Posted on 21 April 2021, updated on 21 September 2023.
Kubernetes is a powerful tool to which companies are migrating their old infrastructures.
But when it comes to accessing your applications using domain names from outside your cluster, Kubernetes is not that simple. To achieve this, you can use an ingress controller such as Traefik.
Prerequisites
- Basic understanding of Kubernetes
- A Kubernetes cluster with a load balancer (any cluster created on GCP will work wonderfully because the load balancer will be provisioned by the cloud provider)
- A domain name (better) but the tutorial can be done without one
- Helm 3 installed on your computer
Install Traefik
To install Traefik, we will use Helm 3. Helm is a wonderful tool to easilyinstall applications in Kubernetes. It allows you to version and configure your apps to fit your needs.
You have multiple ways to configure how your apps will be installed through Helm. One of them is the use of aconfiguration file. We will use it here because it gives more flexibility on the arguments you can use in the long term.
So first, create a file calledvalues.yaml and paste the following. In this file, we configure two entry points listening for outside web traffic on ports 80 and 443. We add a few more arguments to have a working and clean installation.
Now we can install Traefik in our cluster with Helm using the values file:
Traefik should be running as expected in the traefik-system namespace:
Take note of the external-ip of the service (35.233.25.26
in this case). This IP will become the entry point forall the apps routed by Traefik in your cluster.
For your information, the IP address was automatically given by the load balancer our Cloud provider provided because we created a service with the typeLoadBalancer
. If you do not have a load balancer, you may want to solve this issue first (bare-metal clusters can take a look at MetalLB for instance).
Access Traefik dashboard
Traefik has a dashboard tovisualize all the resources controlled by Traefik. It includes ingress, ingressRoutes, middlewares, ...
By default, when usingHelm, Traefik exposes a dashboard on the service IP so if you want to access it, create a record pointing to this IP. For this example, I created an entry called traefik.padok.fr in my file /etc/hosts:
The final step to be able to access the Traefik dashboard is tocreate an ingressRoute. An ingressRoute is Traefik's own implementation of an ingress and is used to redirect traffic.
Create a file calledingressroute.yaml
with the following content:
Apply your file with: kubectl apply -f ingressroute.yaml
And now you can access the dashboard in your browser.
Secure access to Traefik using basic auth
By default, the dashboard is accessible as it is. However, it is considered bad practice to expose traefik dashboard without any authentication. Fortunately, Traefik allows us to usemiddlewares to secure our applications.
Here, I will set up abasic auth middleware to block access to the dashboard without the correct credentials :
The credentials are stored in a secret and base64 encoded. Here, the username and password I set up are respectively admin
and Padok.
You also need to update the ingressRoute to use this middleware:
Finally, apply your manifests:
And you should see a prompt for your login and password when you connect.
Use Cert-manager to manage certificates in your cluster
By default, Traefik is able to handle certificates in your cluster but only if you have a single instance of the Traefik pod running. It is not a good practice because this pod becomes asingle point of failure in your infrastructure.
To solve this issue, we can useCert-manager to store and issue our certificates.
We can install it with helm. The default values will be enough for us here:
If everything went well, the resources should be created:
Next, we can create a certificate with an issuer and a certificate to serve our dashboard over HTTPS:
You also need to tell Traefik to use the secret created by Cert-manager to terminate the TLS connection:
And apply:
If everything went well, you can access the dashboard securely using HTTPS!
For this example, I used a self-signed certificate so I will get a warning when connecting over HTTPS. However, we can see that the certificate is correctly used.
Enable automatics HTTPS redirection
Because we do not want our users to use HTTP if HTTPS is available, the last step of our setup is toenable an automatic redirection to HTTPS. This redirection can be done in Traefik itself. We just need to modify our values file.
And upgrade our helm release:
helm upgrade traefik traefik/traefik -f values.yml
After following all these steps, you should now have a working Traefik instance running in your Kubernetes cluster ensuring HTTPS connection using certificates issued byCert-manager.
Deploy a 2048 app using Traefik
To test if your setup is working as expected, we will deploy a small2048 application in our cluster.
We create the components needed for our application to work correctly:
Let’s just apply the whole thing: kubectl apply -f 2048.yaml
After a few moments, you should see your new IngressRoute appear in the dashboard.
Finally, do not forget to add a DNS entry with your app domain name pointing to Traefik’s service IP address (2048.padok.fr → 35.233.25.26
in my case).
And… that’s all! Your new app is accessible securely in your browser.
Traefik is a wonderful tool but it can prove painful to set up initially so I hope this article will be helpful for you if you ever need to install Traefik in your cluster.