8.1.4 Installing the Traefik Controller
Follow these steps to set up Traefik as a load balancer for an Oracle Identity Governance domain in a Kubernetes cluster:
If you can connect directly to a worker node hostname or IP address from a browser, then install Traefik with the --set controller.service.type=NodePort parameter.
If you are using a Managed Service for your Kubernetes cluster, for example Oracle Kubernetes Engine (OKE) on Oracle Cloud Infrastructure (OCI), and connect from a browser to the Load Balancer IP address, then use the --set controller.service.type=LoadBalancer parameter. This instructs the Managed Service to set up a Load Balancer to direct traffic to the Traefik ingress.
The instructions below use --set controller.service.type=NodePort. If using a managed service, change to --set controller.service.type=LoadBalancer.
Configuring an Ingress Controller with SSL
helm install traefik-ingress \
-n <domain_namespace> \
--set controller.service.nodePorts.http=<http_port> \
--set controller.service.nodePorts.https=<https_port> \
--set controller.extraArgs.default-ssl-certificate=<domain_namespace>/<ssl_secret> \
--set controller.service.type=<type> \
--set controller.config.use-forwarded-headers=true \
--set controller.config.enable-underscores-in-headers=true \
--set controller.admissionWebhooks.enabled=false \
stable/ingress-traefik \
--version 4.7.2
Where:
- <domain_namespace> is your namespace, for example mytraefikns.
- <http_port> is the HTTP port that you want the controller to listen on, for example 30777.
- <https_port> is the HTTPS port that you want the controller to listen on, for example 30443.
- <type> is the controller type. If using NodePort, set to NodePort. If using a managed service, set to LoadBalancer. If using LoadBalancer, remove --set controller.service.nodePorts.http=<http_port> and --set controller.service.nodePorts.https=<https_port>.
- <ssl_secret> is the secret you created in Generating SSL Certificates for Traefik.
For example:
helm install traefik-ingress -n mytraefikns \
--set controller.service.nodePorts.http=30777 \
--set controller.service.nodePorts.https=30443 \
--set controller.extraArgs.default-ssl-certificate=mytraefikns/accessdomain-tls-cert \
--set controller.service.type=NodePort \
--set controller.config.use-forwarded-headers=true \
--set controller.config.enable-underscores-in-headers=true \
--set controller.admissionWebhooks.enabled=false \
stable/ingress-traefik \
--version 4.7.2
The output will look similar to the following:
NAME: traefik-ingress
LAST DEPLOYED: <DATE>
NAMESPACE: mytraefikns
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The traefik-ingress controller has been installed.
Get the application URL by running these commands:
export HTTP_NODE_PORT=30777
export HTTPS_NODE_PORT=30443
export NODE_IP=$(kubectl --namespace mytraefikns get nodes -o jsonpath="{.items[0].status.addresses[1].address}")
echo "Visit http://$NODE_IP:$HTTP_NODE_PORT to access your application via HTTP."
echo "Visit https://$NODE_IP:$HTTPS_NODE_PORT to access your application via HTTPS."
An example Ingress that makes use of the controller:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: Traefik
  name: example
  namespace: foo
spec:
  ingressClassName: example-class
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: exampleService
                port: 80
  # This section is only required if TLS is to be enabled for the Ingress
  tls:
    - hosts:
        - www.example.com
      secretName: example-tls
If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:
apiVersion: v1
kind: Secret
metadata:
  name: example-tls
  namespace: foo
data:
  tls.crt: <base64 encoded cert>
  tls.key: <base64 encoded key>
type: kubernetes.io/tls
Configure an Ingress Controller Without SSL
helm install traefik-ingress \
-n <domain_namespace> \
--set controller.service.nodePorts.http=<http_port> \
--set controller.service.type=<type> \
--set controller.config.use-forwarded-headers=true \
--set controller.config.enable-underscores-in-headers=true \
--set controller.admissionWebhooks.enabled=false \
stable/ingress-traefik \
--version 4.7.2
Where:
- <domain_namespace> is your namespace, for example mytraefikns.
- <http_port> is the HTTP port that you want the controller to listen on, for example 30777.
- <type> is the controller type. If using NodePort, set to NodePort. If using a managed service, set to LoadBalancer. If using LoadBalancer, remove --set controller.service.nodePorts.http=<http_port>.
For example:
helm install traefik-ingress \
-n mytraefikns \
--set controller.service.nodePorts.http=30777 \
--set controller.service.type=NodePort \
--set controller.config.use-forwarded-headers=true \
--set controller.config.enable-underscores-in-headers=true \
--set controller.admissionWebhooks.enabled=false \
stable/ingress-traefik \
--version 4.7.2
The output will look similar to the following:
NAME: traefik-ingress
LAST DEPLOYED: <DATE>
NAMESPACE: mytraefikns
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
The traefik-ingress controller has been installed.
Get the application URL by running these commands:
export HTTP_NODE_PORT=30777
export HTTPS_NODE_PORT=$(kubectl --namespace mytraefikns get services -o jsonpath="{.spec.ports[1].nodePort}" traefik-ingress-ingress-traefik-controller)
export NODE_IP=$(kubectl --namespace mytraefikns get nodes -o jsonpath="{.items[0].status.addresses[1].address}")
echo "Visit http://$NODE_IP:$HTTP_NODE_PORT to access your application via HTTP."
echo "Visit https://$NODE_IP:$HTTPS_NODE_PORT to access your application via HTTPS."
An example Ingress that makes use of the controller:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: Traefik
  name: example
  namespace: foo
spec:
  ingressClassName: example-class
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: exampleService
                port: 80
  # This section is only required if TLS is to be enabled for the Ingress
  tls:
    - hosts:
        - www.example.com
      secretName: example-tls
If TLS is enabled for the Ingress, a Secret containing the certificate and key must also be provided:
apiVersion: v1
kind: Secret
metadata:
  name: example-tls
  namespace: foo
data:
  tls.crt: <base64 encoded cert>
  tls.key: <base64 encoded key>
type: kubernetes.io/tls
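The rules in the two "Where" lists above (with and without SSL) can be checked before helm install is run. The following is an added example, not Oracle's or the chart's own code: check_ingress_flags and port_ok are hypothetical helpers, the 30000-32767 range is the Kubernetes default NodePort range (a cluster may be configured differently), and an HTTPS port without a default certificate is treated as a problem to match the SSL configuration on this page.

```shell
# Added example (hypothetical helpers, not part of helm or the chart).
# NodePort values must be integers in the Kubernetes default range 30000-32767.
port_ok() {
  case "$1" in ""|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge 30000 ] && [ "$1" -le 32767 ]
}

# Usage: check_ingress_flags -n <namespace> --set key=value ...
# Prints one "problem:" line per finding; exit status 0 means none were found.
check_ingress_flags() (
  LC_ALL=C   # keep a-z in the patterns below from matching upper case
  ns="" type="" http="" https="" cert="" rc=0
  fail() { echo "problem: $*"; rc=1; }
  while [ $# -gt 0 ]; do
    case "$1" in
      -n|--namespace) ns="${2-}"; if [ $# -ge 2 ]; then shift; fi ;;
      --set)
        case "${2-}" in
          controller.service.type=*) type="${2#*=}" ;;
          controller.service.nodePorts.http=*) http="${2#*=}" ;;
          controller.service.nodePorts.https=*) https="${2#*=}" ;;
          controller.extraArgs.default-ssl-certificate=*) cert="${2#*=}" ;;
        esac
        if [ $# -ge 2 ]; then shift; fi ;;
    esac
    shift
  done
  case "$ns" in
    ""|*[!a-z0-9-]*|-*|*-) fail "namespace '$ns' is not a lowercase DNS label" ;;
  esac
  case "$type" in
    NodePort)
      [ -z "$http" ] || port_ok "$http" || fail "http nodePort '$http' not in 30000-32767"
      [ -z "$https" ] || port_ok "$https" || fail "https nodePort '$https' not in 30000-32767" ;;
    LoadBalancer)
      [ -z "$http$https" ] || fail "remove controller.service.nodePorts.* for LoadBalancer" ;;
    *) fail "controller.service.type must be NodePort or LoadBalancer, got '$type'" ;;
  esac
  if [ -n "$cert" ]; then   # expected form: <domain_namespace>/<ssl_secret>
    case "$cert" in
      "$ns"/?*) ;;
      *) fail "default-ssl-certificate '$cert' is not $ns/<ssl_secret>" ;;
    esac
  elif [ -n "$https" ]; then
    fail "https nodePort set without controller.extraArgs.default-ssl-certificate"
  fi
  exit "$rc"
)
```

Pass the function the same -n and --set arguments you intend to give helm install; other arguments such as the release and chart names are ignored.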