From 0 to Kubernetes – Step 3, deploying Traefik

The next step here is to deploy Traefik.

Traefik is an HTTP(S) and TCP/UDP load balancer that basically does the same kind of job as the router in OpenShift: it accepts HTTP and HTTPS connections, as well as generic TCP and UDP traffic, and routes them to the right pods according to rules.

As an example, you could deploy two separate web servers in K3s. They would run in different pods on the same worker node, and Traefik would look at the SNI information in the HTTP request and redirect the request to the proper container.

If your K3s “cluster” is accessible from the outside (i.e. the internet), you can just follow the instructions in this article here. That will set you up with Traefik on your K3s, and for HTTPS it would automatically create Let’s Encrypt certificates.

If your K3s is not reachable from the outside, you need to have your own way of doing certificates – hence that post about prerequisites.

Before I go into detail, here’s the long-awaited explanation as to why we actually disabled Traefik during K3s installation: simply said, the Traefik version that gets deployed with K3s is not the most recent release… and we want that part of your setup to be up to date, after all, so let’s do it manually.

What you have to have ready at this point is all the stuff from the prerequisites post.

But first let’s deploy the Custom Resources according to that article I mentioned earlier.

kubectl apply -f https://gist.githubusercontent.com/lfache/32dedac4afcbe0b51a18b2279966157c/raw/a49d1a5c03270c6a2c1bf3db48a5e8273444209f/CustomResourceDefinition.yaml

Next, we need to create a secret in K3s where we store the custom SSL certificate we created at the beginning (Step 1).

kubectl create secret tls appsrv --cert=/path/to/certificate/file --key=/path/to/key/file

The next step is to deploy Traefik:

kubectl apply -f /path/to/your/deployment/file.yaml

I’ve used the one here, which will set up Traefik with enforced HTTPS via 301 redirects for all HTTP hosts – so we definitely want that certificate we created to be the default for all HTTPS routes.

To get it to that point, all we need is a TLS store that is named “default” and points at the secret we created two steps ago.

Here is my YAML file for it, so a simple

kubectl apply -f https://gist.githubusercontent.com/lemmy04/5763033eff2b2fde8f3032bf17dc0453/raw/dfac7965d22a41fe3415084f838f557684cf0d9c/tlsstore.yaml

will do the trick nicely.

Finally, we need to test it, so let’s look at the Traefik dashboard first, which should be at http://appsrv.my.lan:8080 and look like this:

For a full test we need to actually deploy something – so here is a small deployment for the webserver that is also used in the original article on Traefik. Of course you will have to change the rule in line 48 to match your own network – simply use any random hostname that gets handled by *.apps.yourdomain in your nameserver, see Step 1.

The one interesting bit is the part at the end, where it says “tls: {}”, which basically tells Traefik to use the default certificate for this route.
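
As an added illustration (not the YAML from the gists linked in this post), this is roughly what the “default” TLS store and a route with “tls: {}” look like together. The API group, namespace, entry point name, route name and Service name/port are assumptions and are marked as such in the comments; the secret name and hostname are the ones used in this post.

```yaml
# Added example: values marked "assumed" are not from the original post.
# API group used by the Traefik 2.x CRDs (assumed; Traefik 3 uses traefik.io/v1alpha1).
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default          # Traefik only uses the TLS store named "default"
  namespace: default     # assumed: must be the namespace that holds the secret
spec:
  defaultCertificate:
    secretName: appsrv   # the secret created with "kubectl create secret tls appsrv"
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-tls       # assumed name
  namespace: default     # assumed namespace
spec:
  entryPoints:
    - websecure          # assumed name of the HTTPS entry point in the deployment file
  routes:
    - match: Host(`whoami.apps.my.lan`)
      kind: Rule
      services:
        - name: whoami-app   # assumed Service name
          port: 80           # assumed Service port
  tls: {}                # no secretName here: serve the default certificate from the TLS store
```

If a route sets tls.secretName instead of the empty “tls: {}”, that route serves its own certificate and the default from the TLS store is not used for it.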

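Once everything is deployed you should be able to access http://whoami.apps.my.lan/ and get redirected to https://whoami.apps.my.lan/. The curl call below uses -k, which makes curl skip certificate verification, so it confirms the routing but not that the client trusts the certificate. You should get some output similar to this: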

mathias@appsrv:~$ curl -k https://whoami.apps.my.lan
Hostname: whoami-app-7564dd9695-j48zn
IP: 127.0.0.1
IP: ::1
IP: 10.42.0.166
IP: fe80::5020:59ff:feda:a0de
RemoteAddr: 10.42.0.172:48084
GET / HTTP/1.1
Host: whoami.apps.my.lan
User-Agent: curl/7.64.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 10.42.0.1
X-Forwarded-Host: whoami.apps.my.lan
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik-6dd5886ddf-hh9zh
X-Real-Ip: 10.42.0.1

Continued here.
