Skip to main content

Set Your Cluster's IP in a Variable

Throughout these lessons we'll be using sslip.io to dynamically map a hostname to a local IP address. The IP address of my node is different from yours, so whenever possible, I'll reference a URL like: dashboard.traefik.$CLUSTERIP.sslip.io. For examples with kubectl and curl, this will work if you set the variable CLUSTERIP to the address of your cluster. For pages loaded in the browser you'll have to make that substitution yourself.

PRO TIP: If you don't know the IP address of your cluster, you can look in your kubectl config file.

grep server: $KUBECONFIG
      server: "https://10.68.0.70:6443"

# bash
export CLUSTERIP=10.68.0.70

# fish
set -x CLUSTERIP 10.68.0.70

Put Yourself Into Traefik Proxy's Namespace

K3s places Traefik Proxy into the kube-system namespace. If you installed with Helm, it might be in traefik-system or a namespace of your own choosing. You can either append the namespace to all of the commands below, or you can set that namespace as part of your context.

➤ kubectl config set-context --current --namespace kube-system

Context "demo" modified.

Create the Service

The port for the Traefik Proxy dashboard is not included in the default traefik service created when Helm installs Traefik. We need this as a target for our Ingress, so we'll create a new Service.

➤ kubectl expose deploy/traefik -n kube-system --port=9000 --target-port=9000 --name=traefik-dashboard

service/traefik-dashboard exposed

Create the Ingress

With the Service created, we can create an Ingress that exposes the dashboard outside of the cluster.

➤ kubectl create ingress traefik-dashboard --rule="dashboard.traefik.$CLUSTERIP.sslip.io/*=traefik-dashboard:9000"

ingress.networking.k8s.io/traefik-dashboard created

Visit the Dashboard

You can visit the dashboard with curl to verify that it returns a 200 response code.

➤ curl -si http://dashboard.traefik.$CLUSTERIP.sslip.io/dashboard/ | head -n 1

HTTP/1.1 200 OK

Visit the dashboard in a browser. Look at the Routers under the HTTP section and find our Ingress. Which entrypoints is it listening on?

Add the Annotations

If you don't specify an entrypoint, Traefik will answer for the Ingress on all entrypoints. This usually doesn't make sense, since we have different entrypoints for a reason. To control this behavior, we'll add an annotation that tells Traefik the exact entrypoint from which we want this Ingress to be served.

➤ kubectl annotate ingress traefik-dashboard traefik.ingress.kubernetes.io/router.entrypoints=web

ingress.networking.k8s.io/traefik-dashboard annotated

Reload the Routers page. Where is the entrypoint for the Ingress now?

What other applications are listening? Can you access any of them with a browser?

Why Did We Disable The websecure Entrypoint?

We want to control what our cluster does. When we created the Ingress, Traefik assigned it to all entrypoints, which in this case was just web and websecure. What if we had an entrypoint for SMTP or IMAP? By specifying the entrypoint, we control what Traefik does, now and in the future.

We'll add configuration for HTTPS later in this class, and when we do, we'll redirect HTTP to HTTPS. To do that, we need separate configuration for each entrypoint, so it makes the most sense to start with the minimum and build it up instead of starting with more than we need and tearing it apart later.