For new (sub)domains that need Let's Encrypt authentication, the default Traefik certificate is used until Traefik is restarted and Let's Encrypt can reach your nodes over the Internet. For local testing, the default Traefik certificate is therefore quite useful.
References:
- Scripts and setup files are copied from
  - https://traefik.io/resources/workshop-advanced-load-balancing-with-traefik-2-5-access/
  - https://www.youtube.com/watch?v=eUlAS-FdELg
  - https://github.com/jakubhajek/traefik-workshop-2
Prepare Traefik Repository
Setup Environment Variables
```
# echo "export KUBERNETES_MASTER=$( grep server: /etc/rancher/k3s/k3s.yaml | cut -c13-)" >> ~/.bashrc
# echo "export KUBECONFIG=/etc/rancher/k3s/k3s.yaml" >> ~/.bashrc
# . ~/.bashrc
```
Prepare Helm repository
```
# helm repo add traefik https://helm.traefik.io/traefik
"traefik" already exists with the same configuration, skipping
# helm repo update
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "traefik" chart repository
Update Complete. ⎈Happy Helming!⎈
# helm repo list
NAME     URL
traefik  https://helm.traefik.io/traefik
```
Uninstall Old Traefik Version
- Note: Newer Kubernetes versions have Traefik 2.4 already installed
- We want to install Traefik 2.5, so the older Traefik version needs to be uninstalled first
```
# helm uninstall traefik-crd -n kube-system
# helm uninstall traefik -n kube-system
```
Download Setup files
```
# git clone https://github.com/hhutzler/kubernetes-setup
Cloning into 'kubernetes-setup'...
remote: Enumerating objects: 12, done.
remote: Counting objects: 100% (12/12), done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 12 (delta 1), reused 9 (delta 1), pack-reused 0
Unpacking objects: 100% (12/12), 2.15 KiB | 137.00 KiB/s, done.
# tree .
.
├── 00-namespace.yaml
├── 01-deployment.yaml
├── 03-ingressroute.yaml
└── traefik-values
    ├── values.yaml
    └── values.yaml-Orig
```
Install and Validate Traefik
```
# helm upgrade --install traefik -f traefik-values/values.yaml traefik/traefik -n traefik
Release "traefik" does not exist. Installing it now.
NAME: traefik
LAST DEPLOYED: Mon Nov 22 18:45:37 2021
NAMESPACE: traefik
STATUS: deployed
REVISION: 1
TEST SUITE: None
# kubectl get all -n traefik
NAME                          READY   STATUS    RESTARTS   AGE
pod/svclb-traefik-ks5t5       2/2     Running   0          16m
pod/traefik-dc584d7fc-r7ss4   1/1     Running   0          16m

NAME              TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                      AGE
service/traefik   LoadBalancer   10.43.144.34   10.0.2.15     80:31396/TCP,443:31627/TCP   16m

NAME                           DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
daemonset.apps/svclb-traefik   1         1         1       1            1           <none>          16m

NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/traefik   1/1     1            1           16m

NAME                                DESIRED   CURRENT   READY   AGE
replicaset.apps/traefik-dc584d7fc   1         1         1       16m
```
Deploy and Test https Services
Prepare /etc/hosts
```
# grep myloc /etc/hosts
127.0.1.1 v1.mylocalhost.com
127.0.1.1 v2.mylocalhost.com
```
Create Application Namespace
```
# k3s kubectl apply -f 00-namespace.yaml
namespace/app created
```
Deploy Services and Pods
```
# kubectl apply -f 01-deployment.yaml
deployment.apps/whoamiv1 created
deployment.apps/whoamiv2 created
service/whoamiv1 created
service/whoamiv2 created
```
Create Ingress Routes
```
# k3s kubectl apply -f 03-ingressroute.yaml
ingressroute.traefik.containo.us/whoamiv1 created
ingressroute.traefik.containo.us/whoamiv2 created
```
Validate HTTPS Access with curl
```
# curl -v --insecure https://v1.mylocalhost.com/
*   Trying 127.0.1.1:443...
* TCP_NODELAY set
* Connected to v1.mylocalhost.com (127.0.1.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=TRAEFIK DEFAULT CERT
*  start date: Nov 28 16:43:27 2021 GMT
*  expire date: Nov 28 16:43:27 2022 GMT
*  issuer: CN=TRAEFIK DEFAULT CERT
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x560c244c1e10)
> GET / HTTP/2
> Host: v1.mylocalhost.com
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
< content-type: text/plain; charset=utf-8
< date: Sun, 28 Nov 2021 16:43:36 GMT
< content-length: 411
<
 _____    ___     ___
|  ___|  / _ \   / _ \
| |_    | | | | | | | |
|  _|   | |_| | | |_| |
|_|      \___/   \___/

GET / HTTP/1.1
Host: v1.mylocalhost.com
User-Agent: curl/7.68.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 10.42.0.27
X-Forwarded-Host: v1.mylocalhost.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik-dc584d7fc-c2lgk
X-Real-Ip: 10.42.0.27

* Connection #0 to host v1.mylocalhost.com left intact

# curl -v --insecure https://v2.mylocalhost.com/
....
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 200
< content-type: text/plain; charset=utf-8
< date: Sun, 28 Nov 2021 16:44:05 GMT
< content-length: 421
<
 ____       _      ____
| __ )     / \    |  _ \
|  _ \    / _ \   | |_) |
| |_) |  / ___ \  |  _ <
|____/  /_/   \_\ |_| \_\

GET / HTTP/1.1
Host: v2.mylocalhost.com
User-Agent: curl/7.68.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 10.42.0.27
X-Forwarded-Host: v2.mylocalhost.com
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: traefik-dc584d7fc-c2lgk
X-Real-Ip: 10.42.0.27

* Connection #0 to host v2.mylocalhost.com left intact
```
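Because `--insecure` makes curl accept any certificate, the curl run above succeeds whether Traefik serves its fallback certificate or an issued one. The following added example (not part of the original post) classifies the certificate from `curl -v` output. The function names are hypothetical, the first sample is taken from the output above, and the second sample with its issuer name is constructed.

```shell
#!/bin/sh
# classify_cert: read `curl -v` output on stdin and report which kind of
# certificate the server presented.
classify_cert() {
    awk '
        /^\* +subject:/ { s = $0; sub(/^\* +subject: */, "", s); sub(/[ \t\r]+$/, "", s); subject = s }
        /^\* +issuer:/  { s = $0; sub(/^\* +issuer: */, "", s);  sub(/[ \t\r]+$/, "", s); issuer = s }
        END {
            if (subject == "") print "no-certificate-seen"
            else if (subject == "CN=TRAEFIK DEFAULT CERT" && issuer == subject) print "traefik-default"
            else if (subject == issuer) print "self-signed"
            else print "ca-issued"
        }'
}

# assert_ca_issued: exit status 0 only when the certificate on stdin was
# issued by a CA, i.e. Traefik is no longer serving its fallback certificate.
assert_ca_issued() {
    [ "$(classify_cert)" = "ca-issued" ]
}

# check_host: run the same curl call as above against a host and classify it.
check_host() {
    curl -sv --insecure -o /dev/null "https://$1/" 2>&1 | classify_cert
}

# Sample 1: certificate lines copied from the curl output on this page.
SAMPLE_DEFAULT='* Server certificate:
*  subject: CN=TRAEFIK DEFAULT CERT
*  start date: Nov 28 16:43:27 2021 GMT
*  expire date: Nov 28 16:43:27 2022 GMT
*  issuer: CN=TRAEFIK DEFAULT CERT'

# Sample 2: constructed for this example; the issuer name is a placeholder.
SAMPLE_ISSUED='* Server certificate:
*  subject: CN=v1.mylocalhost.com
*  issuer: CN=Example Issuing CA'

printf '%s\n' "$SAMPLE_DEFAULT" | classify_cert
printf '%s\n' "$SAMPLE_ISSUED" | classify_cert
```

A `ca-issued` result only says the certificate is not self-signed; dropping `--insecure` from the curl call is what verifies the chain against the local trust store.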
Validate
Validate Setup Details
Locate Traefik Pod
```
# kubectl get all -n traefik
NAME                          READY   STATUS    RESTARTS   AGE
pod/svclb-traefik-nc7gl       2/2     Running   2          8h
pod/traefik-dc584d7fc-c2lgk   1/1     Running   1          8h
...
# kubectl describe pod/traefik-dc584d7fc-c2lgk -n traefik
Name:         traefik-dc584d7fc-c2lgk
Namespace:    traefik
Priority:     0
Node:         helmut-virtualbox/10.0.2.15
Start Time:   Sun, 28 Nov 2021 11:34:02 +0100
Labels:       app.kubernetes.io/instance=traefik
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=traefik
              helm.sh/chart=traefik-10.6.2
              pod-template-hash=dc584d7fc
...
Controlled By:  ReplicaSet/traefik-dc584d7fc
Containers:
  traefik:
    Container ID:  containerd://910adea2a3f2558751bb7ed224f75d1301060c4876f6d838800612a8fbd0b439
    Image:         traefik:2.5.3
    Image ID:      docker.io/library/traefik@sha256:f40028d9771cb29a35392b4cbdd655625596a319b915061e306c503059d0b6f4
    Ports:         9100/TCP, 9000/TCP, 8000/TCP, 8443/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP, 0/TCP
    Args:
      --global.checknewversion
      --global.sendanonymoususage
      --entryPoints.metrics.address=:9100/tcp
      --entryPoints.traefik.address=:9000/tcp
      --entryPoints.web.address=:8000/tcp
      --entryPoints.websecure.address=:8443/tcp
      --api.dashboard=true
      --ping=true
      --metrics.prometheus=true
      --metrics.prometheus.entrypoint=metrics
      --providers.kubernetescrd
      --providers.kubernetescrd.allowCrossNamespace=true
      --providers.kubernetesingress
      --accesslog=true
      --accesslog.fields.defaultmode=keep
      --accesslog.fields.headers.defaultmode=drop
      --certificatesresolvers.le-staging.acme.tlschallenge=true
      --certificatesresolvers.le-staging.acme.email=Helmut.Hutzler@gmail.com
      --certificatesresolvers.le-staging.acme.storage=/data/acme.json
      --certificatesresolvers.le-staging.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      --certificatesresolvers.le.acme.tlschallenge=true
      --certificatesresolvers.le.acme.email=Helmut.Hutzler@gmail.com
      --certificatesresolvers.le.acme.storage=/data/acme.json
      ..
```
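Several of the Args listed above are worth a deliberate decision before the same values file is reused outside a test VM. The following added example (not from the original post or the Traefik project) reads Traefik flags on stdin and prints one finding per flag of interest. The function name, severity labels and messages are assumptions of this example, and the sample is a subset of the Args shown above.

```shell
#!/bin/sh
# audit_traefik_args: read Traefik static-configuration flags on stdin
# (separated by spaces or newlines) and print "LEVEL flag: reason" lines.
# Bare boolean flags count as enabled; matching is case-insensitive.
audit_traefik_args() {
    tr -s ' \t' '\n' | awk '
        function hit(level, msg) { printf "%s %s: %s\n", level, $0, msg; n++ }
        { l = tolower($0) }
        l ~ /^--api\.insecure(=true)?$/ {
            hit("HIGH", "API and dashboard exposed without authentication on the traefik entry point") }
        l ~ /^--api\.dashboard(=true)?$/ {
            hit("REVIEW", "dashboard enabled; reach it via kubectl port-forward or an authenticated route only") }
        l ~ /^--providers\.kubernetescrd\.allowcrossnamespace(=true)?$/ {
            hit("REVIEW", "IngressRoutes may reference services and middlewares in other namespaces") }
        l ~ /^--global\.sendanonymoususage(=true)?$/ {
            hit("INFO", "anonymous usage statistics are sent to the Traefik maintainers") }
        l ~ /^--certificatesresolvers\.[^.]+\.acme\.caserver=.*acme-staging/ {
            hit("INFO", "resolver uses the ACME staging CA; clients do not trust its certificates") }
        END { if (!n) print "OK no flagged settings" }'
}

# Constructed sample: a subset of the Args from the pod description above.
SAMPLE_ARGS='--global.checknewversion
--global.sendanonymoususage
--entryPoints.traefik.address=:9000/tcp
--api.dashboard=true
--providers.kubernetescrd
--providers.kubernetescrd.allowCrossNamespace=true
--accesslog=true
--certificatesresolvers.le-staging.acme.tlschallenge=true
--certificatesresolvers.le-staging.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
--certificatesresolvers.le.acme.tlschallenge=true'

printf '%s\n' "$SAMPLE_ARGS" | audit_traefik_args

# Against the running deployment (requires cluster access):
#   kubectl get deployment traefik -n traefik \
#     -o jsonpath='{.spec.template.spec.containers[0].args[*]}' | audit_traefik_args
```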
Validate Traefik Dashboard Settings
- Open a port to the Traefik Dashboard
```
# kubectl get pods -n traefik
NAME                      READY   STATUS    RESTARTS   AGE
svclb-traefik-nc7gl       2/2     Running   2          8h
traefik-dc584d7fc-c2lgk   1/1     Running   1          8h
# kubectl port-forward traefik-dc584d7fc-c2lgk 9000:9000 -n traefik
Forwarding from 127.0.0.1:9000 -> 9000
Forwarding from [::1]:9000 -> 9000
```
- Access Dashboard at URL : http://localhost:9000/dashboard/#/
