Blog
April 27, 2022

Traefik Enterprise and Cloudflare 101

traefik and cloudflare 101

Traefik Enterprise is a unified cloud native networking solution that eases microservices networking complexity.

And what better way to ease the complexity of networking other than taking care of the undeniably tedious task that is managing HTTPS certificates.

In this 101 guide, I will show you how to install the latest version of Traefik Enterprise and how to configure a provider. With my configuration, your Traefik Enterprise automatically will get Let's Encrypt certificates and all certificate requests are validated against Cloudflare DNS.

You can find all the files for Traefik Enterprise on GitHub.

Prerequisites

To follow through with this guide, you need to have the following:

  • Kubernetes Cluster
  • Traefik Enterprise License Key
  • Cloudflare Account

Now that you have everything set up, let's get started!

Configuration

Since version 2.3.0 of Traefik Enterprise, you are able to install it without any additional tool. You can now deploy Traefik Enterprise with Argo CD or some other Continuous Delivery tool.

But first, you need to prepare all the Kubernetes objects.

Namespace

Create a new namespace for your installation with the CLI.

kubectl create namespace traefikee

Or with a file:

---
apiVersion: v1
kind: Namespace
metadata:
  name: traefikee

Secret (license)

Add the license as a secret from kubectl. For this example, I am using the Traefik Enterprise license.

kubectl create secret generic traefik-enterprise-license --from-literal=license=EXAMPLE-LICENSE -n traefikee

Or with a file:

---
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: traefik-enterprise-license
  namespace: traefikee
stringData:
  license: EXAMPLE-LICENSE

Static Configuration

Create a ConfigMap with the static configuration.

---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: traefikee
  name: traefik-enterprise-static-config
data: 
  static.yaml: | 
    entryPoints:
      web:
        address: ":80"
        http:
          redirections:
            entryPoint:
              to: websecure
              scheme: https
              permanent: true
      websecure:
        address: ":443"
 
    api:
      dashboard: true
     
    providers:
      kubernetescrd: {}
      kubernetesingress: {}
      
    certificatesResolvers:
      cloudflare:
        acme:
          email: [email protected]
          storage: acme.json
          dnsChallenge:
            provider: cloudflare
            resolvers:
              - "1.1.1.1"

You can copy this example in your editor and modify it as you like. Make sure to change the example email address used here.

Manifest

With a simple Curl call, you can get your YAML manifest to deploy all Traefik Enterprise components.

Here's an example of the latest version of Traefik Enterprise:

curl -L -k "https://install.enterprise.traefik.io/v2.6?cluster=traefik-enterprise&namespace=traefikee" -o traefik-enterprise-manifest.yaml

Add environment variables for Cloudflare

First, create a Secret with your login information for Cloudflare API.

---
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-credentials
  namespace: traefikee
type: Opaque
stringData:
  email: YOUR_CLOUDFLARE_EMAIL
  apiKey: YOUR_API_TOKEN

Edit the Traefik Enterprise manifest and add the environment variables to the traefik-enterprise-controller statefulSet, just after the license variable definition.

            - name: CF_API_EMAIL
              valueFrom:
                secretKeyRef:
                  key: email
                  name: cloudflare-api-credentials
            - name: CF_API_KEY
              valueFrom:
                secretKeyRef:
                  key: apiKey
                  name: cloudflare-api-credentials
See the API Gateway Cloud Natives TrustWant to simplify the discovery, security, and deployment of APIs and microservices? Explore Traefik Enterprise today.Learn More

Install Traefik Enterprise

It's finally time to install Traefik Enterprise!

Argo CD

Take all files and commit them to your Git repo. Now you are able to connect the repository with Argo CD. Create a new App and deploy Traefik Enterprise.

Kubectl

The easiest way to deploy Traefik Enterprise is with kubectl.

kubectl apply -f traefik-enterprise-ns.yaml
kubectl apply -f traefik-enterprise-license-secret.yaml
kubectl apply -f cloudflare-secret.yaml
kubectl apply -f traefik-enterprise-static-configmap.yaml
kubectl apply -f traefik-enterprise-manifest-cloudflare-env.yaml

Wait for all the Traefik Enterprise component to come up.

kubectl get po -n traefikee                              
NAME                                        READY   STATUS    RESTARTS   AGE
traefik-enterprise-controller-0             1/1     Running   0          21m
traefik-enterprise-plugin-registry-0        1/1     Running   0          22m
traefik-enterprise-proxy-598c694f9d-fdw2f   1/1     Running   0          22m
traefik-enterprise-proxy-598c694f9d-g625t   1/1     Running   3          22m

Operations

Dashboard

To add some basic security to your dashboard, create an HTTP basic auth middleware. Use the following command to create a base64 encoded htpasswd file with traefik as user and enterprise as password:

htpasswd -n -b traefik enterprise | openssl base64

Add your credentials to the secret for basic-auth:

---
apiVersion: v1
kind: Secret
metadata:
  name: traefik-enterprise-dashboard-auth
  namespace: traefikee
data:
  users: |2
    dHJhZWZpazokYXByMSR6R2NRa0xLTCRPWDlFQkZkeVhCWjVNZ2hSVEgzYVMxCgo=

Define the basicAuth middleware to use the secret:

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-enterprise-dashboard-basicauth
  namespace: traefikee
spec:
  basicAuth:
    secret: traefik-enterprise-dashboard-auth

Create an ingress route to the service api@internal to enable the dashboard. Here, make sure to change the matching host rule.

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-enterprise-dashboard
  namespace: traefikee
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`dashboard.example.com`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: traefik-enterprise-dashboard-basicauth
  tls:
    certResolver: cloudflare

Apply the files with kubectl:

kubectl apply -f traefik-enterprise-basicAuth-secret.yaml
kubectl apply -f traefik-enterprise-dashboard-middleware.yaml
kubectl apply -f traefik-enterprise-dashboard-igr.yaml

And done! You can now connect to the dashboard in your browser with the URL you define in the ingressRoute.

Traefik Enterprise Dashboard

API Portal

The API Portal groups all of the API specifications from your services into a web UI. Currently, Traefik Enterprise supports OpenAPI.

Add these two lines to your static configuration, to enable API Portal.

apiportal:
  path: spec.json

Create an ingress route to the service apiportal@internal to enable the API Portal dashboard. Don't forget to change the matching host rule here as well.

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-enterprise-api
  namespace: traefikee
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`apiportal.example.com`)
      kind: Rule
      services:
        - name: apiportal@internal
          kind: TraefikService
  tls:
    certResolver: cloudflare

Note: I would recommend that you added the Basic Auth middleware to your API. Otherwise, anyone can access your API Portal web UI without any authentication.*

Traefik Enterprise now searches every service. If there is a service detected which supports the OpenAPI format and can be reached under the path /api/swagger.json, this service will be listed in the API portal.

Example spec.json

Here is an example of an OpenAPI supported service.

---
apiVersion: v1
kind: Namespace
metadata:
  name: httpbin

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api-httpbin
  namespace: httpbin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: api-httpbin
  template:
    metadata:
      labels:
        app: api-httpbin
    spec:
      containers:
        - name: whoami
          image: kennethreitz/httpbin

---
apiVersion: v1
kind: Service
metadata:
  name: api-httpbin
  namespace: httpbin
  labels:
    app: api-httpbin
spec:
  type: ClusterIP
  ports:
    - port: 80
      name: api
  selector:
    app: api-httpbin

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: api-httpbin-tls
  namespace: httpbin
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`httpbin.example.com`)
      services:
        - name: api-httpbin
          port: 80
  tls:
    certResolver: cloudflare

Make sure to change the host values and then apply this files:

kubectl apply -f traefik-enterprise-static-configmap-apiportal.yaml
kubectl apply -f traefik-enterprise-apiportal-igr.yaml
kubectl apply -f traefik-enterprise-petstore-api.yaml

You can now check the API portal to have a look at your API.

Traefik Enterprise API Portal

Connect with teectl

To get things started, you need to install the teectl command-line tool.

Once your cluster is ready, generate credentials from your cluster using Traefik Enterprise. Generate the credentials on one of your controllers and use teectl to import the cluster credentials.

kubectl exec -n traefikee traefik-enterprise-controller-0 -- /traefikee generate credentials --kubernetes.kubeconfig="${KUBECONFIG}"  --cluster=traefik-enterprise > traefikee/config.yaml > config.yaml

Now you can import the cluster configuration to teectl.

teectl cluster import --file="config.yaml"

And finally, select this new cluster.

teectl cluster use --name traefik-enterprise

You can now use teectl to operate your cluster.

Conclusion

Since version 2.3.0, Traefik Enterprise deployment has been made very simple. In a few minutes, you are able to run Traefik Enterprise in our Kubernetes cluster.

I’m really happy to see how Traefik Enterprise is getting better and making your life easier! Always keep an eye on the new releases of Traefik Enterprise for more improvements and new capabilities.

server icons in grey cubes on a dark blue background
Webinar: From Chaos to ControlledLearn how to simplify multi-cluster networking for all your applicationsWatch the Webinar

About the Author

Latest from Traefik Labs

How to Keep Your Services Secure With Traefik’s Rate Limiting
Blog

How to Keep Your Services Secure With Traefik’s Rate Limiting

Read more
Taming The Wild West of LLMs with Traefik AI Gateway
Blog

Taming The Wild West of LLMs with Traefik AI Gateway

Read more
GitOps-Driven Runtime API Governance: The Secret Sauce for Scale
Webinar

GitOps-Driven Runtime API Governance: The Secret Sauce for Scale

Watch now

Traefik Labs uses cookies to improve your experience. By continuing to browse the site you are agreeing to our use of cookies. Find out more in the Cookie Policy.