Traefik Setup and SSL Configuration

This covers deploying Traefik as the ingress controller and wiring up cert-manager with Let’s Encrypt via Cloudflare.

Deploying Traefik

Install Helm:

curl -fsSL -o get_helm.sh https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3
chmod 700 get_helm.sh
./get_helm.sh

Create the namespace, add the Traefik chart repository, and clone the launchpad repo:

kubectl create namespace traefik
helm repo add traefik https://helm.traefik.io/traefik
helm repo update
git clone https://github.com/techno-tim/launchpad

In launchpad/kubernetes/traefik-cert-manager/, open values.yaml and set the LoadBalancer IP to something from your MetalLB range, then install:

helm install --namespace=traefik traefik traefik/traefik --values=values.yaml

Verify:

kubectl get svc --all-namespaces -o wide

Expected output:

NAMESPACE       NAME           TYPE           CLUSTER-IP     EXTERNAL-IP   PORT(S)                                    AGE     SELECTOR
calico-system   calico-typha   ClusterIP      10.43.80.131   <none>        5473/TCP                                   2d20h   k8s-app=calico-typha
traefik         traefik        LoadBalancer   10.43.185.67   10.57.57.80   80:32195/TCP,443:31598/TCP,443:31598/UDP   53s     app.kubernetes.io/instance=traefik,app.kubernetes.io/name=traefik

Apply middleware:

kubectl apply -f default-headers.yaml
kubectl get middleware

Expected output:

NAME              AGE
default-headers   4s

Traefik Dashboard

Generate a base64-encoded credential:

sudo apt-get install apache2-utils
htpasswd -nb merox password | openssl base64

Paste the output into dashboard/secret-dashboard.yaml:

---
apiVersion: v1
kind: Secret
metadata:
  name: traefik-dashboard-auth
  namespace: traefik
type: Opaque
data:
  users: abc123==  # placeholder: replace with your base64 output

Point your DNS server to the MetalLB IP from values.yaml.

Set your domain in dashboard/ingress.yaml:

routes:
  - match: Host(`traefik.k3s.your.domain`)

Apply everything from the traefik/dashboard folder:

kubectl apply -f secret-dashboard.yaml
kubectl get secrets --namespace traefik
kubectl apply -f middleware.yaml
kubectl apply -f ingress.yaml

The dashboard will be up but using a self-signed cert. The next section fixes that.

Cert-Manager

From traefik-cert-manager/cert-manager:

helm repo add jetstack https://charts.jetstack.io
helm repo update
kubectl create namespace cert-manager

Note: check the releases page and use the latest version of cert-manager.

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.0/cert-manager.crds.yaml
helm install cert-manager jetstack/cert-manager --namespace cert-manager --values=values.yaml --version v1.17.0

Apply your Cloudflare API secret (use an API Token, not a global key):

kubectl apply -f issuers/secret-cf-token.yaml

Before applying the remaining files, edit:

  • issuers/letsencrypt-production.yaml: email, dnsZones
  • certificates/production/your-domain-com.yaml: name, secretName, commonName, dnsNames

Then apply them:

kubectl apply -f values.yaml
kubectl apply -f issuers/letsencrypt-production.yaml
kubectl apply -f certificates/production/your-domain-com.yaml
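
As an added illustration (not the contents of the launchpad repo's files), this is the general shape of a Cloudflare DNS-01 setup in cert-manager, with the fields listed above marked in comments. The resource names, the example.com domain and the token placeholder are assumptions; keep whatever names your copies of the files already use.

```yaml
# Added example: placeholder names and values, not the launchpad repo's files.
# issuers/secret-cf-token.yaml
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-token-secret        # assumed name
  namespace: cert-manager              # a ClusterIssuer reads its secrets from here by default
type: Opaque
stringData:
  cloudflare-token: "<CLOUDFLARE_API_TOKEN>"   # scoped token: Zone/DNS Edit + Zone/Zone Read
---
# issuers/letsencrypt-production.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com           # edit: email
    privateKeySecretRef:
      name: letsencrypt-production     # ACME account key, created by cert-manager
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:         # API Token, not apiKeySecretRef (global key)
              name: cloudflare-token-secret
              key: cloudflare-token
        selector:
          dnsZones:                    # edit: dnsZones
            - "example.com"
---
# certificates/production/your-domain-com.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com                    # edit: name
  namespace: traefik                   # assumed: namespace where Traefik reads the TLS secret
spec:
  secretName: example-com-tls          # edit: secretName
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "*.example.com"          # edit: commonName
  dnsNames:                            # edit: dnsNames
    - "example.com"
    - "*.example.com"
```

The dnsZones selector limits which zones this solver will answer challenges for, so the token only needs access to the zones listed there.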

Monitor progress:

kubectl get pods -n cert-manager   # find the cert-manager controller pod name
kubectl logs -n cert-manager -f <cert-manager-pod-name>
kubectl get challenges


Next Steps

Proceed to the Cluster Management guide.
