Reading Time: 6 minutes read
This guide will go through step-by-step how to deploy the popular reverse proxy / edge router Traefik v.1.7.14 as an ingress controller routing web traffic in a Kubernetes cluster.
Prerequisite
- A Kubernetes cluster up and running on DigitalOcean.
- Knowledge about deployments, services, ingresses, secrets and rbac.
This tutorial will use DigitalOcean Kubernetes however this can be applied in a similar way in Minikube. One compute node will be sufficient.
You can create a cluster by signing up here to get 50$ credits for FREE the first 30 days of usage.
Getting Started
In this tutorial will we use two fictional DNS entries to reach two different services through Traefik ingress by editing /etc/hosts.whoami.k8s.phrenetic.se – Main web applicationdashboard.k8s.phrenetic.se – Traefik dashboard
Step 1: Enabling RBAC
First we need to grant permissions to the ServiceAccount that Traefik uses in the cluster.
kubectl apply -f https://gist.github.com/mekstrem/321093fdbc51c042c2e3da1610d48f33/raw/04cfdab09b395f049189f95995b71c8726d0ef51/traefik-rbac.yaml
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller createdStep 2: Deploy Traefik
Now that required RBAC resources has been deployed in the cluster to grant the Traefik ingress controller the permissions it needs it is time to deploy Traefik itself!
kubectl apply -f https://gist.githubusercontent.com/mekstrem/6b6f134a26eabbfe0c0e26d39dd38803/raw/0ab89301dc26a30f0792815ec2f922475e8b7513/traefik-deployment.yaml
serviceaccount/traefik-ingress-controller created
deployment.extensions/traefik-ingress-controller created
service/traefik-ingress-service created
Verify that everything looks good. You should now similar output as below with Traefik up and running.
kubectl get all -n kube-system
NAME READY STATUS RESTARTS AGE
pod/cilium-operator-57586bb7cb-46z4g 1/1 Running 0 15m
pod/cilium-vbg95 1/1 Running 0 14m
pod/coredns-9d6bf9876-jg27n 1/1 Running 0 15m
pod/coredns-9d6bf9876-v578q 1/1 Running 0 15m
pod/csi-do-node-7kqqs 2/2 Running 0 14m
pod/do-node-agent-g6x99 1/1 Running 0 14m
pod/kube-proxy-7lskf 1/1 Running 0 14m
pod/traefik-ingress-controller-668df9b887-pr9w5 1/1 Running 0 2m28s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kube-dns ClusterIP 10.245.0.10 <none> 53/UDP,53/TCP,9153/TCP 15m
service/traefik-ingress-service LoadBalancer 10.245.5.249 <REDACTED> 80:30089/TCP,8080:31123/TCP 2m28s
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
daemonset.apps/cilium 1 1 1 1 1 <none> 15m
daemonset.apps/csi-do-node 1 1 1 1 1 <none> 15m
daemonset.apps/do-node-agent 1 1 1 1 1 beta.kubernetes.io/os=linux 15m
daemonset.apps/kube-proxy 1 1 1 1 1 <none> 16m
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/cilium-operator 1/1 1 1 15m
deployment.apps/coredns 2/2 2 2 15m
deployment.apps/traefik-ingress-controller 1/1 1 1 2m28s
NAME DESIRED CURRENT READY AGE
replicaset.apps/cilium-operator-57586bb7cb 1 1 1 15m
replicaset.apps/coredns-9d6bf9876 2 2 2 15m
replicaset.apps/traefik-ingress-controller-668df9b887 1 1 1 2m28s
As seen in the output above do we now have a pod up and running as well a service of type LoadBalancer with an External-IP. This is great success!
Our cluster is now reachable from the outside via the IP-address shown in the External-IP field. To continue on with the tutorial is it mandatory to update the /etc/hosts file with the External-IP and the fictional DNS names.
NOTE! If you see External-IP as <pending>. Don’t worry, it takes sometimes a bit longer for DigitalOcean to provision a load balancer for you that provides the IP-addresses. Be patient!
# Must be root user to modify /etc/hosts
echo "<EXTERNAL-IP> dashboard.k8s.phrenetic.se whoami.k8s.phrenetic.se" >> /etc/hostsStep 3: Deploy Traefik Dashboard
Traefik comes with a dashboard (optional) for an easy overall glimpse of the ingress controller displaying which resources that Traefik handles along with some metrics showing routes, back end services and more. This dashboard is updated in real-time so any changes made to the resources that Traefik handles will automatically be updated on the dashboard. By default is this dashboard accessible to anyone with the URL so to secure things up will we implement authentication to the dashboard in form of basic auth.
Create The Authentication Secrets
Step 1. Use the htpasswd tool to create a file containing the MD5-encoded password. You will be prompted to enter a password twice.
# Create file dashboard-auth containing credentials
htpasswd -c dashboard-auth traefik
# File contents
cat dashboard-auth
traefik:$apr1$aDsMSn/C$SIKwE4CPnzVhLoVDNN6Zo1Step 2. Create a Kubernetes Secret to store the credentials. It must be created in the same namespace as the ingress and controller. In this case the kube-system namespace.
kubectl create secret generic traefik-dashboard -n kube-system --from-file dashboard-authStep 3. Deploy the dashboard service and ingress resources to Kubernetes.
kubectl apply -f https://gist.githubusercontent.com/mekstrem/194995ded6c34bfb068751f28b5bcb93/raw/552b8730b9664526b1bcce24b5118314c11d42d9/traefik-dashboard.yaml
service/traefik-web-ui created
ingress.extensions/traefik-web-ui createdA new service traefik-web-ui has been created allowing us now to route external traffic to the dashboard with the help of an Ingress resource. As you can see in the ingress resource have we added annotations telling Traefik to handle the ingress routing, use basic-auth authentication and grab the credentials from the secret traefik-dashboard.
Visit dashboard.k8s.phrenetic.se and if the dashboard has been successfully deploy will you be greeted by a pop–up window asking for credentials. Enter the credentials created in the previous step and you will now have access to the Traefik dashboard.
More information about the dashboard and configuration options can be found here.
Step 4: Deploy whoami Web Application
If you have come this far in this tutorial then you are ready to deploy your first web application managed by Traefik (except the dashboard).
Lets get on deploying the web application whoami with a replica count of five pods made by Containous!
kubectl apply -f https://gist.githubusercontent.com/mekstrem/7e64247ddfa0f053ca8074f914eb331c/raw/f6ec5218c8299c22cfc17f49290a5e2ead4e7583/whoami-deployment.yaml
deployment.extensions/whoami-deployment created
service/whoami-service created
ingress.extensions/whoami-ingress createdThe web application is now accessible at whoami.k8s.phrenetic.se and you can now see various HTTP header information along with the IP address of the pod that has actually received the routed traffic from Traefik.
If you now refresh the website you’ll see that the HostName and IP changes on each reload of the web application. This is Traefik magic in action doing load balancing of traffic across the five pods that we defined in the deployment!
With all this said and done. You have now successfully deployed Traefik as an ingress controller in your Kubernetes cluster with both routing and load balancing of a running web application.
In the upcoming post are we going to take a look at on how create certificates and enable SSL/TLS in Traefik. Stay tuned!