K3s: Question: how to install with Traefik HTTP disabled.

Created on 26 Jul 2019 · 4 Comments · Source: k3s-io/k3s

I'm looking to just have HTTPS enabled for the Traefik service, so I don't have to go back after deployment and disable it. Is there a simple way to do this?

All 4 comments

I had the same need, so I run the k3s server with --no-deploy=traefik and deploy my own customised helm chart instead with the local modifications I need:

    apiVersion: helm.cattle.io/v1
    kind: HelmChart
    metadata:
      namespace: kube-system
      name: traefik
    spec:
      chart: stable/traefik
      valuesContent: |-
        ...
        ssl:
          enabled: true
          enforced: true
        ...

@dewet22 Thank you -- I will try that. Were you also able to provide the SSL cert/key that way as well?

@clarktlaugh Yeah, I use four extra bits in my setup:

  • metallb to provide load balancers
  • cert-manager to manage LetsEncrypt wildcard certs via DNS01 and GCP
  • kubernetes-replicator to copy the certs to all namespaces that declare ingresses
  • external-dns to magically make hostnames that map to the loadbalancer pointer at traefik

For traefik, these are the complete set of values I override in my helm deployment:

    loadBalancerIP: 192.168.10.0  # provided by metallb, first IP in my /24 iBGP service subnet
    externalTrafficPolicy: Local  # makes cluster-external traffic appear from the actual IP
    rbac:
      enabled: true
    ssl:
      enabled: true
      enforced: true
    dashboard:
      enabled: true
      statistics:
        recentErrors: 10
      domain: traefik.mydomain
      ingress:
        tls:
        - secretName: mydomain-tls
    kubernetes:
      ingressEndpoint:
        useDefaultPublishedService: true  # makes traefik map ingress IPs correctly
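
A check one might run after deploying with these values, added here as an example and not part of the original thread: it classifies how the plaintext port answers, on the assumption that `ssl.enforced: true` makes Traefik redirect HTTP to HTTPS rather than close port 80. The function names and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that plaintext HTTP is only redirected, never served.
# Assumption: with ssl.enforced the HTTP entrypoint stays open and redirects.

# Reads raw response headers on stdin (as printed by `curl -sI http://host/`)
# and prints one verdict:
#   redirect-https  3xx whose Location is an https:// URL
#   redirect-other  3xx pointing anywhere else (or with no Location)
#   served-plain    2xx, content is reachable without TLS
#   other           4xx/5xx, or no parsable status line
classify_http_response() {
    awk '
        { sub(/\r$/, "") }                        # strip CR from CRLF lines
        NR == 1 && /^HTTP\// { status = $2; next }
        tolower($1) == "location:" { loc = $2 }   # header names are case-insensitive
        END {
            if (status ~ /^3[0-9][0-9]$/) {
                if (tolower(loc) ~ /^https:\/\//) print "redirect-https"
                else print "redirect-other"
            } else if (status ~ /^2[0-9][0-9]$/) {
                print "served-plain"
            } else {
                print "other"
            }
        }'
}

# Live check against one ingress hostname (needs curl and network access).
# A connection failure yields no headers and is reported as "other".
check_host() {
    curl -sI --max-time 5 "http://$1/" | classify_http_response
}

# Constructed sample responses, so the classifier can be exercised offline.
sample_enforced() {
    printf 'HTTP/1.1 302 Found\r\nLocation: https://traefik.mydomain/\r\n\r\n'
}
sample_plain() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n'
}

echo "enforced: $(sample_enforced | classify_http_response)"
echo "plain:    $(sample_plain | classify_http_response)"
```

Anything other than `redirect-https` from `check_host` on an ingress hostname means the HTTP entrypoint is not behaving as the values intend.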

Closing due to age.
