Installing with the Helm Chart
Deployment Only
The Traefik Enterprise Helm Chart provides support for deploying and upgrading core components such as the Controllers, Proxies and Plugin Registry, without applying any runtime configuration by default.
Requirements
- Helm version 3 installed
- Kubernetes version 1.13 or greater
Adding the Traefik Enterprise repository
Run the following command to add the repository:
helm repo add traefik https://traefik.github.io/charts
Run the following command to update the repository:
helm repo update
Deploy the cluster
To deploy Traefik Enterprise in the default Kubernetes namespace:
helm install traefikee traefik/traefikee
However, it is recommended to deploy Traefik Enterprise in a separate namespace:
helm install traefikee traefik/traefikee --namespace traefikee --create-namespace
The next step is to create the Kubernetes secret that will hold the Traefik Enterprise license key.
kubectl create secret generic $CLUSTERNAME-license --from-literal=license="$TRAEFIKEE_LICENSE" -n traefikee
The command above assumes two environment variables named $CLUSTERNAME and $TRAEFIKEE_LICENSE are already defined.
By default, the expected value for $CLUSTERNAME is default.
Setting cluster name
The cluster name can be customized with the cluster key in your deployment values file or directly as a flag:
helm install traefikee traefik/traefikee --set "cluster=mycluster" --namespace traefikee --create-namespace
Custom deploy parameters
The following command displays all available configuration parameters, which can be changed according to your needs.
helm show values traefik/traefikee
The output of the command can be redirected to a file, e.g. values.yaml, and then modified accordingly and used with the Helm install command.
helm install traefikee traefik/traefikee -f values.yaml
HA Values
This chart provides an example of a high-availability set of defaults.
curl -L https://raw.githubusercontent.com/traefik/traefikee-helm-chart/master/traefikee/values-ha.yaml
One can apply it as custom values:
curl -O https://raw.githubusercontent.com/traefik/traefikee-helm-chart/master/traefikee/values-ha.yaml
# Update the HA values according to your needs
helm install traefikee traefik/traefikee -f values-ha.yaml
Applying a static configuration
After deploying, the cluster will be up and running, with a simple static configuration, set in values:
controller:
  [...]
  staticConfig:
    # configMap:
    #   name: traefik-config
    #   key: "static.yml"
    content: |
      entrypoints:
        web:
          address: ":7000"
        websecure:
          tls: {}
          address: ":7443"
      ping: {}
      providers:
        kubernetesIngress:
          allowEmptyServices: true
        kubernetesCRD:
          allowEmptyServices: true
This configuration allows Traefik Enterprise to run securely, without using a privileged port, with liveness and readiness checks using /ping.
There are two main approaches for applying a static configuration to the cluster at this point:
- by updating the static configuration set in the values of the Helm Chart
- by creating another Kubernetes ConfigMap with its content, outside of the Helm Chart
Creating another Kubernetes ConfigMap
Create the config map by executing the following command:
kubectl create configmap --from-file=static.yaml $CLUSTERNAME-static-config -n traefikee
Once the ConfigMap is created, it must be mounted on the controllers with the proxy.staticConfig.configMap and proxy.staticConfig.configMapKey flags:
helm upgrade --install traefikee traefik/traefikee --set "cluster=$CLUSTERNAME,controller.staticConfig.content=null,controller.staticConfig.configMap.name=$CLUSTERNAME-static-config,controller.staticConfig.configMap.key=static.yaml" --namespace traefikee --create-namespace
Reloading the static configuration
Each time the config map is updated, Traefik Enterprise will reload the changes automatically.
Static volume provisioning
Setting static PV name
In some cases, the static PV name may need to match the following format:
${PVC_TEMPLATE_NAME}-${STATEFULSET_NAME}-${REPLICA_INDEX}
Below are examples for Traefik Enterprise using the local path provisioner or the EFS CSI driver as the static provisioner:
# pv.yaml (local path provisioner)
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-controller-0
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 10Gi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: data-default-controller-0
    namespace: traefikee
  persistentVolumeReclaimPolicy: Delete
  storageClassName: standard
  volumeMode: Filesystem
  hostPath:
    path: /var/local-path-provisioner/pvc-controller-0_traefikee_data-default-controller-0
    type: DirectoryOrCreate
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-registry-0
spec:
  accessModes:
    - ReadWriteOnce
  capacity:
    storage: 5Gi
  claimRef:
    apiVersion: v1
    kind: PersistentVolumeClaim
    name: plugin-data-default-plugin-registry-0
    namespace: traefikee
  persistentVolumeReclaimPolicy: Delete
  storageClassName: standard
  volumeMode: Filesystem
  hostPath:
    path: /var/local-path-provisioner/pvc-registry-0_traefikee_plugin-data-default-plugin-registry-0
    type: DirectoryOrCreate
# pv.yaml (EFS CSI driver)
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-controller-0
spec:
  capacity:
    storage: 10Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: efs-sc
  csi:
    driver: efs.csi.aws.com
    volumeHandle: fs-0dae47308e4b64b6c
  claimRef:
    name: data-default-controller-0
    namespace: traefikee
---
apiVersion: v1
kind: PersistentVolume
metadata:
  name: pv-registry-0
  namespace: traefikee
spec:
  capacity:
    storage: 5Gi
  volumeMode: Filesystem
  accessModes:
    - ReadWriteOnce
  storageClassName: efs-sc
  persistentVolumeReclaimPolicy: Retain
  csi:
    driver: efs.csi.aws.com
    volumeHandle: fs-0723cab9644700873
  claimRef:
    name: plugin-data-default-plugin-registry-0
    namespace: traefikee
Namespace and claimRef values
The namespace must be the same as the one defined in the Helm release (by default traefikee).
spec.claimRef must match the volumeClaimTemplates value defined in the Helm chart.
EKS Fargate and persistent storage
EKS Fargate supports only EFS as a persistent storage provisioner, as detailed here. To run a Traefik Enterprise pod on EKS Fargate, you should create the PV before deploying.
EFS provisioning
EFS provisioning needs the EFS volume ID (in spec.csi.volumeHandle) to be declared in the PV definition.
The EFS volume ID is set when creating the volume and can be found in the AWS EFS dashboard or with the aws CLI, as detailed here.
Apply the YAML file described above to your cluster:
kubectl apply -f pv.yaml
Install Traefik Enterprise and the volumes will be automatically bound:
helm upgrade --install traefikee traefik/traefikee --namespace traefikee --create-namespace
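A pre-flight check for the claimRef rules above, as an added example that is not part of the Traefik Enterprise chart or documentation: it reads a PV manifest and flags any claimRef whose name or namespace would keep the chart's PVCs from binding to the intended volume. The function names are hypothetical, the PVC name pattern is inferred from the manifests on this page, and the sample manifest is constructed.

```sh
# Assumption taken from the manifests on this page: PVC names look like
# data-<cluster>-controller-<n> and plugin-data-<cluster>-plugin-registry-<n>.
# Print "name namespace" for each claimRef block in a PV manifest ("-" if unset).
claim_refs() {
  awk '
    function flush() { if (inref) print name, ns; inref = 0 }
    /^---/ { flush(); next }
    /^ *(#.*)?$/ { next }
    {
      indent = match($0, /[^ ]/) - 1
      if (inref && indent <= ref_indent) flush()
      if ($1 == "claimRef:") { inref = 1; ref_indent = indent; name = ns = "-"; next }
      if (inref && $1 == "name:") name = $2
      if (inref && $1 == "namespace:") ns = $2
    }
    END { flush() }' "$1"
}
# usage: check_pv_claims FILE CLUSTER [NAMESPACE]; exits 1 on any mismatch.
check_pv_claims() (
  file="$1"; cluster="$2"; namespace="${3:-traefikee}"; bad=0
  pattern="^(data-${cluster}-controller|plugin-data-${cluster}-plugin-registry)-[0-9]+\$"
  refs="$(claim_refs "$file")"
  [ -n "$refs" ] || { echo "no claimRef found in $file" >&2; exit 1; }
  while read -r name ns; do
    printf '%s\n' "$name" | grep -Eq "$pattern" ||
      { echo "unexpected claimRef name: $name" >&2; bad=1; }
    [ "$ns" = "$namespace" ] ||
      { echo "$name: namespace $ns is not the release namespace $namespace" >&2; bad=1; }
  done <<EOF
$refs
EOF
  exit "$bad"
)
# Constructed, trimmed sample: the second PV names the wrong cluster and namespace.
sample_pv() { cat <<'EOF'
kind: PersistentVolume
spec:
  claimRef:
    name: data-default-controller-0
    namespace: traefikee
  storageClassName: standard
---
kind: PersistentVolume
spec:
  claimRef:
    name: plugin-data-mycluster-plugin-registry-0
    namespace: default
EOF
}
```

Run it as `check_pv_claims pv.yaml "$CLUSTERNAME" traefikee` before `kubectl apply -f pv.yaml`; on the constructed sample it reports the second PV twice and exits 1.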
Remote Access Through teectl
Once your cluster is ready, if you want to operate the cluster remotely using the teectl tool, you will need to generate credentials from your cluster using traefikee generate credentials on one of your controllers and use teectl to import the cluster credentials.
kubectl exec -n traefikee default-controller-0 -- /traefikee generate credentials --kubernetes.kubeconfig="${KUBECONFIG}" --cluster=default > config.yaml
teectl cluster import --file="config.yaml"
You can now use teectl to operate your cluster.
teectl get nodes
ID                         NAME                            STATUS  ROLE
3l5xt87fkc2ztlqlkwcpavuev  default-proxy-6f488c84c5-cx9wj  Ready   Proxy / Ingress
52sje29l1zreu1h319vabtzmx  default-controller-1            Ready   Controller
c5j53krue2avv77ajr8h5bcoz  default-controller-0            Ready   Controller (Leader)
yjtz8kvnsgmqmuycup69vx180  default-proxy-6f488c84c5-2zwb7  Ready   Proxy / Ingress
yo4cycxshnuazwvmrfjtowugw  default-proxy-6f488c84c5-b2c9d  Ready   Proxy / Ingress
yqz838gxifzoh0czugxju2r4p  default-controller-2            Ready   Controller
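The credentials export above, wrapped as an added example (not part of teectl or the original page) so that the generated file is readable only by its owner and is deleted once imported. The function name is hypothetical, and the pod name assumes the <cluster>-controller-0 naming shown for the default cluster.

```sh
# usage: import_teectl_credentials CLUSTER [NAMESPACE]
# Runs in a subshell so the umask and the EXIT trap do not leak into the caller.
import_teectl_credentials() (
  cluster="${1:?cluster name required}"
  namespace="${2:-traefikee}"
  umask 077                                 # owner-only for anything created here
  creds="$(mktemp "${TMPDIR:-/tmp}/teectl-creds.XXXXXX")" || exit 1
  trap 'rm -f "$creds"' EXIT                # delete the file on success and on failure
  kubectl exec -n "$namespace" "${cluster}-controller-0" -- \
    /traefikee generate credentials \
    --kubernetes.kubeconfig="${KUBECONFIG:-}" --cluster="$cluster" > "$creds" || exit 1
  # An empty file means nothing usable came back; do not hand it to teectl.
  [ -s "$creds" ] || { echo "no credentials returned for $cluster" >&2; exit 1; }
  teectl cluster import --file="$creds" || exit 1
  echo "imported credentials for cluster $cluster"
)
```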
Next steps
- Take a look at the Operations guide for instructions on setting up the Traefik Dashboard and API
- Deploy a sample application with an Ingress by following this guide
License Monitoring
When a Traefik Enterprise controller starts for the first time, it checks the license validity.
If the license is valid, another check is done once every 24 hours.
If the controller can't communicate with the license server, a 72-day grace period starts to recover from this situation.
Once the grace period is over, the controller stops updating the proxies configuration.
See the FAQ to learn how to implement license monitoring.