Provide more insight on Traefik 2 guide (#78)

* minhtt159 update k3s-traefik-rancher

* minhtt159 update k3s-traefik-rancher

Author: minhtt159

_posts/2021-04-11-k3s-traefik-rancher.md

@@ -65,21 +65,31 @@ export INSTALL_K3S_VERSION=v1.20.5+k3s1
 curl -sfL https://get.k3s.io | sh -s - server --node-taint CriticalAddonsOnly=true:NoExecute --tls-san your.load.balancer.ip --write-kubeconfig-mode 644 --disable traefik --disable servicelb
 ```
 
-This should reconfigure your servers.  I ran it on all servers in my cluster.
+This should reconfigure your servers.  Just run it on all server nodes, not agent nodes.
 
 ## Install Metal LB
 
 [Metal LB installation](https://metallb.universe.tf/installation/)
 
+You can follow [Self-Hosting Your Homelab Services with SSL](https://www.youtube.com/watch?v=pAM2GBCDGTo) to get the idea of Metal LB. It's recommended to:
+
+* Install with [helm](https://metallb.universe.tf/installation/#installation-with-helm)
+* Use [Layer2 configuration](https://metallb.universe.tf/configuration/#layer-2-configuration) if you follow this series
 
 ## Exposing Rancher directly to your Metal LB 
 
-It's a good idea to do this until traefik is configured otherwise you won't have access to the Rancher Ui
+It's a good idea to do this until traefik is configured otherwise you won't have access to the Rancher UI
 
 ```bash
 kubectl expose deployment rancher -n cattle-system --type=LoadBalancer --name=rancher-lb --port=443
 ```
 
+Then, you can access Rancher UI after getting external-IP
+
+```bash
+kubectl get service/rancher-lb -n cattle-system
+```
+
 ## Install Traefik 2
 
 You can can choose between creating `Ingress` in Rancher or `IngresRoute` with `traefik` 
@@ -91,116 +101,130 @@ If you choose `IngressRoute` see [IngressRoute](#exposing-a-service-with-traefik
 * This will get wildcard certs
 * This is pointed at staging, if you want production be sure comment staging the line (and delete your staging certs)
 
-We will be installing this into the `kube-system` namespace, which already exists.  If you are going to use anther namespace you will need change it everywhere.
+We will be installing this into the `kube-system` namespace, which already exists. If you are going to use anther namespace you will need change it everywhere.
 
-add `traefik` helm repo and update
+### (Opional) Make sure that persistent volume claim is available
 
-```bash
-helm repo add traefik https://helm.traefik.io/traefik
-helm repo update
-```
+The dynamic configuration for Traefik is stored in a persistent volume. If you want to persist the certificate, it's better to create one now to claim later.
 
-create `traefik-config.yaml` with the contents of `/config/traefik-config.yaml` from [/config](https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik2-k3s-rancher/config)
+To create a persistent volume, it's better to check out [Cloud Native Distributed Storage in Kubernetes with Longhorn](https://www.youtube.com/watch?v=eKBBHc0t7bc).
 
-this holds our cloudflare secrets along with a configmap
+If not, just create one from `Rancher UI > Clusters (Choose your cluster) > Storage > Persistent Volume > Add volume`
 
-update this file with your values
-
-apply the config
+### Add `traefik` helm repo and update
 
 ```bash
-kubectl apply -f traefik-config.yaml
+helm repo add traefik https://helm.traefik.io/traefik
+helm repo update
 ```
 
-create `traefik-chart-values.yaml` with the contents of `/config/traefik-chart-values.yaml` from [/config](https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik2-k3s-rancher/config)
-
-Update `loadBalancerIP` in `traefik-chart-values.yaml` with your Metal LB IP
-
-
-Before running this, be sure you only have one default storage class set.  If you are using Rancher it is Cluster>Storage>Storage Classes.  Make sure only one is default.
-
+### Edit & apply ConfigMap
 
-create config then update the values
+* Create `traefik-config.yaml` with the contents of `/config/traefik-config.yaml` from [/config](https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik2-k3s-rancher/config)
+* This holds our cloudflare secrets along with a configmap
+* Update this file with your values
+* Re-check if you have a persistent volume ready to claim
+* Apply the config
 
 ```bash
 kubectl apply -f traefik-config.yaml
 ```
 
-```bash
-helm install traefik traefik/traefik --namespace=kube-system --values=traefik-chart-values.yaml
-```
-
-If all went well, you should now have traefik 2 installed and configured.
+###  Edit & install Traefik helm chart
 
+* Create `traefik-chart-values.yaml` with the contents of `/config/traefik-chart-values.yaml` from [/config](https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik2-k3s-rancher/config)
+* Update `loadBalancerIP` in `traefik-chart-values.yaml` with your Metal LB IP
 
-## Exposing a service with traefik and Rancher Ingress
+Before running this, be sure you only have one default storage class set.
 
-In Rancher go to Load Balancing
+If you are using Rancher it is `Cluster > Storage > Storage Classes`. Make sure only one is default.
 
-* create ingress
-* choose a host name (service.example.com)
-* choose a target (your workload)
-* set the port to the exposed port within the container
-* go to labels and annotations and add `kubernetes.io/ingress.class` = `traefik-external`
-* note, `traefik-external` comes from `--providers.kubernetesingress.ingressclass=traefik-external` in `traefik-chart-values.yml`.  If you used something else, you will need to set your label properly.
-* when you visit your website (`https://service.example.com`) you should now see a certificate issues.  If it's a staging cert, see the note about switching to production in `traefik-chart-values.yaml`.  After changing, you will need to delete your certs in storage and reapply that file
+* Install Traefik with chart values
 
 ```bash
-kubectl delete -n kube-system persistentvolumeclaims acme-json-certs
-kubectl apply -f traefik-config.yaml
+helm install traefik traefik/traefik --namespace=kube-system --values=traefik-chart-values.yaml
 ```
 
-## Exposing a service with traefik IngressRoute
+More configuration value can be add from this [default-value.yaml](https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml) from Traefik github.
 
-copy the contents of [config-ingress-route/kubernetes](https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik2-k3s-rancher/config-ingress-route) to your local machine
+If all went well, you should now have traefik 2 installed and configured.
 
-then run
+### Check for container logs
+
+To check if the Traefik instance is running correctly, see the logs:
 
 ```bash
-kubectl apply -f kubernetes
+kubectl -n kube-system logs $(kubectl -n kube-system get pods --selector "app.kubernetes.io/name=traefik" --output=name)
 ```
 
-This will create the deployment, service, and ingress.
+It should be `level=info msg="Configuration loaded from flags."`
 
+## Traefik Dashboard
 
-## Dashboard
+To see all router to Traefik, we can install and expose Traefik Dashboard.
 
-First you will need `htpassword` to generate a password for your dashboard
+First you will need `htpassword` to generate a password for your dashboard.
 
 ```bash
 sudo apt-get update
 sudo apt-get install apache2-utils
 ```
 
-You can then generate one using this, be sure to swap your username and password
+You can then generate one using this, be sure to swap your username and password.
 
 ```bash
 htpasswd -nb techno password | openssl base64
 ```
 
-it should output
+It should output:
 
 ```bash
 dGVjaG5vOiRhcHIxJFRnVVJ0N2E1JFpoTFFGeDRLMk8uYVNaVWNueG41eTAKCg==
 ```
 
-copy `traefik-dashboard-secret.yaml` locally and update it with your credentials
+Save this in a secure place, it will be the password you use to access the traefik dashboard.
 
+Copy `traefik-dashboard-secret.yaml` locally and update it with your credentials.
 
-then apply
+Copy `traefik-dashboard-ingressroute.yaml` and update it with your hostname, then apply:
 
 ```bash
-kubectl apply -f traefik-config.yaml
+kubectl apply -f traefik-dashboard-secret.yaml
+kubectl apply -f traefik-dashboard-ingressroute.yaml
 ```
 
-copy `traefik-dashboard-ingressroute.yaml` and update it with your hostname
+This should create:
+* A secret in Kubernetes cluster name `traefik-dashboard-auth`
+* A middleware for Traefik name `traefik-dashboard-basicauth`
+* An ingress route for Traefik name `dashboard`
 
+Check out the Traefik Dashboard with the URL you specify earlier.
 
-Save this in a secure place, it will be the password you use to access the traefik dashboard
+## Exposing a service with traefik and Rancher Ingress
 
+In Rancher go to Load Balancing
 
-## files
+* create ingress
+* choose a host name (service.example.com)
+* choose a target (your workload)
+* set the port to the exposed port within the container
+* go to labels and annotations and add `kubernetes.io/ingress.class` = `traefik-external`
+* note, `traefik-external` comes from `--providers.kubernetesingress.ingressclass=traefik-external` in `traefik-chart-values.yml`.  If you used something else, you will need to set your label properly.
+* when you visit your website (`https://service.example.com`) you should now see a certificate issues.  If it's a staging cert, see the note about switching to production in `traefik-chart-values.yaml`.  After changing, you will need to delete your certs in storage and reapply that file
+
+```bash
+kubectl delete -n kube-system persistentvolumeclaims acme-json-certs
+kubectl apply -f traefik-config.yaml
+```
+
+## Exposing a service with traefik IngressRoute
 
-## Putting Rancher behind Traefik 2
+copy the contents of [config-ingress-route/kubernetes](https://github.com/techno-tim/techno-tim.github.io/tree/master/reference_files/traefik2-k3s-rancher/config-ingress-route) to your local machine
+
+then run
+
+```bash
+kubectl apply -f kubernetes
+```
 
-TBD
+This will create the deployment, service, and ingress.

reference_files/traefik2-k3s-rancher/config/traefik-chart-values.yml

@@ -9,7 +9,6 @@ additionalArguments:
   - --certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
   # comment the line above when going to production
   - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
-  - --certificatesresolvers.cloudflare.acme.email=youremail@example.com
   - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53
   - --certificatesresolvers.cloudflare.acme.storage=/certs/acme.json
   - --serversTransport.insecureSkipVerify=true
@@ -50,14 +49,20 @@ env:
       secretKeyRef:
         key: apiKey
         name: cloudflare-apikey-secret
+  - name: CF_API_EMAIL
+    valueFrom:
+      secretKeyRef:
+        key: email
+        name: cloudflare-apikey-secret
 ingressRoute:
   dashboard:
     enabled: false
 persistence:
   enabled: true
+# make sure this claim is existed
+  existingClaim: acme-json-certs
   accessMode: ReadWriteOnce
   size: 128Mi
-  existingClaim: acme-json-certs
   path: /certs
 volumes:
   - mountPath: /data

reference_files/traefik2-k3s-rancher/config/traefik-dashboard-ingressroute.yml

@@ -10,6 +10,8 @@ spec:
   routes:
     - match: Host(`traefik.example.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
       kind: Rule
+      middlewares:
+        - traefik-dashboard-basicauth
       services:
         - name: api@internal
           kind: TraefikService