Deploy Traefik as Ingress Controller

This guide walks step by step through deploying the popular reverse proxy / edge router Traefik v1.7.14 as an ingress controller that routes web traffic in a Kubernetes cluster.

Prerequisites

  • A Kubernetes cluster up and running on DigitalOcean.
  • Knowledge about deployments, services, ingresses, secrets and RBAC.

This tutorial uses DigitalOcean Kubernetes, but the same steps can be applied in a similar way in Minikube. One compute node will be sufficient.

You can create a cluster by signing up here to get $50 in free credits for the first 30 days of usage.

Getting Started

In this tutorial we will use two fictional DNS entries, added to /etc/hosts, to reach two different services through the Traefik ingress.

whoami.k8s.phrenetic.se – Main web application
dashboard.k8s.phrenetic.se – Traefik dashboard

Step 1: Enabling RBAC

First we need to grant permissions to the ServiceAccount that Traefik uses in the cluster.

kubectl apply -f https://gist.github.com/mekstrem/321093fdbc51c042c2e3da1610d48f33/raw/04cfdab09b395f049189f95995b71c8726d0ef51/traefik-rbac.yaml

clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created
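
Applying a URL directly means the cluster accepts whatever that URL serves at that moment, and this manifest creates cluster-wide RBAC objects. The script below is an added example, not part of the original post: it downloads the manifest, checks that it declares only the kinds reported in the output above, lists grants worth reading, and applies the reviewed local copy. The function names and the sample manifest are constructed for illustration; the sample is not the content of the gist.

```shell
#!/usr/bin/env bash
# Added example: review a remote manifest locally, then apply the reviewed copy.

# Distinct top-level "kind:" values in a manifest, space separated.
manifest_kinds() {
  awk '/^kind:/ {print $2}' "$1" | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Lines (with line numbers) that mention secrets or a quoted "*" wildcard.
risky_rbac_lines() {
  grep -nE "secrets|[\"']\\*[\"']" "$1"
}

# Constructed sample manifest for offline use; NOT the contents of the gist.
sample_manifest() {
  f=$(mktemp)
  cat > "$f" <<'EOF'
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-ingress-controller
rules:
  - apiGroups: [""]
    resources: ["services", "endpoints", "secrets"]
    verbs: ["get", "list", "watch"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: example-ingress-controller
roleRef:
  kind: ClusterRole
EOF
  echo "$f"
}

# review_and_apply <raw-url> "<expected kinds>"
review_and_apply() {
  f=$(mktemp) || return 1
  curl -fsSL "$1" -o "$f" || return 1
  echo "sha256: $(sha256sum "$f" | cut -d' ' -f1)"   # record, compare on later runs
  kinds=$(manifest_kinds "$f")
  [ "$kinds" = "$2" ] || { echo "unexpected kinds: $kinds"; return 1; }
  risky_rbac_lines "$f" && echo "read the grants listed above before applying"
  printf 'apply %s? [y/N] ' "$f"; read -r answer
  [ "$answer" = y ] && kubectl apply -f "$f"
}
# Usage: review_and_apply "<raw URL from Step 1>" "ClusterRole ClusterRoleBinding"
```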

Step 2: Deploy Traefik

Now that the required RBAC resources have been deployed in the cluster, granting the Traefik ingress controller the permissions it needs, it is time to deploy Traefik itself!

kubectl apply -f https://gist.githubusercontent.com/mekstrem/6b6f134a26eabbfe0c0e26d39dd38803/raw/0ab89301dc26a30f0792815ec2f922475e8b7513/traefik-deployment.yaml

serviceaccount/traefik-ingress-controller created
deployment.extensions/traefik-ingress-controller created
service/traefik-ingress-service created

Verify that everything looks good. You should now see output similar to the one below, with Traefik up and running.

kubectl get all -n kube-system
NAME                                              READY   STATUS    RESTARTS   AGE
pod/cilium-operator-57586bb7cb-46z4g              1/1     Running   0          15m
pod/cilium-vbg95                                  1/1     Running   0          14m
pod/coredns-9d6bf9876-jg27n                       1/1     Running   0          15m
pod/coredns-9d6bf9876-v578q                       1/1     Running   0          15m
pod/csi-do-node-7kqqs                             2/2     Running   0          14m
pod/do-node-agent-g6x99                           1/1     Running   0          14m
pod/kube-proxy-7lskf                              1/1     Running   0          14m
pod/traefik-ingress-controller-668df9b887-pr9w5   1/1     Running   0          2m28s


NAME                              TYPE           CLUSTER-IP     EXTERNAL-IP      PORT(S)                       AGE
service/kube-dns                  ClusterIP      10.245.0.10    <none>           53/UDP,53/TCP,9153/TCP        15m
service/traefik-ingress-service   LoadBalancer   10.245.5.249   <REDACTED>   80:30089/TCP,8080:31123/TCP   2m28s

NAME                           DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                 AGE
daemonset.apps/cilium          1         1         1       1            1           <none>                        15m
daemonset.apps/csi-do-node     1         1         1       1            1           <none>                        15m
daemonset.apps/do-node-agent   1         1         1       1            1           beta.kubernetes.io/os=linux   15m
daemonset.apps/kube-proxy      1         1         1       1            1           <none>                        16m

NAME                                         READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/cilium-operator              1/1     1            1           15m
deployment.apps/coredns                      2/2     2            2           15m
deployment.apps/traefik-ingress-controller   1/1     1            1           2m28s

NAME                                                    DESIRED   CURRENT   READY   AGE
replicaset.apps/cilium-operator-57586bb7cb              1         1         1       15m
replicaset.apps/coredns-9d6bf9876                       2         2         2       15m
replicaset.apps/traefik-ingress-controller-668df9b887   1         1         1       2m28s

As seen in the output above, we now have a pod up and running as well as a service of type LoadBalancer with an External-IP. This is great success!

Our cluster is now reachable from the outside via the IP address shown in the External-IP field. To continue with the tutorial, it is mandatory to update the /etc/hosts file with the External-IP and the fictional DNS names.

NOTE! If you see External-IP as <pending>, don’t worry. It sometimes takes a bit longer for DigitalOcean to provision the load balancer that provides the IP address. Be patient!

# Must be root user to modify /etc/hosts
echo "<EXTERNAL-IP> dashboard.k8s.phrenetic.se whoami.k8s.phrenetic.se" >> /etc/hosts

Step 3: Deploy Traefik Dashboard

Traefik comes with an optional dashboard that gives a quick overview of the ingress controller: the resources Traefik handles, along with metrics for routes, back-end services and more. The dashboard updates in real time, so any change to the resources Traefik handles shows up automatically. By default the dashboard is accessible to anyone with the URL, so we will secure it with basic auth.

Create The Authentication Secrets

Step 1. Use the htpasswd tool to create a file containing the MD5-hashed password (the $apr1$ format shown below). You will be prompted to enter the password twice.

# Create file dashboard-auth containing credentials
htpasswd -c dashboard-auth traefik

# File contents
cat dashboard-auth
traefik:$apr1$aDsMSn/C$SIKwE4CPnzVhLoVDNN6Zo1

Step 2. Create a Kubernetes Secret to store the credentials. It must be created in the same namespace as the ingress and the controller, in this case the kube-system namespace.

kubectl create secret generic traefik-dashboard -n kube-system --from-file dashboard-auth

Step 3. Deploy the dashboard service and ingress resources to Kubernetes.

kubectl apply -f https://gist.githubusercontent.com/mekstrem/194995ded6c34bfb068751f28b5bcb93/raw/552b8730b9664526b1bcce24b5118314c11d42d9/traefik-dashboard.yaml

service/traefik-web-ui created
ingress.extensions/traefik-web-ui created

A new service, traefik-web-ui, has been created, which lets us route external traffic to the dashboard with the help of an Ingress resource. As you can see in the Ingress resource, we have added annotations telling Traefik to handle the ingress routing, use basic-auth authentication and read the credentials from the secret traefik-dashboard.

Visit dashboard.k8s.phrenetic.se. If the dashboard has been deployed successfully, you will be greeted by a pop-up window asking for credentials. Enter the credentials created in the previous step and you will have access to the Traefik dashboard.

More information about the dashboard and configuration options can be found here.

Traefik dashboard displaying information about the ingress controller.
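
The basic-auth annotations only cover requests routed through the Ingress, while the service output in Step 2 shows port 8080 published on the load balancer next to port 80. The script below is an added example, not part of the original post, that requests the dashboard without credentials on both paths and reports whether a challenge is issued. It assumes 8080 is Traefik's API/dashboard port (the 1.7 default; the deployment manifest is not shown on this page), and its function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: confirm the Traefik dashboard is never served without credentials.
ADMIN_PORT=8080   # assumption: Traefik 1.7 default API/dashboard port

# Service-side ports from a kubectl PORT(S) value,
# e.g. "80:30089/TCP,8080:31123/TCP" -> "80 8080".
published_ports() {
  echo "$1" | tr ',' '\n' | cut -d: -f1 | cut -d/ -f1 | tr '\n' ' ' | sed 's/ $//'
}

# Succeeds when the admin port is published by the service.
admin_port_published() {
  for p in $(published_ports "$1"); do
    [ "$p" = "$ADMIN_PORT" ] && return 0
  done
  return 1
}

# Verdict for the status code of a request sent WITHOUT credentials.
verdict() {
  case "$1" in
    401)     echo "protected" ;;       # basic-auth challenge issued
    2??|3??) echo "OPEN" ;;            # content or redirect served with no challenge
    000)     echo "unreachable" ;;     # curl could not connect
    *)       echo "check-manually" ;;
  esac
}

# probe <url> <host>: unauthenticated request, prints the verdict.
probe() {
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 -H "Host: $2" "$1")
  echo "$1 -> $(verdict "$code")"
}

# Live run against the tutorial's cluster: script --live <EXTERNAL-IP>
if [ "${1:-}" = "--live" ]; then
  host=dashboard.k8s.phrenetic.se
  ports=$(kubectl get svc traefik-ingress-service -n kube-system \
            -o jsonpath='{.spec.ports[*].port}' | tr ' ' ',')
  probe "http://$2/" "$host"
  if admin_port_published "$ports"; then
    probe "http://$2:$ADMIN_PORT/dashboard/" "$host"
  fi
fi
```

Any verdict other than "protected" or "unreachable" on the direct port means the dashboard can be reached around the Ingress; removing that port from the LoadBalancer service closes the path.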

Step 4: Deploy whoami Web Application

If you have come this far in the tutorial, you are ready to deploy your first web application managed by Traefik (apart from the dashboard).

Let's deploy whoami, a web application made by Containous, with a replica count of five pods!

kubectl apply -f https://gist.githubusercontent.com/mekstrem/7e64247ddfa0f053ca8074f914eb331c/raw/f6ec5218c8299c22cfc17f49290a5e2ead4e7583/whoami-deployment.yaml

deployment.extensions/whoami-deployment created
service/whoami-service created
ingress.extensions/whoami-ingress created

The web application is now accessible at whoami.k8s.phrenetic.se, where you can see various HTTP header information along with the IP address of the pod that actually received the traffic routed by Traefik.

If you now refresh the website you’ll see that the HostName and IP change on each reload of the web application. This is Traefik magic in action, load balancing traffic across the five pods that we defined in the deployment!

With all this said and done, you have now successfully deployed Traefik as an ingress controller in your Kubernetes cluster, with both routing and load balancing of a running web application.

In the upcoming post we are going to take a look at how to create certificates and enable SSL/TLS in Traefik. Stay tuned!