- A Kubernetes cluster up and running on DigitalOcean.
- Knowledge about deployments, services, ingresses, secrets and RBAC.
This tutorial uses DigitalOcean Kubernetes; however, it can be applied in a similar way in Minikube. One compute node will be sufficient.
You can create a cluster by signing up here, which gives you $50 in free credits for the first 30 days of usage.
In this tutorial we will use two fictional DNS entries to reach two different services through Traefik ingress by editing
- whoami.k8s.phrenetic.se – Main web application
- dashboard.k8s.phrenetic.se – Traefik dashboard
First we need to grant permissions to the ServiceAccount that Traefik uses in the cluster.
kubectl apply -f https://gist.github.com/mekstrem/321093fdbc51c042c2e3da1610d48f33/raw/04cfdab09b395f049189f95995b71c8726d0ef51/traefik-rbac.yaml
clusterrole.rbac.authorization.k8s.io/traefik-ingress-controller created
clusterrolebinding.rbac.authorization.k8s.io/traefik-ingress-controller created
Now that the required RBAC resources have been deployed in the cluster to grant the Traefik ingress controller the permissions it needs, it is time to deploy Traefik itself!
kubectl apply -f https://gist.githubusercontent.com/mekstrem/6b6f134a26eabbfe0c0e26d39dd38803/raw/0ab89301dc26a30f0792815ec2f922475e8b7513/traefik-deployment.yaml
serviceaccount/traefik-ingress-controller created
deployment.extensions/traefik-ingress-controller created
service/traefik-ingress-service created
Verify that everything looks good. You should now see output similar to that below, with Traefik up and running.
kubectl get all -n kube-system
NAME                                              READY   STATUS    RESTARTS   AGE
pod/cilium-operator-57586bb7cb-46z4g              1/1     Running   0          15m
pod/cilium-vbg95                                  1/1     Running   0          14m
pod/coredns-9d6bf9876-jg27n                       1/1     Running   0          15m
pod/coredns-9d6bf9876-v578q                       1/1     Running   0          15m
pod/csi-do-node-7kqqs                             2/2     Running   0          14m
pod/do-node-agent-g6x99                           1/1     Running   0          14m
pod/kube-proxy-7lskf                              1/1     Running   0          14m
pod/traefik-ingress-controller-668df9b887-pr9w5   1/1     Running   0          2m28s

NAME                              TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                       AGE
service/kube-dns                  ClusterIP      10.245.0.10    <none>        53/UDP,53/TCP,9153/TCP        15m
service/traefik-ingress-service   LoadBalancer   10.245.5.249   <REDACTED>    80:30089/TCP,8080:31123/TCP   2m28s

NAME                           DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR                 AGE
daemonset.apps/cilium          1         1         1       1            1           <none>                        15m
daemonset.apps/csi-do-node     1         1         1       1            1           <none>                        15m
daemonset.apps/do-node-agent   1         1         1       1            1           beta.kubernetes.io/os=linux   15m
daemonset.apps/kube-proxy      1         1         1       1            1           <none>                        16m

NAME                                         READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/cilium-operator              1/1     1            1           15m
deployment.apps/coredns                      2/2     2            2           15m
deployment.apps/traefik-ingress-controller   1/1     1            1           2m28s

NAME                                                    DESIRED   CURRENT   READY   AGE
replicaset.apps/cilium-operator-57586bb7cb              1         1         1       15m
replicaset.apps/coredns-9d6bf9876                       2         2         2       15m
replicaset.apps/traefik-ingress-controller-668df9b887   1         1         1       2m28s
As seen in the output above, we now have a pod up and running as well as a service of type LoadBalancer with an External-IP. This is a great success!
Our cluster is now reachable from the outside via the IP address shown in the External-IP field. To continue with the tutorial, it is mandatory to update the /etc/hosts file with the External-IP and the fictional DNS names.
NOTE! If you see External-IP as <pending>, don't worry. It sometimes takes a bit longer for DigitalOcean to provision the load balancer that provides the IP address. Be patient!
# Must be root user to modify /etc/hosts
echo "<EXTERNAL-IP> dashboard.k8s.phrenetic.se whoami.k8s.phrenetic.se" >> /etc/hosts
Traefik comes with an optional dashboard that gives an at-a-glance view of the ingress controller: which resources Traefik handles, along with metrics showing routes, back-end services and more. The dashboard is updated in real time, so any change made to the resources that Traefik handles shows up on it automatically. By default this dashboard is accessible to anyone with the URL, so to secure it we will add authentication in the form of basic auth.
Create The Authentication Secrets
Step 1. Use the htpasswd tool to create a file containing the MD5-hashed password. You will be prompted to enter a password twice.
# Create file dashboard-auth containing credentials
htpasswd -c dashboard-auth traefik
# File contents
cat dashboard-auth
traefik:$apr1$aDsMSn/C$SIKwE4CPnzVhLoVDNN6Zo1
Step 2. Create a Kubernetes Secret to store the credentials. It must be created in the same namespace as the ingress and controller. In this case the
kubectl create secret generic traefik-dashboard -n kube-system --from-file dashboard-auth
Step 3. Deploy the dashboard service and ingress resources to Kubernetes.
kubectl apply -f https://gist.githubusercontent.com/mekstrem/194995ded6c34bfb068751f28b5bcb93/raw/552b8730b9664526b1bcce24b5118314c11d42d9/traefik-dashboard.yaml
service/traefik-web-ui created
ingress.extensions/traefik-web-ui created
A new service, traefik-web-ui, has been created, allowing us to route external traffic to the dashboard with the help of an Ingress resource. As you can see in the ingress resource, we have added annotations telling Traefik to handle the ingress routing, use basic-auth authentication and grab the credentials from the secret
dashboard.k8s.phrenetic.se and if the dashboard has been successfully deployed you will be greeted by a pop-up window asking for credentials. Enter the credentials created in the previous step and you will now have access to the Traefik dashboard.
More information about the dashboard and configuration options can be found here.
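To confirm that the basic auth set up above is actually enforced, the following check is an added example and not part of the original tutorial. It assumes that port 8080, which the LoadBalancer service publishes in the output shown earlier, is Traefik's own dashboard/API port (the deployment manifest is not shown on this page); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: check that the dashboard login is really enforced.
# Function names are hypothetical; nothing here comes from the gists.

# Classify the hash scheme of one htpasswd line ("user:hash").
htpasswd_scheme() {
    hash=${1#*:}
    case "$hash" in
        '$2y$'*|'$2a$'*|'$2b$'*) echo bcrypt ;;
        '$apr1$'*)               echo apr1-md5 ;;
        '{SHA}'*)                echo sha1-unsalted ;;
        *)                       echo unknown ;;
    esac
}

# Interpret the HTTP status of a request sent WITHOUT credentials.
unauth_verdict() {
    case "$1" in
        401)     echo protected ;;       # server demanded credentials
        000)     echo unreachable ;;     # curl could not connect
        2??|3??) echo EXPOSED ;;         # answered with no login challenge
        *)       echo check-manually ;;
    esac
}

# Send one unauthenticated request and print the verdict for that URL.
probe() {
    code=$(curl -s -o /dev/null -m 5 -w '%{http_code}' "$1") || code=000
    echo "$1 -> $(unauth_verdict "$code")"
}

# Usage: sh check-dashboard.sh --probe <EXTERNAL-IP>
if [ "${1:-}" = "--probe" ] && [ -n "${2:-}" ]; then
    # Ingress route on port 80, covered by the basic-auth annotations.
    probe "http://dashboard.k8s.phrenetic.se/"
    # Assumption: 8080 on the LoadBalancer is Traefik's dashboard/API port.
    probe "http://$2:8080/dashboard/"
    # Hash scheme stored in the credentials file from Step 1.
    if [ -f dashboard-auth ]; then
        while IFS= read -r line; do
            echo "${line%%:*}: $(htpasswd_scheme "$line")"
        done < dashboard-auth
    fi
fi
```

A verdict of EXPOSED on the second URL means the dashboard can be reached around the ingress, so the basic-auth annotations alone do not protect it. If the file reports apr1-md5, htpasswd -B writes a bcrypt hash instead, which Traefik's basic auth also accepts.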
Deploy whoami Web Application
If you have come this far in this tutorial then you are ready to deploy your first web application managed by Traefik (except the dashboard).
Let's get on with deploying the web application whoami, made by Containous, with a replica count of five pods!
kubectl apply -f https://gist.githubusercontent.com/mekstrem/7e64247ddfa0f053ca8074f914eb331c/raw/f6ec5218c8299c22cfc17f49290a5e2ead4e7583/whoami-deployment.yaml
deployment.extensions/whoami-deployment created
service/whoami-service created
ingress.extensions/whoami-ingress created
The web application is now accessible at whoami.k8s.phrenetic.se, and you can see various HTTP header information along with the IP address of the pod that actually received the traffic routed by Traefik.
If you now refresh the website you'll see that the IP changes on each reload of the web application. This is Traefik magic in action, load balancing traffic across the five pods that we defined in the deployment!
With all this said and done, you have now successfully deployed Traefik as an ingress controller in your Kubernetes cluster, with both routing and load balancing of a running web application.
In the upcoming post we are going to take a look at how to create certificates and enable SSL/TLS in Traefik. Stay tuned!