This recipe utilises the Traefik helm chart to provide LetsEncrypt-secured HTTPS access to multiple containers within your cluster.
Clone helm charts
Clone the helm charts by running:
Change to stable/traefik:
The beauty of the helm approach is that all the complexity of the Kubernetes elements' YAML files is hidden from you (they are created from templates), and all your changes go into values.yaml.
These are my values, you'll need to adjust for your own situation:
The helm chart doesn't enable the Traefik dashboard by default. I intend to add an oauth_proxy pod to secure this, in a future recipe update.
Prepare phone-home pod
Remember how our load balancer design ties a phone-home container to another container using a pod, so that the phone-home container can tell our external load balancer (using a webhook) where to send our traffic?
Since we deployed Traefik using helm, we need to take a slightly different approach: we'll create a pod with a pod affinity rule which ensures it is scheduled on the same node that runs the Traefik container (more precisely, on a node running a pod with the label app=traefik).
Create phone-home.yaml as follows:
Create your webhook token secret by running:
Yes, the "-n" in the echo statement is needed: without it, echo appends a trailing newline, which would become part of the stored token. Read here for why.
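The manifest itself is not reproduced on this page, so here is an added example (not the recipe's own phone-home.yaml) of a pod spec implementing the affinity rule described above. The image, the webhook URL, and the secret and environment variable names are assumptions; the only value taken from the page is the app=traefik label and the kube-system namespace used by the chart install.

```yaml
# Added example, not the original recipe's phone-home.yaml.
# Placeholders (replace for your setup): the container image, the webhook
# URL, and the secret name/key holding the webhook token.
apiVersion: v1
kind: Pod
metadata:
  name: traefik-phone-home
  # Must match the namespace the Traefik chart was installed into: a
  # podAffinity rule without a "namespaces" field only matches pods in
  # the same namespace as the pod being scheduled.
  namespace: kube-system
spec:
  affinity:
    podAffinity:
      # Hard requirement: only schedule onto a node that already runs a pod
      # labelled app=traefik, so the node IP we report to the load balancer
      # is the node where Traefik's NodePort (30443) is actually reachable.
      requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchLabels:
            app: traefik
        topologyKey: kubernetes.io/hostname
  containers:
  - name: phone-home
    image: example.org/phone-home:latest    # placeholder image
    env:
    - name: NODE_IP
      valueFrom:
        fieldRef:
          fieldPath: status.hostIP          # IP of the node this pod landed on
    - name: WEBHOOK_URL
      value: https://loadbalancer.example.org:9000/hooks/traefik   # placeholder
    - name: WEBHOOK_TOKEN
      valueFrom:
        secretKeyRef:
          name: webhook-token               # assumed name of the secret created above
          key: token                        # assumed key inside that secret
```

Keeping the token in a Secret referenced via secretKeyRef, rather than in the manifest, means phone-home.yaml can be committed without leaking the webhook credential.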
Install the chart
To install the chart, simply run
helm install stable/traefik --name traefik --namespace kube-system
That's it, traefik is running.
You can confirm this by running kubectl get pods, and even watch the Traefik logs by running kubectl logs -f traefik<tab-to-autocomplete>
Deploy the phone-home pod
We still can't access Traefik yet, since it's listening on port 30443 on whichever node it happens to be running on. We'll launch our phone-home pod to tell our load balancer where to send incoming traffic on port 443.
- Optionally, on your loadbalancer VM, run journalctl -u webhook -f to watch for the container calling the webhook.
- Run kubectl create -f phone-home.yaml to create the pod.
- Run kubectl get pods -o wide to confirm that both the phone-home pod and the traefik pod are on the same node:
Now browse to https://
If you change a value in values.yaml, and want to update the traefik pod, run:
We're doneburgers! 🍔 We now have all the pieces to safely deploy recipes into our Kubernetes cluster, knowing:
- Our HTTPS traffic will be secured with LetsEncrypt (thanks Traefik!)
- Our non-HTTPS ports (like UniFi adoption) will be load-balanced using a free-to-scale external load balancer
- Our persistent data will be automatically backed up
Here's a recap:
- Start - Why Kubernetes?
- Design - How does it fit together?
- Cluster - Setup a basic cluster
- Load Balancer - Setup inbound access
- Snapshots - Automatically backup your persistent data
- Helm - Uber-recipes from fellow geeks
- Traefik (this page) - Traefik Ingress via Helm
Where to next?
I'll be adding more Kubernetes versions of existing recipes soon. Check out the MQTT recipe for a start!
- It's kinda lame to be able to bring up Traefik but not to use it. I'll be adding the oauth_proxy element shortly, which will make this last step a little more conclusive and exciting!
Tip your waiter (support me) 👏
Did you receive excellent service? Want to make your waiter happy? (..and support development of current and future recipes!) See the support page for (free or paid) ways to say thank you! 👏