Traefik 2.0 on MicroK8s

TL;DR: You can use Traefik 2.0 on MicroK8s by running it as a DaemonSet.

Experimenting with Kubernetes, i found MicroK8s very promising. Build by Canonical, running on Ubuntu, it wants to be a productive single node cluster. MicroK8s comes with Nginx as built in ingress, which makes deploying very easy. But i wanted to use Traefik as ingress controller and did not find any useful Documentation.

I tried to follow the Traefik & CRD & Let’s Encrypt Howto, until i came to the kubectl port-forward part, which did’t look good.

So i looked into the git repo and found ingress.yaml, describing how nginx ingress is deployed as DaemonSet. So instead of the 03-deployments.yml in the example, i used following 03-daemonset.yml, moved 03-deployment.yml into 04-deployment.yml and left the whoami deployment there.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: traefik-ingress-controller

---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  namespace: default
  name: traefik
  labels:
    app: traefik

spec:
  selector:
    matchLabels:
      name: traefik
  template:
    metadata:
      labels:
        name: traefik
    spec:
      terminationGracePeriodSeconds: 60
      # hostPort doesn't work with CNI, so we have to use hostNetwork instead
      # see https://github.com/kubernetes/kubernetes/issues/23920
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      serviceAccountName: traefik-ingress-controller
      containers:
      - name: traefik
        image: traefik:v2.0
        args:
          - --api.insecure
          - --accesslog
          - --entrypoints.web.Address=:80
          - --entrypoints.websecure.Address=:443
          - --providers.kubernetescrd
          - --certificatesresolvers.default.acme.tlschallenge
          - --certificatesresolvers.default.acme.email=foo@you.com
          - --certificatesresolvers.default.acme.storage=acme.json
          # Please note that this is the staging Let's Encrypt server.
          # Once you get things working, you should remove that whole line altogether.
          - --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
        ports:
          - name: web
            containerPort: 80
          - name: websecure
            containerPort: 443
          - name: admin
            containerPort: 8080

Conclusion: it is easy to use Traefik instead of nginx on microk8s, by deploying it as a DaemonSet.

This entry was posted in software and tagged , , , , . Bookmark the permalink.