Installing and using Traefik in Kubernetes

Traefik is a popular open-source reverse proxy and load balancer, designed for microservices and containerized applications. Traefik can automatically discover the services running in a Kubernetes cluster and route traffic to these services using various load balancing algorithms.

Traefik operates for other services within your Kubernetes cluster. With Traefik, you can host multiple applications on a Kubernetes cluster, and their traffic flows through Traefik. Traefik can then function as a single load balancer for all these applications and also provide Let's Encrypt SSL certificates.

In this tutorial, we'll show you how to install and use Traefik on your Kubernetes cluster.

Installing Traefik

Step 1

Add the official Traefik repository and update your Helm repositories to be able to use it:

helm repo add traefik https://helm.traefik.io/traefik
helm repo update

Step 2

Traefik can generate Let's Encrypt certificates for applications communicating through Traefik. In this tutorial, we assume that you also want to use this for your use case. For this, you use an ACME DNS challenge provider. We support this option via our API. Please note that the provider you choose must support this functionality and that the domains you use are registered with that provider in the account you use for this guide.

Create a directory where you will store your TransIP API key, for example:

mkdir transip

Then create a file in the directory you just created containing a private key of your account for the TransIP API, for example:

cat << EOF > transip/transip.key
-----BEGIN PRIVATEKEY-----
MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQDKoaYJtbVnJw58
PYGH8WIJ7ZjWd2lke0IbMV+dNGs=
-----ENDPRIVATEKEY-----
EOF

In this example, only a small fragment of a private key is included. Your private key will be much longer.

Step 3

Create a namespace for Traefik within your cluster:

kubectl create ns traefik

Step 4

Generate a secret based on your API Private Key that Traefik can use to communicate with the TransIP API. Optionally replace the following information:

• -n traefik: Use the name of the namespace you created in step 3.
• transip/transip.key: Change to the directory and filename you created in step 2.

kubectl create -n traefik secret generic transip-key --from-file transip/transip.key

Step 5

For the installation of Traefik, we will use the official Helm Chart in the next step. In addition, we will make a few adjustments. Create a .yaml file for this, for example:

nano traefik.yaml

Give the file the contents below, in which you adjust two values:

• youraccount: Change youraccount to the name of your TransIP account.
• /transip/transip.key: Change (if necessary) to the directory and filename you created in step 2.

additionalArguments:
  - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=transip"
  - "--certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=120"
  - "--certificatesresolvers.myresolver.acme.storage=/data/acme.json"
env:
  - name: TRANSIP_ACCOUNT_NAME
    value: youraccount
  - name: TRANSIP_PRIVATE_KEY_PATH
    value: /transip/transip.key
volumes:
  - name: transip-key
    mountPath: "/transip"
    type: secret
rbac:
  enabled: true
ports:
  websecure:
    tls:
      enabled: true
dashboard:
  enable: true
  ingressRoute: false
podAnnotations:
  prometheus.io/port: "8082"
  prometheus.io/scrape: "true"
providers:
  kubernetesIngress:
    publishedService:
      enabled: true
priorityClassName: "system-cluster-critical"
image:
  name: "rancher/library-traefik"
tolerations:
- key: "CriticalAddonsOnly"
  operator: "Exists"
- key: "node-role.kubernetes.io/control-plane"
  operator: "Exists"
  effect: "NoSchedule"
- key: "node-role.kubernetes.io/master"
  operator: "Exists"
  effect: "NoSchedule"

Code explanation

• --certificatesresolvers.myresolver.acme.dnschallenge.provider=transip: Configures the DNS challenge provider for Let's Encrypt to use the TransIP DNS API
• --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=120: 120 seconds delay before checking for DNS propagation
• --certificatesresolvers.myresolver.acme.storage=/data/acme.json: Storage location for generated certificates env.name.value:
• youraccount: The TransIP account name used for DNS challenge authentication
• env.name.value: /transip/transip.key: Where the private key for the TransIP account is located
• volumes.name: transip-key: Configure a volume to mount the TransIP private key in the Traefik container. This is necessary to communicate with the TransIP DNS API
• rbac.enabled: true: Enables Role Based Access Control for Traefik. This provides detailed control over Kubernetes resources and the Kubernetes API
• ports.websecure.tls: enabled: true: Enables TLS for the Traefik dashboard. This is optional if you only access it locally (see next step)
• dashboard: enable: true: Enables the Traefik dashboard
• dashboard.ingressRoute: false: Disables creating an IngressRoute for the dashboard
• podAnnotations: prometheus.io/port: "8082": Configures the port used for exposing Prometheus metrics
• podAnnotations:prometheus.io/scrape: "true": Enables Prometheus scraping for the Traefik pod
• providers: kubernetesIngress: publishedService: enabled: true: Enables the option for Traefik to discover Kubernetes Ingress resources
• priorityClassName: "system-cluster-critical": Sets a priority class for Traefik
• image: name: "rancher/library-traefik": The image used for the deployment
• Tolerations: - key: "CriticalAddonsOnly": Taint key only for critical add-ons
• Tolerations: - key: "node-role.kubernetes.io/control-plane": Taint key for the control plane nodes operator. With "NoSchedule", scheduling is disabled.
• Tolerations- key: "node-role.kubernetes.io/master": Taint key for the master nodes operator where scheduling is also disabled using "NoSchedule".

Step 6

Install the Traefik Helm Chart with the command below.

helm install -f traefik.yaml traefik traefik/traefik -n traefik

• helm install: Installs the Helm Chart.
• -f traefik.yaml: The file from step 5 that we use to customize the installation.
• traefik: The name of the Helm 'release', can be checked with the command 'helm list'.
• traefik/traefik: The name of the repository and Helm Chart to be installed, respectively.
• -n traefik: The namespace in which the Helm release is installed, see step 3.

The Traefik dashboard

Traefik comes with a web interface that provides insight into the status of your Kubernetes cluster and the traffic processed by your cluster. It displays information about the routers and services used to process traffic and the load balancing algorithms used. The dashboard also provides the ability to view logs and metrics generated by Traefik. The dashboard is a useful tool for monitoring and troubleshooting Traefik.

To use the Traefik dashboard, use the following command:

kubectl port-forward pod/traefik-6598fc985c-tg748 9000:9000 -n traefik

Replace traefik at the end with the namespace where Traefik is located and traefik-6598f985-tg748 with the name of the Traefik pod. You can check both with the following commands, respectively:

kubectl get ns kubectl get pods -n traefik

You can now view the Traefik dashboard in a browser on the computer where you executed the first command at the address: http://127.0.0.1:9000/dashboard/