Traefik with external Hetzner loadbalancer

I am trying to create a static Traefik config (I am using Hetzner with hcloud-cloud-controller-manager) and my goal is to have the Hetzner loadbalancer terminate all TLS, so that Traefik only handles web / port 80.

The reason I am trying this is that I was getting some TLS problems when Traefik was handling my certificates, and I would also like to offload TLS handling to the external loadbalancer. But please tell me if my plan is idiotic from the start.

I am using the helm chart for Traefik 3.1. I am including my current values.yaml which creates a healthy Hetzner loadbalancer with the correct certificates - but services only return ERR_CONNECTION_TIMED_OUT.

What I don't understand is how the port: and the service: sections interrelate. When I create Traefik with the default helm values.yaml, it already creates a (tcp) Hetzner loadbalancer. Can I deactivate that in the values.yaml? Then I could create the loadbalancer with a separate manifest, if that is of any use... I am quite lost as you can tell.

```yaml
autoscaling:
  enabled: true
  maxReplicas: 3
  minReplicas: 3
deployment:
  replicas: 3
podDisruptionBudget:
  enabled: true
  maxUnavailable: 33%
ports:
  web:
    expose:
      default: false      # the plain-HTTP "web" entrypoint is not exposed on the Service
  websecure:
    forwardedHeaders:
      trustedIPs:
        - 127.0.0.1/32
        - 10.0.0.0/8
    proxyProtocol:
      trustedIPs:
        - 127.0.0.1/32
        - 10.0.0.0/8
    tls:
      enabled: false      # websecure stays exposed but without TLS
resources:
  limits:
    cpu: 300m
    memory: 150Mi
  requests:
    cpu: 100m
    memory: 50Mi
service:
  annotations:
    load-balancer.hetzner.cloud/location: fsn1
    load-balancer.hetzner.cloud/name: k3s-traefik
    load-balancer.hetzner.cloud/type: lb11
    load-balancer.hetzner.cloud/certificate-type: uploaded
    load-balancer.hetzner.cloud/http-certificates: "upsize managed-certificate,exocort managed-certificate,exocort.com managed-certificate"
    load-balancer.hetzner.cloud/protocol: "https"
    load-balancer.hetzner.cloud/http-redirect-http: "true"
    load-balancer.hetzner.cloud/uses-proxyprotocol: "true"
  enabled: true
  type: LoadBalancer
```
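For readers following this thread, here is an illustrative values.yaml (an added example, not the poster's configuration and not part of the kube-hetzner project) that expresses the setup described above: the Hetzner load balancer terminates TLS and forwards plain HTTP, Traefik exposes only its "web" entrypoint, and forwarded headers / PROXY protocol are trusted only from the load balancer's side of the private network. The port numbers, the use of 10.0.0.0/8 as the load balancer's source range, the `use-private-ip` annotation and the mapping of one Service port to one LB service are assumptions about this particular cluster and should be checked against the hcloud-cloud-controller-manager and Traefik chart documentation.

```yaml
# Illustrative Traefik Helm values (chart for Traefik v3) for "TLS at the
# Hetzner LB, HTTP only inside the cluster". Added example; port numbers,
# the private range and the annotation combination are assumptions.
ports:
  web:
    port: 8000            # container port Traefik listens on (chart default)
    exposedPort: 443      # Service port; the hcloud CCM creates one LB service
                          # per Service port, listening on that port
    expose:
      default: true       # without this the Service has no port and the LB no target
    # Only the load balancer may set X-Forwarded-* / PROXY protocol source
    # addresses. A wide range such as 0.0.0.0/0 would let any client spoof
    # its client IP, which breaks IP allow-lists and access logs.
    forwardedHeaders:
      trustedIPs:
        - 127.0.0.1/32
        - 10.0.0.0/8      # assumed private network of the LB and nodes
    proxyProtocol:
      trustedIPs:
        - 127.0.0.1/32
        - 10.0.0.0/8
  websecure:
    expose:
      default: false      # TLS is not terminated here, so no second Service port

service:
  enabled: true
  type: LoadBalancer
  annotations:
    load-balancer.hetzner.cloud/location: fsn1
    load-balancer.hetzner.cloud/name: k3s-traefik
    load-balancer.hetzner.cloud/type: lb11
    load-balancer.hetzner.cloud/use-private-ip: "true"    # LB reaches nodes over the private network
    load-balancer.hetzner.cloud/certificate-type: uploaded
    load-balancer.hetzner.cloud/http-certificates: "<certificate name placeholder>"
    load-balancer.hetzner.cloud/protocol: "https"         # LB-side TLS; target side is plain HTTP
    load-balancer.hetzner.cloud/http-redirect-http: "true"
    load-balancer.hetzner.cloud/uses-proxyprotocol: "true"
```

After `helm upgrade --install` with these values, `kubectl get svc traefik -n <namespace>` should show a single port 443 with a node port, and the LB in the Hetzner console should have one HTTPS service whose target port is that node port; an `ERR_CONNECTION_TIMED_OUT` with a healthy LB usually means the LB service and the Service port do not line up. Keep the `trustedIPs` ranges as narrow as the network allows: they decide which peer Traefik believes when it reads the real client address.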

Use 3 backticks in front and after code/config to make it more readable and preserve spacing, which is important in yaml.

Thanks. It looks like I am unable to edit my post, maybe insufficient rights. But I think my configuration is so messed up - it's not worth posting it again.

I installed the cluster using GitHub - kube-hetzner/terraform-hcloud-kube-hetzner: Optimized and Maintenance-free Kubernetes on Hetzner Cloud in one command! and it has worked well, I just ran into problems when I added keycloak and tried to get SSO working with Wordpress and ArgoCD. Wordpress for example would not allow the keycloak login with certificate problems. I think because Traefik was using self-signed certificates for keycloak internally, while my keycloak URL uses a Let's Encrypt certificate (handled by the Hetzner Loadbalancer). Similar problems with ArgoCD.

I then got the idea to have TLS termination done by the external loadbalancer only and to use http only inside the cluster. The better approach is probably to use cert-manager so the certificates are known to Traefik. As you can tell I don't quite know what I am doing, but it's an experimental cluster anyway.

However, I was unable to find good documentation about making K3S, Hetzner loadbalancer and Traefik work together (beyond the default setup, which obviously works). It would be great if anyone has some tips to share about this (or about Traefik and external loadbalancers in general).

You could try reddit.com/r/Traefik/ or the k3s forum there.