Deploying to AKS with Traefik
In my previous post I showed you how to deploy Traefik as a reverse proxy with SSL by Let's Encrypt.
In this article I will take it a step further and provision a Kubernetes cluster on Azure and automate deployment from Azure DevOps.
Provision AKS
First we need to provision our new AKS cluster. Sign up / sign in to the Azure portal and add a resource. Select Azure Kubernetes Service (AKS) and follow the on-screen prompts to create your cluster. I'm using the dev / test workload (works out approx £120 per month), configured as default. For a production workload, though, you probably want to go for the Standard configuration, although this will cost considerably more because you will have 3 nodes instead of just one!
You will also want to provision an Azure Container Registry (ACR) when prompted. This is where we will be storing our Helm charts and Docker images.
Finally, you also want to provision a key vault. This is where we will store the secrets for our deployed applications.
Connect Azure Devops to your cluster
First, in the Azure Portal for your AKS cluster, under Access control (IAM), ensure your user account has the role Azure Kubernetes Service Cluster Admin Role, and optionally add a new namespace for your services to be deployed to.
In Azure DevOps, first ensure that your user is in the Build Administrators role, then head over to Project Settings and select Service Connections.
Add a Kubernetes service connection and select your cluster and namespace.
Note: you may have to log in to the Azure Portal in a little dialog that pops up. Sometimes it's behind your current browser window!
Setup Traefik Reverse Proxy
First create a new repository in your DevOps project. This will contain the Traefik configuration for the reverse proxy. All we really need in here is a pipeline.yaml and a values file for your Traefik configuration.
Next, find the LoadBalancer in the Azure Portal that was created for you as part of your cluster setup (mine is called kubernetes) and then, under frontend IP configuration, note down the IP address for the cluster. Also note down the resource group that the load balancer is in; you will need these in a sec.
Now, in DevOps, create a new pipeline variable group called dev-azure and add the values for K8sServiceConnection and K8sNamespace. These should be the name and namespace you gave the service connection.
Create the following files...
./pipeline.yaml
resources:
  repositories:
    - repository: traefik
      type: git
      name: [yourproject]/traefik
trigger:
  branches:
    include:
      - main
variables:
  - group: 'dev-azure'
  - name: HelmChartName
    value: 'traefik'
stages:
  - stage: DeployTraefik
    displayName: 'Deploy Traefik'
    jobs:
      - job: Deploy
        displayName: 'Deploy Traefik'
        pool: 'default'
        steps:
          - checkout: self
            clean: true
            persistCredentials: true
          - task: HelmInstaller@1
            displayName: 'Install helm'
          - task: HelmDeploy@0
            displayName: Add Traefik helm repo
            inputs:
              connectionType: 'Kubernetes Service Connection'
              kubernetesServiceEndpoint: $(K8sServiceConnection)
              namespace: $(K8sNamespace)
              command: 'repo'
              arguments: 'add traefik https://helm.traefik.io/traefik'
          - task: HelmDeploy@0
            displayName: Update local helm repos
            inputs:
              connectionType: 'Kubernetes Service Connection'
              kubernetesServiceEndpoint: $(K8sServiceConnection)
              namespace: $(K8sNamespace)
              command: 'repo'
              arguments: 'update'
          - task: HelmDeploy@0
            displayName: Deploy Traefik helm chart to AKS
            inputs:
              connectionType: 'Kubernetes Service Connection'
              kubernetesServiceEndpoint: $(K8sServiceConnection)
              namespace: $(K8sNamespace)
              command: 'upgrade'
              chartName: 'traefik/traefik'
              releaseName: 'traefik'
              arguments: '-f traefik-values.yaml'
./traefik-values.yaml
additionalArguments:
  - "--accesslog=true"
  - "--accesslog.format=json"
  - "--log.level=DEBUG"
deployment:
  replicas: 1
service:
  spec:
    loadBalancerIP: [Your LoadBalancer public ip here]
  annotations:
    "service.beta.kubernetes.io/azure-load-balancer-resource-group": "[Your resource group here]"
ingressRoute:
  dashboard:
    # Specify the allowed entrypoints to use for the dashboard ingress route, (e.g. traefik, web, websecure).
    # By default, it's using traefik entrypoint, which is not exposed.
    # /!\ Do not expose your dashboard without any protection over the internet /!\
    entryPoints: ["traefik"]
Finally, create a new pipeline using the pipeline.yaml file you checked in. Run the pipeline and you should have Traefik running as a service in your cluster. You can verify this in the Azure Portal by going to your cluster; under Workloads, for your namespace, you should see the traefik service running.
If you like, at this stage you can change the entryPoints to "web", redeploy and then go to http://load-balancer-ip/dashboard/ and you should see the Traefik dashboard. While it is set to "web", the dashboard is served over plain HTTP on the load balancer's public IP with nothing protecting it, so don't forget to swap it back to traefik and redeploy afterwards!
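The dashboard step above relies on remembering to swap entryPoints back to traefik. As an added example (not part of the original post), here is a shell guard that reads traefik-values.yaml and refuses any dashboard entrypoint other than traefik. The function names, the 2-space indentation and the inline list form are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): pre-deploy guard for traefik-values.yaml.
# Assumes 2-space indentation and the inline list form: entryPoints: ["traefik"]

# Print the dashboard IngressRoute entrypoints, one per line.
# Prints UNPARSEABLE for any other list form so the caller fails closed.
dashboard_entrypoints() {
  awk '
    /^[^ #]/ { in_route = ($0 ~ /^ingressRoute:/); in_dash = 0; next }
    in_route && /^  [^ #]/ { in_dash = ($0 ~ /^  dashboard:/); next }
    in_dash && /^ +entryPoints:/ {
      s = index($0, "["); e = index($0, "]")
      if (s == 0 || e < s) { print "UNPARSEABLE"; next }
      list = substr($0, s + 1, e - s - 1)
      gsub("[\"\047 ]", "", list)      # strip quotes and spaces
      n = split(list, eps, ",")
      for (i = 1; i <= n; i++) if (eps[i] != "") print eps[i]
    }
  ' "$1"
}

# Return 0 only when every dashboard entrypoint is "traefik".
# A values file with no entryPoints key passes: the chart default is traefik.
dashboard_is_internal() {
  [ -r "$1" ] || { echo "cannot read values file: $1" >&2; return 1; }
  for ep in $(dashboard_entrypoints "$1"); do
    [ "$ep" = "traefik" ] || { echo "dashboard entrypoint not allowed: $ep" >&2; return 1; }
  done
  return 0
}

# Constructed sample: the temporary "web" setting from the walkthrough left in place.
sample=$(mktemp)
printf '%s\n' 'ingressRoute:' '  dashboard:' '    entryPoints: ["web"]' > "$sample"
if dashboard_is_internal "$sample"; then
  echo "ok to deploy"
else
  echo "blocked: dashboard would be exposed"
fi
rm -f "$sample"
```

Run as a script step ahead of the helm upgrade task, `dashboard_is_internal traefik-values.yaml || exit 1` stops the pipeline before a values file with the dashboard on "web" reaches the cluster.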