000
    customFrameOptionsValue: SAMEORIGIN

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  namespace: traefik

spec:
  entryPoints:
    - websecure

  routes:
    - match: Host(`whoami.example.com`)
      kind: Rule
      middlewares:
        - name: headers-default
          namespace: traefik
      services:
        - name: whoami
          port: 80

This IngressRoute tells Traefik Proxy to listen via the websecure entrypoint and forward all the traffic matching the host whoami.example.com to the whoami Kubernetes service. It also configures the route to use the headers-default middleware.

Conclusion

As you can see, getting started with Traefik Proxy as an Ingress controller isn't that hard. 🙂

Helm makes it really easy to reconfigure or update Traefik Proxy.

The Traefik Proxy documentation has a lot of good information and can be a great resource, once you’re all set up with the help of this guide. We bet it will answer most of your questions!

You can find us on Twitter, Medium or GitHub. Feel free to ask any questions regarding Traefik Proxy and Kubernetes — we are happy to help!

Appendix

Whoami example deployment

---
apiVersion: v1
kind: Pod
metadata:
  name: whoami
  namespace: traefik
  labels:
    app: whoami

spec:
  containers:
    - name: whoami
      image: containous/whoami:latest
      ports:
        - containerPort: 80

---
apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: traefik

spec:
  ports:
    - port: 80
      protocol: TCP
      targetPort: 80

  selector:
    app: whoami

  type: ClusterIP

About us

Because of our knowledge in Docker, we were able to switch departments at work, and are now working in the Kubernetes department. One of the first things we did was to eliminate the existing reverse proxy and switch to Traefik Proxy. 😃

Robin:

Swiss IT nerd since forever. Interested in open source technologies like Ansible, Docker, Kubernetes, Traefik, Python, and Golang. Maintainer of several GitHub repos and Docker images for Containeroo. Addicted to music, TV shows, and YouTube. Speaking German and English. Twitter, Reddit or GitHub.

Daniele:

Couch potato, film and series junky, hobby-columnist for Containeroo, likes Traefik, Ansible, Docker, and K8s. Hates corn and dill. Born and raised in Switzerland. Star me on GitHub.

Traefik Labs uses cookies to improve your experience. By continuing to browse the site you are agreeing to our use of cookies. Find out more in the Cookie Policy.