DEV Community

Tingwei

Posted on
Deploying Traefik Proxy with Cloudflare Origin CA Certificate on k0s

Objective:

Perform a minimal installation of k0s on a VPS, set up Traefik as a reverse proxy, and enable HTTPS using a Cloudflare Origin CA certificate.

Prerequisites:

  • A VPS (4GB RAM, 2 vCPUs)
  • A domain
  • k0s (v1.31.2+k0s.0)
  • Helm (v3.16.3)
  • MetalLB (v0.14.8)
  • Traefik (v3.2.0)
  • Traefik Helm Chart (v33.0.0)

Steps:

1. k0s Setup:

A single-node k0s installation is ideal for this minimal VPS setup to minimize resource usage. Below are the installation commands:

  • Download k0s
curl --proto '=https' --tlsv1.2 -sSf https://get.k0s.sh | sudo sh
  • Generate the configuration for a single-node k0s install
# output k0s.yaml
sudo k0s config create > k0s.yaml
  • Modify k0s.yaml to install MetalLB
  extensions:
    helm:
      concurrencyLevel: 5
      repositories:
        - name: metallb
          url: https://metallb.github.io/metallb
      charts:
        - name: metallb
          chartname: metallb/metallb
          version: "0.14.8"
          namespace: default
  • Start k0s
sudo k0s install controller --single --force --config k0s.yaml

sudo k0s start
  • Create ConfigMap for MetalLB

Replace [your_vps_public_ip] with the public IP address of your VPS.

---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: metallb-ip-pool
  namespace: default
spec:
  addresses:
    - [your_vps_public_ip]/32
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: metallb-l2-advertisment
  namespace: default
spec:
  ipAddressPools:
    - metallb-ip-pool

After saving this as metallb-l2-pool.yaml, apply it:

kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io metallb-webhook-configuration

kubectl apply -f metallb-l2-pool.yaml

Why kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io metallb-webhook-configuration?

2. Enabling HTTPS and Redirect HTTP to HTTPS:

Create a TLS secret from the Cloudflare Origin CA certificate and its private key. The secret name is referenced again in the Traefik values file below, so use the same name in both places:

kubectl create secret tls your-tls-secret --cert=your_origin_ca.pem --key=your_origin_ca.key --namespace=default

3. Installing Traefik:

Install Traefik using the Helm chart.

  • Install Helm

  • Add your traefik_values.yaml

    • my-tls-secret is the TLS secret created in the previous step (the command there used the name your-tls-secret; whichever name you chose, it must match here).
    • redirectTo redirects HTTP on the web entrypoint to HTTPS on websecure.
    • nodeAffinity pins the Traefik pod to the controller node, which is the only node in this single-node setup.
#  traefik_values.yaml
ports:
  web:
    redirectTo:
      port: websecure
tlsStore:
  default:
    defaultCertificate:
      secretName: my-tls-secret
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: node-role.kubernetes.io/control-plane
              operator: Exists

Then add the Traefik chart repository and install the chart with these values:

helm repo add traefik https://traefik.github.io/charts

helm install -f traefik_values.yaml traefik traefik/traefik

4. Test Deployment:

Deploy a simple whoami application to test if the setup is successful.

  • Add your whoami.yaml

    • port = 8001 (or any port you prefer)
    • WHOAMI_PORT_NUMBER is required and must be set to the same port, since it tells whoami which port to listen on.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
  namespace: default
  labels:
    app: whoami
spec:
  replicas: 1
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
          env:
            - name: WHOAMI_PORT_NUMBER
              value: "8001"
---
apiVersion: v1
kind: Service
metadata:
  name: whoami-service
  namespace: default
  labels:
    app: whoami
spec:
  ports:
    - port: 8001
      targetPort: 8001
  selector:
    app: whoami
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-ingress
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`your_domain`) && PathPrefix(`/whoami`)
      kind: Rule
      services:
        - name: whoami-service
          port: 8001

Then apply it:

kubectl apply -f whoami.yaml

You should now see the whoami response at https://your_domain/whoami, and a plain http:// request to the same URL should be redirected there.


Top comments (2)

Alexandre Fernandes dos Santos

Great article! I liked the examples.

Tingwei

Thanks!!
