Kubernetes Traefik Setup with MetalLB

Deploy Traefik with MetalLB in your cluster

Wed, 28 Feb 2024

This is a fairly complicated process. Both Traefik and MetalLB have documentation of their own; I’m just going to try to get you going fast. The goal here is to deploy a highly available Traefik instance in your cluster that will source IPs from your DHCP router via MetalLB. This setup will allow multiple instances to listen for requests on the same IP, which will allow us to load balance and provide high availability.

In this example I’m reserving the range 192.168.50.2-5. In reality we only need one IP; the range just gives you options in the future for other services that you may want to set up with ingress rather than Traefik.

We’re going to do the config files first.

metallb.yaml

apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: metallb-pool
  namespace: metallb-system
spec:
  addresses:
    - 192.168.50.2-192.168.50.5
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: metallb-advertisement
  namespace: metallb-system
spec:
  ipAddressPools:
    - metallb-pool

values\traefik.yaml

providers:
 kubernetesIngress:
   publishedService:
     enabled: true

additionalArguments:
 - "--serversTransport.insecureSkipVerify=true" # turns off TLS certificate verification for Traefik's connections to backends; for authentik forward auth, can skip
 - "--log.level=INFO"

logs:
 access:
   enabled: true

# Puts a pod on each node, meaning my cluster will always have the traefik service running as long as at least 1 node survives
deployment:
 kind: DaemonSet

rbac:
 enabled: true

resources:
 requests:
   memory: "256Mi"
 limits:
   memory: "256Mi"

service:
 spec:
   externalTrafficPolicy: Local
 annotations:
   metallb.universe.tf/loadBalancerIPs: 192.168.50.5 # this is how we tell MetalLB that traefik will consume all the traffic on this IP. MetalLB will create an ingress for us at this IP

# Automatically redirect http to https
# Not required but handy
ports:
 web:
   redirectTo:
     port: websecure
 websecure:
   tls:
     enabled: true

ingressRoute:
 dashboard:
   enabled: false
   entryPoints: ["web", "websecure"]
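
A pre-deploy check for the two files above, added here as an example and not part of the original post: it confirms that the IP requested in the metallb.universe.tf/loadBalancerIPs annotation falls inside the IPAddressPool, because MetalLB will not assign an address outside its pools and the traefik service would sit with a pending external IP. The function names are hypothetical; the addresses are copied from this page.

```python
import ipaddress

# Values copied from metallb.yaml and values\traefik.yaml on this page.
POOL_ADDRESSES = ["192.168.50.2-192.168.50.5"]
REQUESTED = "192.168.50.5"  # metallb.universe.tf/loadBalancerIPs


def parse_pool_entry(entry):
    """Return (first, last) for a MetalLB pool entry: an 'a-b' range or a CIDR."""
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        # Check the IP version first: comparing v4 with v6 raises TypeError.
        if start.version != end.version or start > end:
            raise ValueError(f"invalid range: {entry}")
        return start, end
    net = ipaddress.ip_network(entry, strict=False)
    return net[0], net[-1]


def unassignable(requested, pool_entries):
    """Return the requested IPs (comma-separated string) that no pool entry covers."""
    ranges = [parse_pool_entry(e) for e in pool_entries]
    missing = []
    for raw in requested.split(","):
        ip = ipaddress.ip_address(raw.strip())
        covered = any(
            lo.version == ip.version and lo <= ip <= hi for lo, hi in ranges
        )
        if not covered:
            missing.append(str(ip))
    return missing


if __name__ == "__main__":
    bad = unassignable(REQUESTED, POOL_ADDRESSES)
    print("ok" if not bad else f"outside every pool: {bad}")
```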

We’re going to test our config by exposing our dashboard via a host.

dashboard.yaml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-dashboard
  namespace: network
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  rules:
    - host: traefik.yourdomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: traefik
                port:
                  number: 9000

Now let’s deploy:

kubectl create ns metallb-system
kubectl create ns network
helm repo add traefik https://traefik.github.io/charts
helm repo add metallb https://metallb.github.io/metallb
helm upgrade --install metallb metallb/metallb -n metallb-system
helm upgrade --install --namespace network traefik traefik/traefik --values=.\values\traefik.yaml
kubectl apply -f metallb.yaml
kubectl apply -f dashboard.yaml

That should bring up MetalLB, Traefik and the dashboard. The dashboard may give you SSL issues, but setting up cert-manager and requesting certificates is out of the scope of this post. Hope this was able to help someone.

Edward Beazer

Edward Beazer - I just like to build shit. Sometimes I get stuck for hours, even days while trying to figure out how to solve an issue or implement a new feature. Hope my tips and tutorials can save you some time.
