
Setting up Traefik v2 and cert-manager on Kapsule

Reviewed on 31 July 2024 • Published on 01 July 2020
  • k8s
  • Kapsule
  • Traefik
  • cert-manager
  • Load-Balancer

Traefik (pronounced traffic) is a modern HTTP reverse proxy and Load Balancer designed to make the deployment of microservices easy. Traefik integrates with any HTTP and TCP-based applications and every major cluster technology.

Our goal in this tutorial is to:

  • Expose Traefik 2 using a Scaleway Load Balancer
  • Deploy a test application on our cluster
  • Expose this test application through an ingress object, using Traefik 2 (deployed by Kapsule)
  • Expose this application securely (with HTTPS and Let’s Encrypt, using cert-manager)

Before you start

To complete the actions presented below, you must have:

  • A Scaleway account logged into the console
  • Owner status or IAM permissions allowing you to perform actions in the intended Organization
  • A Kubernetes Kapsule cluster with an ingress controller (Traefik 2)
  • Downloaded the corresponding kubeconfig file and ensured that kubectl is configured and working

Deploying Traefik 2 using the Easy Deploy feature

  1. Log into the Scaleway console and navigate to the Kubernetes section under Containers.
  2. Click on your cluster name to view the cluster overview.
  3. Go to the Easy Deploy tab.
  4. Click Deploy an Application.
  5. Search for Traefik in the Application Library, and select Traefik 2 Ingress.
  6. Name the application traefik and set the namespace to kube-system.
  7. Click Deploy an application to deploy Traefik 2.

Creating a wildcard DNS record

In this step, we will create a wildcard DNS record to point to the external IP address of our Traefik load balancer. This DNS record will allow us to route traffic to our Kubernetes services using custom domain names.

  1. Retrieve the external IP of your LoadBalancer:

    kubectl get svc traefik -n kube-system

    The external IP will be listed under the EXTERNAL-IP column.

  2. Use a DNS provider to create a wildcard DNS record pointing to your LoadBalancer’s IP address.

  3. Create a wildcard DNS entry (*.mytest.com) pointing to this IP address.

    • Using Scaleway’s Domains and DNS product:

      1. Navigate to the Domains and DNS product.
      2. Create a new DNS zone if you haven’t already.
      3. Add a new DNS record with the following details:
        • Type: A
        • Name: *
        • Value: your_loadbalancer_ip
    • Using another DNS provider

      1. Log in to your DNS account and select your domain.
      2. Go to the DNS tab.
      3. Add a new DNS record with the following details:
        • Type: A
        • Name: *
        • Value: your_loadbalancer_ip
      4. Save the record.

Installing cert-manager

  1. Install cert-manager:
    kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.0.0/cert-manager.yaml
  2. Verify the installation:
    kubectl get pods --namespace cert-manager

Creating a Let’s Encrypt issuer

  1. Open a text editor and create a new file for the ClusterIssuer:
    nano cluster-issuer.yaml
  2. Add the following content to the cluster-issuer.yaml file:
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
    spec:
      acme:
        email: mymail@test.com
        server: https://acme-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          name: issuer-account-key
        solvers:
        - http01:
            ingress:
              class: traefik
  3. Apply the issuer configuration:
    kubectl apply -f cluster-issuer.yaml

Creating and using a Let’s Encrypt certificate

  1. Open a text editor and create a new file for the certificate:
    nano mycert.yaml
  2. Add the following content to the mycert.yaml file:
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: teacoffee-cert
      namespace: default
    spec:
      commonName: teacoffee.mytest.com
      secretName: teacoffee-cert
      dnsNames:
      - teacoffee.mytest.com
      issuerRef:
        name: letsencrypt-prod
        kind: ClusterIssuer
  3. Apply the certificate configuration:
    kubectl apply -f mycert.yaml
  4. Verify the certificate creation:
    kubectl describe certificate teacoffee-cert

Creating an HTTPS ingress

  1. Deploy the “tea coffee” test application:
    kubectl create -f https://raw.githubusercontent.com/nginxinc/kubernetes-ingress/main/examples/ingress-resources/complete-example/cafe.yaml
  2. Open a text editor and create a new file for the HTTPS ingress object:
    nano mysite.yaml
  3. Add the following content to the mysite.yaml file:
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: testcoffee
      namespace: default
      annotations:
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
    spec:
      tls:
      - secretName: teacoffee-cert
      rules:
      - host: teacoffee.mytest.com
        http:
          paths:
          - path: /tea
            pathType: Prefix
            backend:
              service:
                name: tea-svc
                port:
                  number: 80
          - path: /coffee
            pathType: Prefix
            backend:
              service:
                name: coffee-svc
                port:
                  number: 80
  4. Apply the HTTPS ingress configuration:
    kubectl apply -f mysite.yaml
  5. Test the HTTPS endpoint:
    curl -v https://teacoffee.mytest.com/tea
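
The ClusterIssuer, Certificate and Ingress above only produce a valid HTTPS endpoint if their names, namespace and hostnames agree. The following check is an added example, not part of the original tutorial or of any Scaleway, Traefik or cert-manager tooling; the function names and the sample objects are assumptions constructed to mirror the manifests above.

```python
# Added example: cross-check issuer, certificate and ingress before testing with curl.
# Inputs are dicts shaped like `kubectl get <kind> <name> -o json` output.

def host_covered(host, dns_names):
    """True if host equals a dnsName or matches a single-label wildcard."""
    for name in dns_names:
        if name == host:
            return True
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

def check_tls_wiring(issuer, cert, ingress):
    """Return a list of problems; an empty list means the wiring is consistent."""
    problems = []
    ref = cert["spec"]["issuerRef"]
    kind = ref.get("kind", "Issuer")  # cert-manager treats a missing kind as Issuer
    if kind != issuer["kind"] or ref["name"] != issuer["metadata"]["name"]:
        problems.append(f"issuerRef {kind}/{ref['name']} does not match the issuer")
    # Secrets are namespaced: an Ingress can only use a Secret in its own namespace.
    if cert["metadata"]["namespace"] != ingress["metadata"]["namespace"]:
        problems.append("Certificate and Ingress are in different namespaces")
    secrets = {t.get("secretName") for t in ingress["spec"].get("tls", [])}
    if cert["spec"]["secretName"] not in secrets:
        problems.append(f"Ingress tls does not use secret {cert['spec']['secretName']}")
    hosts = [r["host"] for r in ingress["spec"].get("rules", []) if "host" in r]
    for host in hosts:
        if not host_covered(host, cert["spec"].get("dnsNames", [])):
            problems.append(f"host {host} is not covered by the certificate dnsNames")
    conditions = cert.get("status", {}).get("conditions", [])
    if not any(c["type"] == "Ready" and c["status"] == "True" for c in conditions):
        problems.append("Certificate is not Ready (nothing has been issued yet)")
    return problems

# Constructed sample objects mirroring the manifests in this tutorial.
ISSUER = {"kind": "ClusterIssuer", "metadata": {"name": "letsencrypt-prod"}}
CERT = {"metadata": {"name": "teacoffee-cert", "namespace": "default"},
        "spec": {"secretName": "teacoffee-cert", "dnsNames": ["teacoffee.mytest.com"],
                 "issuerRef": {"name": "letsencrypt-prod", "kind": "ClusterIssuer"}},
        "status": {"conditions": [{"type": "Ready", "status": "True"}]}}
INGRESS = {"metadata": {"name": "testcoffee", "namespace": "default"},
           "spec": {"tls": [{"secretName": "teacoffee-cert"}],
                    "rules": [{"host": "teacoffee.mytest.com"}]}}

if __name__ == "__main__":
    for line in check_tls_wiring(ISSUER, CERT, INGRESS) or ["wiring is consistent"]:
        print(line)
```

On a live cluster, the same function can be fed the parsed JSON of the three objects in place of the constructed samples.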

Accessing the Traefik dashboard

  1. Retrieve the name of the Traefik pod:

    kubectl get pods -n kube-system --selector "app.kubernetes.io/name=traefik" --output=name

    An output similar to the following should display: pod/traefik-xxxxxxxxx-yyyyy.

  2. Use the exact pod name from the previous command to port-forward:

    kubectl port-forward -n kube-system <traefik-pod-name> 9000:9000

    For example:

    kubectl port-forward -n kube-system pod/traefik-xxxxxxxxx-yyyyy 9000:9000
  3. Access the Traefik dashboard at http://127.0.0.1:9000/dashboard/.

This approach ensures that both the resource name and the ports are specified correctly for the kubectl port-forward command.

Conclusion

You have successfully set up Traefik v2 and cert-manager on Scaleway Kubernetes Kapsule, exposed a test application using Traefik, and secured it with a Let’s Encrypt certificate. For further information, you may refer to the official documentation for Let’s Encrypt, Traefik 2, and cert-manager.

© 2023-2024 – Scaleway