Kubernetes Traefik Setup with MetalLB

This is a fairly complicated process. Both Traefik and MetalLB have documentation of their own; I'm just going to try to get you going fast. The goal here is to deploy a highly available Traefik instance in your cluster that will source IPs from your DHCP router via MetalLB. This setup will allow multiple instances to listen for requests on the same IP, which will allow us to load-balance and provide high availability.

In this example I'm reserving the range 192.168.50.2-5. In reality, we only need one IP; the range just gives you options in the future for other services that you may want to set up with ingress rather than Traefik.

We're going to do the config files first.

metallb.yaml

```yaml
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: metallb-pool
  namespace: metallb-system
spec:
  addresses:
    - 192.168.50.2-192.168.50.5
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: metallb-advertisement
  namespace: metallb-system
spec:
  ipAddressPools:
    - metallb-pool
```

values\traefik.yaml

```yaml
providers:
  kubernetesIngress:
    publishedService:
      enabled: true
additionalArguments:
  # For authentik forward auth, can skip. Note: this turns off TLS certificate
  # verification for every backend Traefik connects to, so leave it out if you don't need it.
  - "--serversTransport.insecureSkipVerify=true"
  - "--log.level=INFO"
logs:
  access:
    enabled: true
# Puts a pod on each node, meaning my cluster will always have the traefik service running as long as at least 1 node survives
deployment:
  kind: DaemonSet
rbac:
  enabled: true
resources:
  requests:
    memory: "256Mi"
  limits:
    memory: "256Mi"
service:
  spec:
    externalTrafficPolicy: Local
  annotations:
    # This is how we tell MetalLB that Traefik will consume all the traffic on this IP.
    # MetalLB will create an ingress for us at this IP.
    metallb.universe.tf/loadBalancerIPs: 192.168.50.5
# Automatically redirect http to https
# Not required but handy
ports:
  web:
    redirectTo:
      port: websecure
  websecure:
    tls:
      enabled: true
ingressRoute:
  dashboard:
    enabled: false
    entryPoints: ["web", "websecure"]
```
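The IP pinned in the Traefik `loadBalancerIPs` annotation has to fall inside the MetalLB `IPAddressPool`, and the pool should not overlap the addresses your router leases out. The following pre-deploy check is an added example, not part of the original post; the function names and the DHCP lease range are assumptions made up for illustration, and it also accepts CIDR pool entries, which goes beyond the single range used here.

```python
import ipaddress


def parse_pool(entry):
    """Return (first, last) for a MetalLB pool entry: "start-end" or CIDR."""
    entry = entry.strip()
    if "-" in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
    else:
        net = ipaddress.ip_network(entry, strict=False)
        start, end = net[0], net[-1]
    if start.version != end.version or start > end:
        raise ValueError(f"invalid pool entry: {entry!r}")
    return start, end


def in_range(ip, lo, hi):
    # Guard the version first: comparing IPv4 with IPv6 raises TypeError.
    return ip.version == lo.version and lo <= ip <= hi


def check_pool(pool_entries, pinned_ips, dhcp_range=None):
    """Return a list of problems; an empty list means the values are consistent."""
    problems = []
    pools = [parse_pool(e) for e in pool_entries]
    # The annotation may carry several comma-separated addresses.
    for raw in pinned_ips.split(","):
        ip = ipaddress.ip_address(raw.strip())
        if not any(in_range(ip, lo, hi) for lo, hi in pools):
            problems.append(f"{ip} is outside every IPAddressPool range")
    if dhcp_range:
        d_lo, d_hi = parse_pool(dhcp_range)
        for lo, hi in pools:
            if lo.version == d_lo.version and lo <= d_hi and d_lo <= hi:
                problems.append(f"pool {lo}-{hi} overlaps DHCP leases {d_lo}-{d_hi}")
    return problems


# Values from metallb.yaml and values\traefik.yaml in this post.
POOL = ["192.168.50.2-192.168.50.5"]
PINNED = "192.168.50.5"
# Constructed sample: lease range of a hypothetical home router.
DHCP_LEASES = "192.168.50.100-192.168.50.200"

if __name__ == "__main__":
    issues = check_pool(POOL, PINNED, DHCP_LEASES)
    print("OK" if not issues else "\n".join(issues))
```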

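We're going to test our config by exposing our dashboard via a host. The Ingress below puts no authentication in front of the dashboard, so use a hostname that is only reachable from your own network.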

dashboard.yaml

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-dashboard
  namespace: network
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  rules:
    - host: traefik.yourdomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: traefik
                port:
                  number: 9000
```

Now let's deploy.

```powershell
kubectl create ns metallb-system
kubectl create ns network
helm repo add traefik https://traefik.github.io/charts
helm repo add metallb https://metallb.github.io/metallb
helm upgrade --install metallb metallb/metallb -n metallb-system
helm upgrade --install --namespace network traefik traefik/traefik --values=.\values\traefik.yaml
kubectl apply -f metallb.yaml
kubectl apply -f dashboard.yaml
```

That should bring up MetalLB, Traefik and the dashboard. The dashboard may give you SSL issues, but setting up cert-manager and requesting certificates is out of the scope of this post. Hope this was able to help someone.

https://edwardbeazer.com/posts/kubernetes-traefik-setup-with-metallb/
Author: Edward Beazer
Published at: 2024-02-28