Using Traefik As Your Ingress Controller Behind MetalLB On Your Bare Metal Kubernetes Cluster – Part 2
This is Part 2 – Using Traefik As Your Ingress Controller Behind MetalLB On Your Bare Metal Kubernetes Cluster. In Part 1 you can see how to install / configure MetalLB on your Kubernetes cluster; in Part 2 I am going to show you how to install and configure Traefik working together with MetalLB as your Kubernetes internal / ingress controller.
Installing Traefik with helm
Traefik can also be installed with Helm, similar to the MetalLB installation shown in Part 1. Before installing with Helm, we need to generate a password hash; this password will be used to log in to the Traefik Web-UI. To generate it, run the below, which produces an MD5 hash (note SHA1 didn't work for me, i.e. -nbs); substitute your own password for password1234. The second line is the command's output:

    htpasswd -nbm admin password1234
    admin:$apr1$ZywpxeoS$6U80kYPG116slxBceEsVz0

Next, we are going to install Traefik with Helm; you do so by running the below.

    helm install \
      stable/traefik \
      --set dashboard.enabled=true,serviceType=LoadBalancer,rbac.enabled=true,dashboard.auth.basic.admin='$apr1$ZywpxeoS$6U80kYPG116slxBceEsVz0',dashboard.domain=traefik.domain.com \
      --name=traefik \
      --namespace=kube-system --tls

Alternatively, it can be installed with a values.yaml file:

    helm install \
      --name=traefik \
      --namespace kube-system \
      --values values.yaml stable/traefik

Next, to be able to access the Traefik dashboard from outside of the cluster, change ClusterIP to LoadBalancer.

    kubectl -n kube-system edit service traefik-dashboard

Note: Use the IP address assigned in the EXTERNAL-IP column to access your Traefik dashboard.
Installing Traefik manually
First, let's create the Traefik controller and set it as the ingress controller:

    ---
    # Read-only access to the objects Traefik watches to build its routes
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: traefik-ingress-controller
    rules:
      - apiGroups:
          - ""
        resources:
          - pods
          - services
          - endpoints
          - secrets
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - extensions
        resources:
          - ingresses
        verbs:
          - get
          - list
          - watch
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: traefik-ingress-controller
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: traefik-ingress-controller
    subjects:
      - kind: ServiceAccount
        name: traefik-ingress-controller
        namespace: kube-system
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: traefik-ingress-controller
      namespace: kube-system
    ---
    apiVersion: v1
    kind: ConfigMap
    metadata:
      namespace: kube-system
      name: traefik-conf
    data:
      traefik.toml: |
        # traefik.toml
        logLevel = "DEBUG"
        # Top-level keys must come before the first [table] in TOML
        defaultEntryPoints = ["http"]
        [traefikLog]
          filePath = "log/traefik.log"
          format = "json"
        [accessLog]
          filePath = "log/access.log"
          format = "json"
        [entryPoints]
          [entryPoints.http]
          users = ['admin:$apr1$ZywpxeoS$6U80kYPG116slxBceEsVz0']
          address = ":9090"
        [web]
        address = ":8095"
        [backends]
          [backends.backend]
            [backends.backend.LoadBalancer]
              method = "wrr"
            [backends.backend.servers.server1]
            url = ":8080"
            weight = 1
        [frontends]
          [frontends.frontend1]
          backend = "backend"
            [frontends.frontend1.routes.test_1]
            rule = "Host:dashboard-traefik.domain.com"
    ---
    kind: DaemonSet
    apiVersion: extensions/v1beta1
    metadata:
      name: traefik-ingress-controller
      namespace: kube-system
      labels:
        k8s-app: traefik-ingress-lb
    spec:
      template:
        metadata:
          labels:
            k8s-app: traefik-ingress-lb
            name: traefik-ingress-lb
        spec:
          serviceAccountName: traefik-ingress-controller
          terminationGracePeriodSeconds: 60
          volumes:
            - name: config
              configMap:
                name: traefik-conf
            # Enable this only if using static wildcard cert
            # stored in a k8s Secret instead of LetsEncrypt
            #- name: ssl
            #  secret:
            #    secretName: traefik-cert
          containers:
            - image: traefik
              name: traefik-ingress-lb
              resources:
                limits:
                  cpu: 200m
                  memory: 30Mi
                requests:
                  cpu: 100m
                  memory: 20Mi
              volumeMounts:
                - mountPath: "/config"
                  name: "config"
              ports:
                - name: http
                  containerPort: 80
                - name: admin
                  containerPort: 8080
              args:
                - --api
                - --kubernetes
                - --logLevel=INFO
                - --web
                - --configfile=/config/traefik.toml
    ---
    # Ports 80 (web) and 8080 (admin) are both published on the MetalLB address
    kind: Service
    apiVersion: v1
    metadata:
      name: traefik-ingress-service
      namespace: kube-system
    spec:
      selector:
        k8s-app: traefik-ingress-lb
      ports:
        - protocol: TCP
          port: 80
          name: web
        - protocol: TCP
          port: 8080
          name: admin
      type: LoadBalancer

Note: The type: LoadBalancer above will cause the Traefik dashboard to automatically obtain an EXTERNAL-IP. Next, apply / install Traefik to your cluster by running the below.

    kubectl apply -f traefik-ds.yaml

You should now have a working Traefik configuration.
Traefik, MetalLB in action – Nginx deployment
Now that we have a working MetalLB and Traefik ingress controller, let's create an Nginx microservice with an ingress, to see all of this in action. Create the below Nginx deployment.

    # cat nginx-deployment.yaml
    ---
    apiVersion: apps/v1beta2
    kind: Deployment
    metadata:
      name: nginx
      labels:
        app: nginx
    spec:
      selector:
        matchLabels:
          app: nginx
      replicas: 2
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
            - name: nginx
              image: nginx:1
              ports:
                - name: http
                  containerPort: 80
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: nginx
    spec:
      selector:
        app: nginx
      ports:
        - name: http
          port: 80
          protocol: TCP
          targetPort: 80
      type: LoadBalancer
    ---
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: traefik
        traefik.ingress.kubernetes.io/rule-type: "PathPrefixStrip"
      name: nginx
    spec:
      rules:
        - host: nginx.bnh.com
          http:
            paths:
              - path: /
                backend:
                  serviceName: nginx
                  servicePort: 80

Deploy the Nginx deployment to your cluster by running the below.

    kubectl apply -f nginx-deployment.yaml

The Nginx deployment above will now have a CLUSTER-IP visible in Traefik, as well as automatically obtain an EXTERNAL-IP from MetalLB. You can test the configuration by running curl against the external IP from outside of the cluster; the requests will automatically be load balanced between your Nginx instances. Optionally, obtain an external/public IP for the traefik-dashboard by running the below. First, create the traefik-dashboard.yaml file.

    # cat traefik-dashboard.yaml
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: traefik-web-ui
      namespace: kube-system
    spec:
      selector:
        k8s-app: traefik-ingress-lb
      ports:
        - name: web
          port: 80
          targetPort: 8080
    ---
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: traefik-dashboard
      namespace: kube-system
      annotations:
        kubernetes.io/ingress.class: "traefik"
    spec:
      rules:
        - host: dashboard-traefik.bnh.com
          http:
            paths:
              - path: /
                backend:
                  serviceName: traefik-web-ui
                  servicePort: 80

Now, deploy the dashboard ingress rule.

    kubectl apply -f traefik-dashboard.yaml

You should now be able to access the Traefik dashboard by an external/public-ip.
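A quick check of what the steps above leave reachable from outside the cluster, as an added example that is not part of the original post: the function filters the table printed by kubectl get svc --all-namespaces for LoadBalancer Services that have been assigned an address, and flags any that publish Traefik's admin port 8080. The function name and the sample table (with documentation-range addresses) are constructed for illustration.

```shell
#!/bin/sh
# Added example: list Services that MetalLB has exposed outside the cluster.
# Input is the table printed by `kubectl get svc --all-namespaces`.

# Traefik API/dashboard port used by the DaemonSet and Service in this article.
ADMIN_PORT=8080

# exposed_services is a hypothetical helper name, not part of kubectl.
exposed_services() {
  # Columns: NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
  awk -v admin="$ADMIN_PORT" '
    NR == 1 { next }                               # skip the header row
    $3 != "LoadBalancer" { next }                  # ClusterIP stays internal
    $5 == "<pending>" || $5 == "<none>" { next }   # no address assigned yet
    {
      note = "exposed"
      n = split($6, ports, ",")
      for (i = 1; i <= n; i++) {
        split(ports[i], p, "[:/]")                 # 8080:31001/TCP -> 8080
        if (p[1] == admin) note = "exposed-admin-port"
      }
      printf "%s/%s %s %s\n", $1, $2, $5, note
    }'
}

# Constructed sample output matching the Services created in this article.
SAMPLE='NAMESPACE     NAME                      TYPE           CLUSTER-IP    EXTERNAL-IP   PORT(S)                       AGE
default       kubernetes                ClusterIP      10.96.0.1     <none>        443/TCP                       9d
default       nginx                     LoadBalancer   10.98.11.20   192.0.2.11    80:30080/TCP                  1h
kube-system   traefik-ingress-service   LoadBalancer   10.99.40.7    192.0.2.10    80:31000/TCP,8080:31001/TCP   2h
kube-system   traefik-web-ui            ClusterIP      10.97.3.14    <none>        80/TCP                        1h'

# On a live cluster: kubectl get svc --all-namespaces | exposed_services
printf '%s\n' "$SAMPLE" | exposed_services
```

Any Service reported as exposed-admin-port is serving the Traefik dashboard/API directly on a MetalLB address, so confirm that it prompts for the basic-auth credentials before relying on it.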
SSL termination / Let's Encrypt
I hope to update below in the next few days on how to configure SSL termination with (or without) Let's Encrypt. I hope you enjoyed reading How to configure MetalLB And Traefik Load Balancing For Your Bare Metal Kubernetes Cluster; give it a thumbs up by rating the article or by just providing feedback.
Great write up. I'm tasked with setting up a production Kubernetes cluster and will be using your guide for the portion I'm currently stuck on (MetalLB combined with ingress). Two questions: 1) I've been trying to incorporate ingress-nginx with MetalLB. Is there a reason you chose Traefik (which seems less popular)? 2) Is your LetsEncrypt follow up coming soon? We currently have our www sub domain hosted on GoDaddy serving our production site (without SSL). I'm wondering if I can route sub domains (such as stage, dev) to the new on premise cluster and still obtain a wildcard certificate using…
Hi and welcome to my blog. Sorry for the delayed response. I am really swamped with work and didn't have an extra minute to reply. 1) You are correct, Nginx is very popular and will indeed work. However, I have selected Traefik due to my use case and some of its unique features. The Traefik environment I am/was working with has many microservices, and many more being added all the time. With Traefik in place (with the proper rules) no restarts are required, it all gets discovered dynamically, vs. Nginx, where a restart will be required. Granted, Nginx is/was known…
Hi Eli, thanks for your article. Just one thing I noticed: when you use the Traefik ingress resource with MetalLB, you can keep the ClusterIP service type on your app service. The LoadBalancer type is now applied on the Traefik ingress service, which uses your ingress rules to direct traffic to your app.
Hi and welcome to my blog,
Great advice, I will definitely try this once I get back to the office, and update accordingly.
Eli