Posted on Fr 15 November 2019

TL;DR: You can use Traefik 2.0 on MicroK8s by running it as a DaemonSet.

Experimenting with Kubernetes, i found MicroK8s very promising. Build by Canonical, running on Ubuntu, it wants to be a productive single node cluster. MicroK8s comes with Nginx as built in ingress, which makes deploying very easy. But i wanted to use Traefik as ingress controller and did not find any useful Documentation.

I tried to follow the Traefik & CRD & Let's Encrypt Howto, until i came to the kubectl port-forward part, which did't look good.

So i looked into the git repo and found ingress.yaml, describing how nginx ingress is deployed as DaemonSet. So instead of the 03-deployments.yml in the example, i used following 03-daemonset.yml, moved 03-deployment.yml into 04-deployment.yml and left the whoami deployment there.

---
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: traefik-ingress-controller

---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  namespace: default
  name: traefik
  labels:
    app: traefik

spec:
  selector:
    matchLabels:
      name: traefik
  template:
    metadata:
      labels:
        name: traefik
    spec:
      terminationGracePeriodSeconds: 60
      # hostPort doesnt work with CNI, so we have to use hostNetwork instead
      # see https://github.com/kubernetes/kubernetes/issues/23920
      dnsPolicy: ClusterFirstWithHostNet
      hostNetwork: true
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v2.0
          args:
            - "--api.insecure"
            - "--accesslog"
            - "--entrypoints.web.Address=:80"
            - "--entrypoints.websecure.Address=:443"
            - "--providers.kubernetescrd"
            - "--certificatesresolvers.default.acme.tlschallenge"
            - "--certificatesresolvers.default.acme.email=foo@you.com"
            - "--certificatesresolvers.default.acme.storage=acme.json"
            # Please note that this is the staging Let's Encrypt server.
            # Once you get things working, you should remove that whole line altogether.
            - "--certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
          ports:
            - name: web
              containerPort: 80
            - name: websecure
              containerPort: 443
            - name: admin
              containerPort: 8080

Conclusion: it is easy to use Traefik instead of nginx on microk8s, by deploying it as a DaemonSet.