Traefik on a Google Kubernetes Engine Cluster managed by Terraform
Google Kubernetes Engine is a great and easy way to explore Kubernetes without having to worry about creating a cluster on your own.
While playing around with it, I immediately started asking myself how I could automate the process of creating a GKE cluster and how I could easily deploy the powerful Traefik as my Ingress Controller.
At first, as already mentioned, I wanted to automate as much as possible. Therefore I decided to use the following tools:
Due to missing functionality in the Terraform Kubernetes provider to modify RBAC on the cluster, I deviated from my original idea of deploying Traefik solely via Terraform and decided to also use kubectl.
Of course, we first need a GCP project to use for our little case. In that project, billing and the Compute API need to be enabled.
Also, we obviously need to have the tools from above installed. All files used in this post are available inside this example project on GitHub. The code also includes some inline comments to explain what it's doing ;-)
Let's do it!
Alright, as we have everything settled, we can finally get down to business. First, we need to init our gcloud command-line.
In my case, I already had a configuration so I would choose the first option. If you don’t have any configuration at all, this screen will not appear.
If you see this screen, we're at an important step. Please take note of the email address you choose here (this is from your GCP account). You will need it later. After that, just go through the init chain. It's self-explanatory.
Once you've gone through the init, we need to connect the SDK with your account.
Now, we need to connect the local Terraform with the project we want to use. To do so, just run:
export GOOGLE_PROJECT=$(gcloud config get-value project)
Now, our gcloud SDK and Terraform are ready to go. Remember the email address you needed to note down? Now is the time to use it.
As already mentioned, GKE has some strong RBAC policies, so we need to modify them during the deployment. By default, your kubectl user does not have permission to modify RBAC on its own, which requires the next step.
In the file permissions.yml, we need to edit line 12 and put in the email address you noted down.
- apiGroup: rbac.authorization.k8s.io
Once this is done, we're able to init Terraform :-)
The next step is to apply with Terraform to get the cluster created.
Be patient, that will take a little while ;-) But eventually, you’ll see this
Once you see this, you will see a full-fledged cluster in your Google Cloud console.
In order to be able to deploy some services, we now need to wire up our local kubectl with the cluster spawned on GKE. This is done by simply running
Now, we're finally able to deploy Traefik. Using the provided code, it's just a simple
The configuration for the spawned Traefik can be found here.
Last but not least, just apply both demo services
And we’re done!
Now it’s time to check what we did. At first, head over to your GKE Dashboard and check the spawned services
What we can see is that the traefik-ingress-controller has an external IP and 2 ports opened. Our 2 demo services are deployed under whoami.traefikgke and nginx.traefikgke. Next, let's check the Traefik dashboard. This is reachable, as you have guessed, under the public IP on port 8080.
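To list what the cluster actually publishes on an external address, including the dashboard port, the following added example (not part of the example project) parses the output of `kubectl get svc --all-namespaces -o json`. The embedded sample is constructed: the namespace, port names and IP address are assumptions, only the service names and port 8080 come from this post.

```python
import json

# Constructed sample shaped like `kubectl get svc --all-namespaces -o json`.
# Namespace, port names and the documentation IP are assumptions.
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "traefik-ingress-controller", "namespace": "kube-system"},
   "spec": {"type": "LoadBalancer",
            "ports": [{"name": "web", "port": 80}, {"name": "admin", "port": 8080}]},
   "status": {"loadBalancer": {"ingress": [{"ip": "203.0.113.10"}]}}},
  {"metadata": {"name": "whoami", "namespace": "default"},
   "spec": {"type": "ClusterIP", "ports": [{"port": 80}]},
   "status": {"loadBalancer": {}}}
]}
""")

ADMIN_PORTS = {8080}  # Traefik dashboard port used in this post


def exposed_ports(service_list):
    """Return (namespace, name, address, port, source_ranges) for every port
    that a LoadBalancer service publishes on an external address."""
    findings = []
    for svc in service_list.get("items", []):
        spec = svc.get("spec", {})
        if spec.get("type") != "LoadBalancer":
            continue
        ingress = svc.get("status", {}).get("loadBalancer", {}).get("ingress") or []
        # No loadBalancerSourceRanges means no per-service client IP restriction.
        ranges = spec.get("loadBalancerSourceRanges") or ["0.0.0.0/0"]
        for entry in ingress:
            addr = entry.get("ip") or entry.get("hostname")
            for port in spec.get("ports", []):
                findings.append((svc["metadata"].get("namespace", "default"),
                                 svc["metadata"]["name"], addr, port["port"], ranges))
    return findings


def open_admin_ports(service_list):
    """Subset of exposed_ports(): admin ports reachable from any address."""
    return [f for f in exposed_ports(service_list)
            if f[3] in ADMIN_PORTS and "0.0.0.0/0" in f[4]]


if __name__ == "__main__":
    for ns, name, addr, port, ranges in exposed_ports(SAMPLE):
        flag = "ADMIN" if port in ADMIN_PORTS else "     "
        print(f"{flag} {ns}/{name} {addr}:{port} allowed from {','.join(ranges)}")
```

Against a live cluster, replace `SAMPLE` with `json.load(sys.stdin)` and pipe the kubectl output in; a service stops being reported by `open_admin_ports` once `loadBalancerSourceRanges` is set on it.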
To check both services, the best approach is to add local hosts entries that map the names whoami.traefikgke and nginx.traefikgke to the public IP from above.
As you can see, with the code from the example project things are straightforward. It's a little tricky to set up RBAC (ClusterRoleBindings, ServiceAccounts etc.), but with the example code it should be relatively self-explanatory.
Special thanks to Daniel Tomcej for helping me when I got lost :-)
If you have questions or feedback, feel free to reach out to me via Twitter @mZapfDE, I would highly appreciate it.