This guide covers deploying Traefik as your Kubernetes ingress controller and configuring automated SSL certificate management with Let’s Encrypt.
Deploying Traefik
Install Helm Package Manager for Kubernetes
curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3chmod 700 get_helm.sh./get_helm.shCreate Namespace for Traefik
kubectl create namespace traefikAdd Helm Repository and Update
helm repo add traefik https://helm.traefik.io/traefikhelm repo updateClone TechnoTim Launchpad Repository
git clone https://github.com/techno-tim/launchpadConfigure values.yaml for Traefik
Open the launchpad/kubernetes/traefik-cert-manager/ directory and check values.yaml. Most configurations are already set; you only need to specify the IP for the LoadBalancer service. Choose an IP from the MetalLB range defined in your setup.
Install Traefik Using Helm
helm install --namespace=traefik traefik traefik/traefik --values=values.yamlVerify Deployment
kubectl get svc --all-namespaces -o wideExpected output:
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTORcalico-system calico-typha ClusterIP 10.43.80.131 <none> 5473/TCP 2d20h k8s-app=calico-typhatraefik traefik LoadBalancer 10.43.185.67 10.57.57.80 80:32195/TCP,443:31598/TCP,443:31598/UDP 53s app.kubernetes.io/instance=traefik,app.kubernetes.io/name=traefikApply Middleware
kubectl apply -f default-headers.yamlkubectl get middlewareExpected output:
NAME AGEdefault-headers 4sDeploying Traefik Dashboard
Install htpasswd
sudo apt-get updatesudo apt-get install apache2-utilsGenerate a Base64-Encoded Credential
htpasswd -nb merox password | openssl base64Copy the generated password hash and replace abc123== with it in dashboard/secret-dashboard.yaml:
---apiVersion: v1kind: Secretmetadata: name: traefik-dashboard-auth namespace: traefiktype: Opaquedata: users: abc123==Apply secret:
kubectl apply -f secret-dashboard.yamlConfigure DNS Resolver
Ensure that your DNS server points to the MetalLB IP specified in values.yaml.
Example entry for pfSense DNS Resolver:
dashboard/ingress.yaml:
routes: - match: Host(`traefik.k3s.your.domain`)Apply Kubernetes Resources
From traefik/dashboard folder:
kubectl apply -f secret-dashboard.yamlkubectl get secrets --namespace traefikkubectl apply -f middleware.yamlkubectl apply -f ingress.yamlAt this point, you should be able to access the DNS entry you created. However, it will use a self-signed SSL certificate generated by Traefik. In the next steps, we will configure Let’s Encrypt certificates using Cloudflare as the provider.
Deploying Cert-Manager
From traefik-cert-manager/cert-manager folder:
Add Jetstack Helm Repository
helm repo add jetstack https://charts.jetstack.iohelm repo updateCreate Namespace for Cert-Manager
kubectl create namespace cert-managerApply CRDs (Custom Resource Definitions)
Note
Note: Ensure you use the latest version of Cert-Manager.
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.crds.yamlInstall Cert-Manager Using Helm
helm install cert-manager jetstack/cert-manager --namespace cert-manager --values=values.yaml --version v1.17.0Apply Cloudflare API Secret
Make sure you generate the correct API token if using Cloudflare (use an API Token, not a global key).
kubectl apply -f issuers/secret-cf-token.yamlDeploy Production Certificates
Fields to be edited before:
issuers/letsencrypt-production.yaml: email, dnsZones
certificates/production/your-domain-com.yaml: name, secretName, commonName, dnsNames
kubectl apply -f values.yamlkubectl apply -f issuers/letsencrypt-production.yamlkubectl apply -f certificates/production/your-domain-com.yamlVerify Logs and Challenges
kubectl logs -n cert-manager -f cert-manager-(your-instance-name)kubectl get challengesWith these steps completed, your K3s cluster now runs Traefik as an ingress controller, supports HTTPS with Let’s Encrypt, and manages certificates automatically. This setup ensures secure traffic routing and efficient load balancing for your Kubernetes applications.
Next Steps
Proceed to the Cluster Management guide to deploy Rancher for cluster administration and Longhorn for persistent storage.