Using Traefik As Your Ingress Controller Combined With MetalLB On Your Bare Metal Kubernetes Cluster – Part 2


This is Part 2 – Using Traefik As Your Ingress Controller Behind MetalLB On Your Bare Metal Kubernetes Cluster.

In Part 1 you can see how to install and configure MetalLB on your Kubernetes cluster. In Part 2, I am going to show you how to install and configure Traefik to work together with MetalLB as your Kubernetes internal / ingress controller.

Installing Traefik with helm

Traefik can also be installed with Helm, similar to the MetalLB installation shown in Part 1.

Before installing with Helm, we need to generate a password hash; this password will be used to log in to the Traefik Web-UI.

To generate the hash (note: SHA1, i.e. -nbs, didn't work for me), run the below (MD5 hash).

htpasswd -nbm admin password1234
admin:$apr1$ZywpxeoS$6U80kYPG116slxBceEsVz0

Next, install Traefik with Helm by running the below.

helm install \
stable/traefik \
--set dashboard.enabled=true,serviceType=LoadBalancer,rbac.enabled=true,dashboard.auth.basic.admin='$apr1$ZywpxeoS$6U80kYPG116slxBceEsVz0',dashboard.domain=traefik.domain.com \
--name=traefik \
--namespace=kube-system --tls

Alternatively, it can be installed with a values.yaml file.

helm install \
--name=traefik \
--namespace kube-system \
--values values.yaml stable/traefik

Next, to be able to access the Traefik dashboard from outside the cluster, change the service type from ClusterIP to LoadBalancer.

kubectl -n kube-system edit service traefik-dashboard

Note: Use the IP address assigned in the EXTERNAL-IP column to access your Traefik dashboard.

Installing Traefik manually

First, let's create the Traefik controller and set it as the ingress controller. Save the below as traefik-ds.yaml.

---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
- kind: ServiceAccount
  name: traefik-ingress-controller
  namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: kube-system
  name: traefik-conf
data:
  traefik.toml: |
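    # traefik.toml
    # Top-level keys must come before the first [table]; otherwise TOML
    # assigns them to the table that precedes them.
    logLevel = "DEBUG"
    defaultEntryPoints = ["http"]

    [traefikLog]
      filePath = "log/traefik.log"
      format   = "json"

    [accessLog]
      filePath = "log/access.log"
      format = "json"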
    
    [entryPoints]
        [entryPoints.http]
        users =  ['admin:$apr1$ZywpxeoS$6U80kYPG116slxBceEsVz0']
        address = ":9090"
    
    [web]
    address = ":8095"
    
    [backends]
      [backends.backend]
         [backends.backend.LoadBalancer]
           method = "wrr"
         [backends.backend.servers.server1]
         url = ":8080"
         weight = 1
    
    [frontends]
      [frontends.frontend1]
      backend = "backend"
        [frontends.frontend1.routes.test_1]
        rule = "Host:dashboard-traefik.domain.com"
---
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
      - name: config
        configMap:
          name: traefik-conf
      # Enable this only if using static wildcard cert
      # stored in a k8s Secret instead of LetsEncrypt
      #- name: ssl
      #  secret:
      #    secretName: traefik-cert
      containers:
      - image: traefik
        name: traefik-ingress-lb
        resources:
          limits:
            cpu: 200m
            memory: 30Mi
          requests:
            cpu: 100m
            memory: 20Mi
        volumeMounts:
        - mountPath: "/config"
          name: "config"
        ports:
        - name: http
          containerPort: 80
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO
        - --web
        - --configfile=/config/traefik.toml
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: web
    - protocol: TCP
      port: 8080
      name: admin
  type: LoadBalancer

Note: The type: LoadBalancer above causes this Service to obtain an EXTERNAL-IP from MetalLB automatically. Both of its ports, web (80) and admin (8080, the Traefik dashboard), become reachable on that address.

Next, apply / install Traefik to your cluster by running the below.

kubectl apply -f traefik-ds.yaml

You should now have a working Traefik configuration.

Traefik, MetalLB in action – Nginx deployment

Now that we have a working MetalLB and Traefik ingress controller, let's create an Nginx micro service with an ingress rule to see all of this in action.

Create the below Nginx deployment.

# cat nginx-deployment.yaml
---
apiVersion: apps/v1beta2
kind: Deployment
metadata:
  name: nginx
  labels:
    app: nginx
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 2
  template:
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: nginx:1
        ports:
        - name: http
          containerPort: 80

---
apiVersion: v1
kind: Service
metadata:
  name: nginx
spec:
  selector:
    app: nginx
  ports:
  - name: http
    port: 80
    protocol: TCP
    targetPort: 80
  type: LoadBalancer

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/rule-type: "PathPrefixStrip"
  name: nginx
spec:
  rules:
  - host: nginx.bnh.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx
          servicePort: 80

Deploy the Nginx deployment to your cluster by running the below.

kubectl apply -f nginx-deployment.yaml

The Nginx deployment above will now have a CLUSTER-IP visible in Traefik, and will also automatically obtain an EXTERNAL-IP from MetalLB.

You can test the configuration by running curl against the external IP from outside the cluster. The requests will automatically be load balanced between your Nginx instances.

Optionally, obtain an external/public IP for the traefik-dashboard by running the below.

First, create the deployment traefik-dashboard.yaml file.

# cat traefik-dashboard.yaml
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
  - name: web
    port: 80
    targetPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-dashboard
  namespace: kube-system
  annotations:
   kubernetes.io/ingress.class: "traefik"
spec:
  rules:
  - host: dashboard-traefik.bnh.com
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: 80

Now, deploy the dashboard ingress rule.

kubectl apply -f traefik-dashboard.yaml

You should now be able to access the Traefik dashboard by an external/public-ip.
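
As an added example (not part of the original article), here is a short Python audit of the objects created above, run against a constructed, trimmed `kubectl get svc,ing -n kube-system -o json` listing. It reports each path by which Traefik's admin port 8080 is reachable; the auth annotation names checked are the Traefik 1.x ones, and integer targetPort values are assumed.

```python
import json

# Constructed sample: trimmed `kubectl get svc,ing -n kube-system -o json`
# output for the Services and Ingress defined on this page.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "Service", "metadata": {"name": "traefik-ingress-service", "namespace": "kube-system"},
  "spec": {"type": "LoadBalancer", "ports": [
    {"name": "web", "port": 80, "targetPort": 80},
    {"name": "admin", "port": 8080, "targetPort": 8080}]}},
 {"kind": "Service", "metadata": {"name": "traefik-web-ui", "namespace": "kube-system"},
  "spec": {"type": "ClusterIP", "ports": [{"name": "web", "port": 80, "targetPort": 8080}]}},
 {"kind": "Ingress", "metadata": {"name": "traefik-dashboard", "namespace": "kube-system",
    "annotations": {"kubernetes.io/ingress.class": "traefik"}},
  "spec": {"rules": [{"host": "dashboard-traefik.bnh.com", "http": {"paths": [
    {"path": "/", "backend": {"serviceName": "traefik-web-ui", "servicePort": 80}}]}}]}}
]}
""")

ADMIN_PORT = 8080  # Traefik API/dashboard container port in the DaemonSet above
AUTH_KEYS = ("traefik.ingress.kubernetes.io/auth-type", "ingress.kubernetes.io/auth-type")

def audit(listing, admin_port=ADMIN_PORT):
    """Return (object, finding) pairs for every way the admin port is exposed."""
    items, findings, target = listing["items"], [], {}
    for o in (i for i in items if i["kind"] == "Service"):
        ns, name = o["metadata"]["namespace"], o["metadata"]["name"]
        for p in o["spec"].get("ports", []):
            tp = p.get("targetPort", p["port"])  # targetPort defaults to port
            target[(ns, name, p["port"])] = tp   # lets Ingress backends resolve
            if o["spec"].get("type") == "LoadBalancer" and tp == admin_port:
                findings.append((f"Service/{name}", f"admin port on LoadBalancer port {p['port']}"))
    for o in (i for i in items if i["kind"] == "Ingress"):
        meta = o["metadata"]
        has_auth = any(k in meta.get("annotations", {}) for k in AUTH_KEYS)
        for rule in o["spec"].get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                b = path["backend"]
                tp = target.get((meta["namespace"], b["serviceName"], b["servicePort"]))
                if tp == admin_port and not has_auth:
                    findings.append((f"Ingress/{meta['name']}", f"{rule.get('host', '*')} reaches admin port without auth annotation"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

On the sample it reports the admin port published by traefik-ingress-service and the traefik-dashboard Ingress, which carries no auth annotation.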

SSL termination / Let's Encrypt

I hope to update below in the next few days on how to configure SSL termination with (or without) Let's Encrypt.

I hope you enjoyed reading How to configure MetalLB And Traefik Load Balancing For Your Bare Metal Kubernetes Cluster, give it a thumbs up by rating the article or by just providing feedback.

Mike Puglisi

Great write up. I'm tasked with setting up a production Kubernetes cluster and will be using your guide for the portion I'm currently stuck on (MetalLB combined with ingress). Two questions: 1) I've been trying to incorporate ingress-nginx with MetalLB. Is there a reason you chose Traefik (which seems less popular)? 2) Is your LetsEncrypt follow up coming soon? We currently have our www sub domain hosted on GoDaddy serving our production site (without SSL). I'm wondering if I can route sub domains (such as stage, dev) to the new on premise cluster and still obtain a wildcard certificate using…

Ludovic

Hi Eli, thanks for your article. Just one thing I noticed: when you use the Traefik ingress resource with MetalLB, you can keep the ClusterIP service type on your app service. The LoadBalancer type is now applied on the Traefik ingress service, which uses your ingress rules to direct traffic to your app.