Installing Traefik Ingress

Let's start by adding the Helm chart repository:

helm repo add traefik https://helm.traefik.io/traefik
helm repo update

Create a file named values.yaml with the content:

---
deployment:
  kind: DaemonSet
ports:
  web:
    port: 80
  websecure:
    port: 443
service:
  enabled: false
nodeSelector:
  ingress: "true" # Label values are strings; an unquoted true is parsed as a YAML boolean and rejected
hostNetwork: true
ingressRoute:
  dashboard:
    enabled: false # We will use a custom IngressRoute with basic auth instead of the default one

# The following lines are needed if you get an error like: error while building entryPoint web: error preparing server: error opening listener: listen tcp :80: bind: permission denied
# It means that Traefik is unable to listen for connections on the host's privileged ports because it lacks permissions.
# Hence the need for additional permissions.
securityContext:
  capabilities:
    drop: [ALL]
    add: [NET_BIND_SERVICE]
  readOnlyRootFilesystem: true
  runAsGroup: 0
  runAsNonRoot: false
  runAsUser: 0

Note that we are using hostNetwork and changing the ports to 80 and 443; that way you can point your DNS directly at the node.

Create a file named dashboard-ingress.yaml with the content:

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik-system
spec:
  entryPoints:
    - web
    - websecure
  routes:
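    - match: Host(`traefik.internal.yourdomain.com`) # Hostname to match
      kind: Rule
      middlewares: # Require basic auth; without this reference the dashboard is served unauthenticated
        - name: auth
          namespace: traefik-system
      services: # Service to redirect requests to
        - name: api@internal # Special service created by Traefik pod
          kind: TraefikService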
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: auth
  namespace: traefik-system
spec:
  basicAuth:
    secret: traefik-auth # Secret in the same namespace as this Middleware, holding the htpasswd users file

Change the domain to your own and point a DNS record at the IP of one of the nodes running Traefik.

Install htpasswd and generate a user for the dashboard:

sudo apt install apache2-utils
htpasswd -c users admin

Enter a secure password when prompted.

Create a file named kustomization.yaml with the contents:

apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: traefik-system

secretGenerator:
- name: traefik-auth
  files:
  - users

generatorOptions:
  disableNameSuffixHash: true

resources:
- dashboard-ingress.yaml

Select the nodes where you want the ingress installed by labelling them (replace node with the node name):

kubectl label nodes node ingress=true

Now let's install:

helm install --namespace=traefik-system --create-namespace traefik traefik/traefik -f values.yaml

Check the installation:

kubectl -n traefik-system get daemonset
curl http://ip-node

Apply the dashboard ingress:

kubectl apply -k .

Now you can test your ingress.
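
A check you can run after applying the manifests, added here as an example (it is not part of the original post): it reads the JSON produced by kubectl get ingressroutes,middlewares -A -o json and lists every route to api@internal that has no basicAuth middleware attached. The function name and the sample objects are constructed for illustration.

```python
import json
import sys

# Constructed sample shaped like `kubectl get ingressroutes,middlewares -A -o json`,
# trimmed to the fields the audit reads. Not captured from a real cluster.
SAMPLE = {"kind": "List", "items": [
    {"kind": "Middleware", "metadata": {"namespace": "traefik-system", "name": "auth"},
     "spec": {"basicAuth": {"secret": "traefik-auth"}}},
    {"kind": "IngressRoute",
     "metadata": {"namespace": "traefik-system", "name": "traefik-dashboard"},
     "spec": {"routes": [{"match": "Host(`traefik.internal.yourdomain.com`)",
                          "middlewares": [{"name": "auth"}],
                          "services": [{"name": "api@internal"}]}]}},
    {"kind": "IngressRoute", "metadata": {"namespace": "default", "name": "dashboard-open"},
     "spec": {"routes": [{"match": "Host(`open.example.test`)",
                          "services": [{"name": "api@internal"}]}]}},
]}


def audit_dashboard_routes(kube_list):
    """Return (namespace/name, match) for each route to api@internal
    that has no basicAuth middleware attached."""
    items = kube_list.get("items", [])
    # Index the Middleware objects that actually configure basicAuth.
    auth_mw = {
        (m["metadata"]["namespace"], m["metadata"]["name"])
        for m in items
        if m.get("kind") == "Middleware" and "basicAuth" in m.get("spec", {})
    }
    findings = []
    for obj in items:
        if obj.get("kind") != "IngressRoute":
            continue
        ns = obj["metadata"]["namespace"]
        for route in obj.get("spec", {}).get("routes", []):
            if "api@internal" not in {s.get("name") for s in route.get("services", [])}:
                continue
            # A middleware reference without a namespace resolves to the route's own.
            refs = {(mw.get("namespace", ns), mw.get("name"))
                    for mw in route.get("middlewares", [])}
            if not refs & auth_mw:
                name = f"{ns}/{obj['metadata']['name']}"
                findings.append((name, route.get("match", "")))
    return findings


if __name__ == "__main__":
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for name, match in audit_dashboard_routes(data):
        print(f"UNAUTHENTICATED dashboard route: {name} {match}")
```

Save the kubectl output to a file and pass its path as the first argument; with no argument the script runs on the constructed sample.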

In the next post we will put a load balancer with the Cloudflare service in front of the ingress nodes.

If your cloud provider offers managed Kubernetes, or runs on a supported cloud technology such as OpenStack, you should probably use the service type LoadBalancer.

In this case you can remove the config:

service:
  enabled: false

and also the port overrides, since you will use your load balancer IP to access the content.

If you plan to use ACME (Let's Encrypt) with Traefik, you should read this post: https://www.padok.fr/en/blog/traefik-kubernetes-certmanager