Installing Traefik Ingress Controller

You can configure k0s with the Traefik ingress controller, a MetalLB service load balancer, and deploy the Traefik Dashboard using a service sample. To do this you leverage Helm’s extensible bootstrapping functionality to add the correct extensions to the k0s.yaml file during cluster configuration.

1. Configure k0s.yaml

Configure k0s to install Traefik and MetalLB during cluster bootstrapping by adding their Helm charts as extensions in the k0s configuration file (k0s.yaml).

Note:

A good practice is to have a small range of IP addresses that are addressable on your network, preferably outside the assignment pool your DHCP server allocates (though any valid IP range should work locally on your machine). Providing an addressable range allows you to access your load balancer and Ingress services from anywhere on your local network.

  extensions:
    helm:
      repositories:
      - name: traefik
        url: https://traefik.github.io/charts
      - name: bitnami
        url: https://charts.bitnami.com/bitnami
      charts:
      - name: traefik
        chartname: traefik/traefik
        version: "20.5.3"
        namespace: default
      - name: metallb
        chartname: bitnami/metallb
        version: "2.5.4"
        namespace: default
        values: |2
          configInline:
            address-pools:
            - name: generic-cluster-pool
              protocol: layer2
              addresses:
              - 192.168.0.5-192.168.0.10

2. Retrieve the Load Balancer IP

After you start your cluster, run kubectl get all to confirm the deployment of Traefik and MetalLB. The command should return a response with the metallb and traefik resources, along with a service load balancer that has an assigned EXTERNAL-IP.

  kubectl get all

Output:

  NAME                                                 READY   STATUS    RESTARTS   AGE
  pod/metallb-1607085578-controller-864c9757f6-bpx6r   1/1     Running   0          81s
  pod/metallb-1607085578-speaker-245c2                 1/1     Running   0          60s
  pod/traefik-1607085579-77bbc57699-b2f2t              1/1     Running   0          81s

  NAME                         TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
  service/kubernetes           ClusterIP      10.96.0.1        <none>        443/TCP                      96s
  service/traefik-1607085579   LoadBalancer   10.105.119.102   192.168.0.5   80:32153/TCP,443:30791/TCP   84s

  NAME                                        DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR            AGE
  daemonset.apps/metallb-1607085578-speaker   1         1         1       1            1           kubernetes.io/os=linux   87s

  NAME                                            READY   UP-TO-DATE   AVAILABLE   AGE
  deployment.apps/metallb-1607085578-controller   1/1     1            1           87s
  deployment.apps/traefik-1607085579              1/1     1            1           84s

  NAME                                                       DESIRED   CURRENT   READY   AGE
  replicaset.apps/metallb-1607085578-controller-864c9757f6   1         1         1       81s
  replicaset.apps/traefik-1607085579-77bbc57699              1         1         1       81s

Take note of the EXTERNAL-IP given to the service/traefik-n load balancer. In this example, 192.168.0.5 has been assigned and can be used to access services via the Ingress proxy:

  NAME                         TYPE           CLUSTER-IP       EXTERNAL-IP   PORT(S)                      AGE
  service/traefik-1607085579   LoadBalancer   10.105.119.102   192.168.0.5   80:32153/TCP,443:30791/TCP   84s

Receiving a 404 response here is normal, as you’ve not configured any Ingress resources to respond yet:

  curl http://192.168.0.5

  404 page not found

3. Deploy and access the Traefik Dashboard

With an available and addressable load balancer present on your cluster, now you can quickly deploy the Traefik dashboard and access it from anywhere on your LAN (assuming that MetalLB is configured with an addressable range).

  1. Create the Traefik Dashboard IngressRoute in a YAML file:

    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: dashboard
    spec:
      entryPoints:
        - web
      routes:
        - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
          kind: Rule
          services:
            - name: api@internal
              kind: TraefikService

  2. Deploy the resource:

    kubectl apply -f traefik-dashboard.yaml

    Output:

    ingressroute.traefik.containo.us/dashboard created

    At this point you should be able to access the dashboard using the EXTERNAL-IP that you noted above by visiting http://192.168.0.5/dashboard/ in your browser:

    [Image: Traefik Dashboard]

  3. Create a simple whoami Deployment, Service, and Ingress manifest:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: whoami-deployment
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: whoami
      template:
        metadata:
          labels:
            app: whoami
        spec:
          containers:
          - name: whoami-container
            image: containous/whoami
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: whoami-service
    spec:
      ports:
      - name: http
        targetPort: 80
        port: 80
      selector:
        app: whoami
    ---
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: whoami-ingress
    spec:
      rules:
      - http:
          paths:
          - path: /whoami
            pathType: Exact
            backend:
              service:
                name: whoami-service
                port:
                  number: 80

  4. Apply the manifests:

    kubectl apply -f whoami.yaml

    Output:

    deployment.apps/whoami-deployment created
    service/whoami-service created
    ingress.networking.k8s.io/whoami-ingress created

  5. Test the ingress and service:

    curl http://192.168.0.5/whoami

    Output:

    Hostname: whoami-deployment-85bfbd48f-7l77c
    IP: 127.0.0.1
    IP: ::1
    IP: 10.244.214.198
    IP: fe80::b049:f8ff:fe77:3e64
    RemoteAddr: 10.244.214.196:34858
    GET /whoami HTTP/1.1
    Host: 192.168.0.5
    User-Agent: curl/7.68.0
    Accept: */*
    Accept-Encoding: gzip
    X-Forwarded-For: 192.168.0.82
    X-Forwarded-Host: 192.168.0.5
    X-Forwarded-Port: 80
    X-Forwarded-Proto: http
    X-Forwarded-Server: traefik-1607085579-77bbc57699-b2f2t
    X-Real-Ip: 192.168.0.82
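
The dashboard IngressRoute from step 1 publishes api@internal on the plain-HTTP web entry point with no authentication, so any host that can reach the load balancer IP can read the router and service configuration. The manifest below is an added example, not part of the k0s documentation, that replaces that route with one served over the websecure entry point behind basic authentication and a source-range filter. It assumes the chart's default websecure entry point (port 443 in the service output above), a LAN subnet of 192.168.0.0/24, and the hypothetical names dashboard-users, dashboard-auth and dashboard-lan.

```yaml
# Added example; resource names are hypothetical.
#
# Create the credential Secret first (htpasswd format, bcrypt), for example:
#   htpasswd -nB admin > users.htpasswd
#   kubectl create secret generic dashboard-users --from-file=users=users.htpasswd
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-auth
spec:
  basicAuth:
    secret: dashboard-users   # htpasswd lines stored under the key "users"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dashboard-lan
spec:
  ipWhiteList:
    sourceRange:
      - 192.168.0.0/24        # assumed LAN subnet; requires the client IP to
                              # reach Traefik unchanged, as in the whoami output
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard             # same name as step 1, so applying it replaces that route
spec:
  entryPoints:
    - websecure               # HTTPS, so the basic-auth header is not sent in clear text
  routes:
    - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
      kind: Rule
      middlewares:
        - name: dashboard-lan     # evaluated first: reject sources outside the LAN
        - name: dashboard-auth    # then require credentials
      services:
        - name: api@internal
          kind: TraefikService
  tls: {}                     # Traefik's default certificate (self-signed unless replaced)
```

Once applied, a request to https://192.168.0.5/dashboard/ without credentials should be answered with 401 rather than the dashboard, and http://192.168.0.5/dashboard/ should return 404 again.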

Further details

With the Traefik Ingress Controller it is possible to use third-party tools, such as ngrok, to go further and expose your load balancer to the world. In doing this you enable dynamic certificate provisioning through Let’s Encrypt, using either cert-manager or Traefik’s own built-in ACME provider.