Deploying Traefik with Helm for Simplified Kubernetes Ingress

Traefik is an open source reverse proxy and load-balancing tool that efficiently manages traffic to applications and microservices within cluster environments. It is natively cloud compliant and can be used with Kubernetes, Docker Swarm, and other orchestration system deployments.

Traefik is popular because it is easy to use and configure. The tool automatically listens for services and routing requests. This enables the autodiscovery of routing rules and dynamic updates, whether creating or deleting routes, in real time. Traefik is optimized for lightweight performance, ensuring it operates efficiently even in resource-constrained environments. With its own Kubernetes Custom Resource Definitions (CRDs), Traefik offers the building blocks to extend and manage routing within your complex environments.

‍

In this article, you'll explore how to deploy Traefik as an Ingress controller within your Kubernetes environment using official Helm charts.

‍

Deploying Traefik Using Helm

Before deploying Traefik, you'll need the following:

• A functional Kubernetes cluster (v1.22+)
• ‍Helm (v3 > 3.9.0) installed on your local machine or environment
• kubectl configured to interact with your Kubernetes cluster

The following commands install the default Traefik configuration:

‍

‍

These commands add the official Helm repository to your environment. They then create a dedicated Kubernetes namespace for your Traefik deployment and execute Traefik within this namespace.

‍

To set up your unique values and customize the installation, you can either edit the standard values.yaml or provide your own YAML file on installation:

‍

‍

Configuring Traefik

There are two configuration categories to note within Traefik: static and dynamic. The static configuration, also known as the startup configuration, deals with the connections to your providers and the specific EntryPoints Traefik should monitor. These elements won't change much as you scale. Your dynamic configurations in Traefik focus on how requests are handled and routed by the system. They may change as new routes and services are added. Traefik ensures these changes are implemented in real time without any request interruption or connection loss.

‍

Let's dive into Traefik's configuration categories and how they are set up for your Helm chart deployment.

‍

Static Configuration

Traefik offers three mutually exclusive methods for defining your static configurations. You can utilize configuration files (YAML), command line arguments, or environment variables. On startup, Traefik will check for each of these methods in that order for your configuration values and set defaults if no values are found. Let's look at the values available within your static configuration and how they are set within the Traefik Helm chart.

‍

EntryPoints

EntryPoints are Traefik's network gateways, defining the ports and protocols (TCP or UDP) to listen for incoming traffic. You can use them to expose services and configure their specific access settings. If a service doesn't specify an EntryPoint, Traefik will use the default EntryPoint you've set.

‍

Within the Helm chart, you can set EntryPoints under the ports section:

‍

‍

The above configuration defines three EntryPoints in your Helm chart: the TCP port 8000 exposed on port 80, another TCP port 8443 exposed on port 443, and the UDP port exposed on port 1704 within your Traefik deployment. The configuration also defines a default EntryPoint at port 8000, routing traffic through that EntryPoint unless otherwise specified.

Traefik offers a number of configuration options with your Entrypoints, allowing you to redirect requests, enforce secure access with TLS and proxies, and define custom behaviors for individual endpoints within your deployment.

‍

Global Settings

Your Traefik environment can include hundreds of resources running against different pods and services. While each resource can be configured individually for flexibility, Traefik also offers global settings to ensure compatibility between resources and alleviate resource management complexities. The Traefik Helm chart offers global arguments and shared labels to pass settings to all Traefik pods and ease management of all Helm-created resources:

‍

‍

The global arguments set your resources to periodically check if a new version has been released and send anonymous usage statistics. Utilize the commonLabels and additionalArguments sections to tag all your Traefik resources for management, and attach additional configuration, such as routing or security, to all your Traefik pods.

Environmental variables can also be passed into your deployments and declared within the Helm chart or from ConfigMaps and Kubernetes Secrets.

‍

Providers

Providers in Traefik are essential as they act as the link between your infrastructure and Traefik, providing routing and configuration details Traefik needs to manage traffic. Traefik relies on providers to automatically discover services and dynamically update the routing rules as things change. Depending on your environment, you use supported providers to query relevant routing information for your Traefik deployment. You can configure your Providers in the Helm chart.

‍

Here's a Kubernetes CRD provider set up within the Helm chart to monitor all your Kubernetes namespaces for changes in routing and services:

‍

‍

Enabling and executing the Kubernetes IngressRoute provider also sets CRDs to provision your cluster. Kubernetes Ingress, Kubernetes Gateway, and file providers are also available through the Helm chart deployment.

‍

TLS/SSL Configuration

Most Traefik resources can be configured to use TLS for secure connections and routing. This is important to protect your sensitive data from exposure or interception between clients and your services. Secure access and connections may be a requirement in your use cases when you're working with sensitive and regulated data.

‍

Within the static configuration, you can define certificate resolvers and integrate with an ACME provider (like Let's Encrypt) to automate the generation and retrieval of security certificates. You can then use these generated certificates within your resources. Traefik uses the set dynamic configuration to obtain certificates based on the domains for which it's routing traffic. You can also use Traefik custom resources, such as TLS options and TLS stores, to dynamically set and store default and alternate security certificates for your resources.

‍

The following YAML sets up a certificate resolver within your Helm chart and calls it for use within your TLS configurations:

‍

‍

Here, a Let's Encrypt account is added to the configuration with a set server directory and storage for generated certificates. The generated certificate can then be queried whenever a TLS connection is needed.

‍

Traefik Dashboard

The Traefik dashboard provides a visual interface to monitor your routing configuration and active routes. This feature can help you manage your Traefik deployment and observe its operations within your environment. It's disabled by default but can be enabled in your static configuration. It is recommended to either use your dashboard locally or secure access to the interface. Custom middleware aimed at authentication and allow-listing can be added to your dynamic configuration for the dashboard. You can also set match rules for your dashboard domain.

‍

Here's an example of how to expose the Traefik dashboard within your environment while applying security measures to protect the connection with your Helm chart:

‍

‍

The dashboard will be accessible through the custom domain (traefik-dashboard.example.com) and served via the websecure EntryPoint. Additionally, an authentication middleware is applied to ensure only authorized users can access the dashboard.

‍

Metrics and Monitoring

Traefik offers a comprehensive metrics suite to deliver insights into your system's performance and usage. This is important for management and optimization, providing a holistic view of your environment's operations. The metrics are served by default in the OpenTelemetry format. You can also integrate metrics into your vendor-specific monitoring systems, with Traefik supporting Prometheus, Datadog, InfluxDB 2.X, and StatsD. You need to enable metrics tracking within your environment. The Helm chart defines a metrics endpoint that is not exposed by default.

‍

Let's walk through enabling and configuring metrics in your Helm-based Traefik deployment:

‍

‍

In this configuration, metrics collection is turned on, with Prometheus enabled by default to provide visibility into your Traefik deployment. Additional labels are added for granular monitoring. The metrics are exposed on port 9100, allowing for easier integration with your monitoring systems.

‍

Observability

Traefik also offers other observability features, including logs for debugging operations and tracing to monitor the lifecycle of requests within your systems. Utilizing the full metrics, logs, and traces suite will help you gain complete visibility into your Traefik operations and speed up your optimization and debugging efforts.

‍

Traefik's standard logs record events happening within your Traefik environment, while access logs record the traffic Traefik receives. By default, logs are written to stdout, leaving you to set a file path within your environment. Within the Helm chart, you need to enable access logs and tracing. Traefik uses OpenTelemetry collectors for distributed tracing.

‍

Let's look at the associated logs and tracing variables within the Helm chart:

‍

‍

Here, the logs' file paths are specified. Internal access logs are enabled with the preferred buffering size set for optimal performance. Tracing is also activated with OpenTelemetry, including an external endpoint for seamless integration and monitoring of request lifecycles.

‍

These are the static configurations you will want to be enabled on startup within your Helm Traefik deployment, ensuring traffic routing, secure connections, and observability features.

‍

Dynamic Configuration

In Traefik, incoming requests first pass through EntryPoints, where they are routed based on defined rules and processed by any middleware that may modify the request or response. Once the requests are verified, they are forwarded to Services, which handle load balancing and route traffic to your applications and pods in the Kubernetes environment. The dynamic configuration — comprising routers, middleware, services, and the secure connection between them — is shaped by your infrastructure and environment, and it is dynamically discovered by providers within the Traefik setup, ensuring seamless integration with your architecture.

‍

Let's look at setting up your dynamic configuration using Traefik's Helm chart.

‍

IngressRoutes

IngressRoutes are custom Kubernetes resources that extend Traefik's functionality by specifying how requests should be connected to services. The Helm chart explicitly defines two IngressRoutes for the Dashboard, as you already saw,  and a health-check probe. This gives you a template for your basic routes.

‍

Here's a sample IngressRoute embedded into the Helm chart to redirect requests:

‍

‍

This IngressRoute redirects requests from the `web` endpoint to a more secure HTTPS domain. With the Helm chart, a match rule is set to control which requests will be redirected, and a middleware object is attached to perform the actual redirecting functionality.

‍

For more complex routing behavior, it's recommended that you create and deploy your IngressRoute as a separate resource after your Traefik instance has been set up.

‍

Here is a more complex IngressRoute sample that uses both path-based and host-based matching to route traffic to different services:

‍

‍

In this configuration, traffic can come through both web (HTTP) and websecure (HTTPS) EntryPoints. Requests to example.net with the path /bar will be load balanced between two services (s1 and s2) using the round-robin strategy, while requests to /misc will be routed to service s3, with middleware applied to modify the request path. The final routes handle traffic for /lb and /mirrored, directing it to Traefik internal services for more advanced traffic management. Additionally, TLS is configured for secure communication.

‍

Middleware

Traefik middleware offers the flexibility to modify requests to fit specific use cases. Rather than using routes as they are, you can add additional features to enhance security, control access, and optimize operations. This customization allows you to implement functionalities such as authentication, rate limiting, or path rewriting, all without altering your application code.

‍

There are official stores for TCP and HTTP middleware with a community gallery of third-party middleware. You can add in simple middleware, like redirects, as extraObjects in your Helm chart. You can then define the middleware in whichever resource you need to process requests through. You can also deploy middleware as a separate Kubernetes resource.

‍

For example, if you are running a web service within your Kubernetes environment and want to manage traffic spikes, you can configure rate-limiting middleware within the Helm chart, ensuring the processing of requests is controlled to protect your services:

‍

‍

Services

Services are the last component your incoming requests go through within the Traefik system. They are responsible for configuring how Traefik will reach your applications and eventually handle the incoming requests. Traefik offers a number of features within Services, allowing you to load balance and split traffic between application servers based on set priorities or weights. You can run multiple Traefik services within your cluster. For example, you could have an external-facing default service and another service only accessible internally by pods within the cluster.

‍

Within the Helm chart, you can add Services under the additionalServices option:

‍

‍

Conclusion

In this article, you explored deploying Traefik within Kubernetes using Helm, walking through the different configuration options available in Traefik, and how to set them within your Helm chart. Traefik is a flexible ingress control option that helps you implement complex and secure connections through your Kubernetes cluster.

‍

mogenius is a cloud-agnostic platform offering self-service workspaces that simplify your Kubernetes deployments. With an intuitive UI and quick setup, you can install a preconfigured Traefik ingress controller within mogenius with just one click. This Traefik setup uses Helm under the hood and gives you best practice configuration with an easy customization process.

‍

For more information about mogenius, check out our website or documentation.

‍