So I have been playing with this over the last 6 months or so, and just spent about 3 days with the latest blog posts and versions of everything.
Latest of all software as of July 2021....
I have metallb and traefik installed pulling TLS from cloudflare.
When spun up everything works except one very small issue.
The metallb issues an IP (alternates between public ip group and private ip group in config. This is a small issue, we want to specify which pool to draw from).
The traefik will route either web or websecure entries no problem. If websecure, traefik and cloudflare issue the correct cert and all is good, except everything must go through the external IP on the traefik service.
So the root question is: can we use the metallb to issue new loadbalancer services and then have them route to the same traefik instance, and all will have different IPs? Some external, some private.
traefik is in traefik namespace. metallb in metallb-system namespace. We are working in default namespace.
Step 1 - Deploy
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      labels:
        run: nginx
      name: nginx-full
    spec:
      replicas: 1
      selector:
        matchLabels:
          run: nginx-main-full
      template:
        metadata:
          labels:
            run: nginx-main-full
        spec:
          containers:
          - image: nginx
            name: nginx
            ports:
            - containerPort: 80
Step 2 is the expose below.
This WORKS just fine. But everything is going through one external IP on the traefik service.
    k expose deploy nginx-full --port 80
When I do this by using (does not work):
    kubectl expose deploy nginx-full --type=LoadBalancer --port 80,443
Everything looks correct. A new service appears with a new IP. The route appears in the dashboard. Nothing really in logs. But the website never responds. It's like the router is not getting to the end service.
Step 3 (for both services) (note: we own local.dev so this generates valid cert for us)
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: nginx-deploy-full
    spec:
      entryPoints:
        - websecure
      routes:
        - match: Host(`full-priv.local.dev`)
          kind: Rule
          services:
            - name: nginx-full
              port: 80
      tls:
        certResolver: letsencrypt
Thoughts? I'm guessing it is something incredibly simple that I have missed somewhere.