Deploy Traefik as a Gateway API – Sidero Documentation

Overview

This article provides a step-by-step guide to deploying Traefik, a modern reverse proxy and load balancer, on a Talos Linux Kubernetes cluster using Helm. It covers prerequisites like a running Talos cluster, kubectl, and Helm, then walks through installing Gateway API CRDs, Traefik via Helm, configuring a Gateway, deploying a test application (whoami), setting up an HTTPRoute, and testing the setup. The guide ensures Traefik is properly integrated with Kubernetes’ Gateway API for managing external traffic.

Deploying Traefik on a Talos Kubernetes Cluster: A Step-by-Step Guide

This guide explains how to deploy Traefik, a popular cloud-native reverse proxy and load balancer, on a Talos Linux Kubernetes cluster using Helm and the Gateway API. Traefik simplifies routing external traffic to services in your cluster while providing features like load balancing, TLS termination, and observability.


Prerequisites

Before starting, ensure you have the following:

  • A running Talos Linux Kubernetes cluster.
  • kubectl.
  • Helm.

Verify your setup by running:

kubectl get nodes

Step 1: Install Gateway API CRDs and Traefik RBAC

The Gateway API (a Kubernetes-native way to manage ingress traffic) is not included by default in Kubernetes. This step installs:

  • Custom Resource Definitions (CRDs) for Gateway, HTTPRoute, and other Gateway API resources.
  • RBAC permissions for Traefik to manage these resources.

Run the following commands:

kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml

Step 2: Install Traefik via Helm

Traefik is installed using its official Helm chart. Here’s how:

  1. Create a values.yaml file to enable the Gateway API provider (Traefik’s integration with Kubernetes Gateway API):

    providers:
      kubernetesGateway:
        enabled: true
    
  2. Add the Traefik Helm repository and install Traefik:

    helm repo add traefik https://traefik.github.io/charts
    helm repo update
    helm install traefik traefik/traefik -f values.yaml
    
    • When installed with kubernetesGateway enabled, Traefik automatically creates a GatewayClass named traefik, so you don’t need to define it manually.

Step 3: Create a Gateway

A Gateway defines how external traffic enters your cluster. In this example, we configure Traefik to listen for HTTP traffic on port 8000.

Create a gateway.yaml file:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gateway
spec:
  gatewayClassName: traefik
  listeners:
    - name: web
      port: 8000
      protocol: HTTP

Apply it:

kubectl apply -f gateway.yaml

Step 4: Deploy a Test Application

To verify Traefik’s routing, deploy a simple whoami application (a lightweight HTTP server that returns request details).

Create a whoami.yaml file:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
          ports:
            - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
spec:
  ports:
    - port: 80
      targetPort: 80
  selector:
    app: whoami

Apply it:

kubectl apply -f whoami.yaml

Step 5: Create an HTTPRoute

An HTTPRoute maps incoming traffic from the Gateway to the whoami service.

Create an httproute.yaml file:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: whoami-route
spec:
  parentRefs:
    - name: my-gateway
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: whoami
          port: 80

Apply it:

kubectl apply -f httproute.yaml

Step 6: Test the Setup

Verify that Traefik is correctly routing traffic:

  1. Forward the Traefik service locally to port 8000:

    kubectl port-forward svc/traefik 8000:8000
    
  2. Send a test request to the whoami application:

    curl http://localhost:8000
    
    • You should see a response with details about the request (e.g., hostname, IP, headers).

Key Takeaways

  • Traefik simplifies ingress management in Kubernetes by integrating with the Gateway API.
  • Helm makes installation easy, with customizable configurations via values.yaml.
  • Testing with whoami ensures your routing setup works before deploying real applications.
  • Gateway API is the future of Kubernetes ingress, replacing older Ingress resources with a more flexible and powerful model.

For production use, consider:

  • Enabling TLS termination for HTTPS traffic.
  • Configuring load balancing and rate limiting.
  • Monitoring Traefik with Prometheus and Grafana.
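
For the first item, TLS can be terminated on the Gateway itself. The manifest below is an added example, not part of the original guide: it extends my-gateway with an HTTPS listener and binds the whoami route to that listener only. The hostname whoami.example.com, the Secret name whoami-tls, and listener port 8443 (assumed to match Traefik's websecure entry point under the chart defaults) are assumptions.

```yaml
# Added example; hostname, Secret name and port 8443 are assumptions.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: my-gateway
spec:
  gatewayClassName: traefik
  listeners:
    - name: web                # plain-HTTP listener from Step 3
      port: 8000
      protocol: HTTP
      allowedRoutes:
        namespaces:
          from: Same           # only routes in the Gateway's namespace may attach
    - name: websecure
      port: 8443               # assumed to match Traefik's websecure entry point
      protocol: HTTPS
      hostname: whoami.example.com
      tls:
        mode: Terminate        # TLS ends at Traefik; backend traffic stays HTTP
        certificateRefs:
          - kind: Secret
            name: whoami-tls   # kubernetes.io/tls Secret in the same namespace
      allowedRoutes:
        namespaces:
          from: Same
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: whoami-route
spec:
  parentRefs:
    - name: my-gateway
      sectionName: websecure   # attach to the HTTPS listener only
  hostnames:
    - whoami.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: whoami
          port: 80
```

The whoami-tls Secret must exist before the listener can serve traffic; it can be created with kubectl create secret tls from a certificate and key file. Without sectionName, the route would also attach to the plain-HTTP web listener and keep serving the application unencrypted.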

Extra links

  • https://doc.traefik.io/traefik/providers/kubernetes-gateway/
  • https://gateway-api.sigs.k8s.io/
  • https://www.talos.dev/v1.6/introduction/getting-started/
  • https://helm.sh/docs/intro/using_helm/