Skip to main content

Install Traefik Hub Gateway on Kubernetes

Before You Begin

Before you begin the installation process, it is recommended that you have a basic understanding of Kubernetes. You should have access to a working Kubernetes cluster, either on a cloud provider or on your own infrastructure.

Please make sure that you have the following:

  • Kubectl
  • Helm v3
  • Checked the documentation about networking details to make sure that the Traefik Hub API Gateway can communicate with Traefik Hub to validate the token.

Install with the Helm Chart

Log in to the Traefik Hub Online Dashboard, and open the page which allows you to create a new Hub Gateway.

⚠️ Copy only the token.

Step 1: Store the token in a secret

Open a terminal and run the following commands to create the required secret:

# Create an environment variable which contains the token
# Set the token provided in the Dashboard here
export TRAEFIK_HUB_TOKEN=
# Initilaze the namespace and the secret that contains the token
kubectl create namespace traefik
kubectl create secret generic license --namespace traefik --from-literal=token=$TRAEFIK_HUB_TOKEN

Step 2: Deploy Hub API Gateway

Run the helm commands to install Hub API Gateway:

Install Traefik Hub API Gateway using Helm
# Add the Helm repository
helm repo add --force-update traefik https://traefik.github.io/charts
# Install the Helm chart
helm install traefik -n traefik --wait \
  --set hub.token=license \
  --set image.registry=ghcr.io \
  --set image.repository=traefik/traefik-hub \
  --set metrics={} \ # Do not expose Prometheus metrics by default
  --set ingressRoute.dashboard.enabled=false \ # Do not expose the dashboard by default
  --set image.tag=v3 \
   traefik/traefik
Turned off options

In this installation guide, a few options that are set by default in Traefik Hub API Gateway Helm Chart are turned off. It allows you to set up an instance of Hub API Gateway with a minimal set of features.

For example, this installation does not deploy the Traefik Hub API Gateway local dashboard. A dedicated section describes how to deploy a secured dashboard.

To customize the installation using the Helm Chart, please refer to the dedicated documentation.

Specific version

If you want to download a specific version, you have to set the version with the following format: vMAJOR.MINOR.PATCH; for example v3.1.1.

Using the commands described above, the following objects are installed in the namespace traefik:

# kubectl -n traefik describe deployments.apps traefik
Name:                   traefik
Namespace:              traefik
...
  Containers:
   traefik:
    Ports:       9100/TCP, 9000/TCP, 8000/TCP, 8443/TCP, 9943/TCP
    Host Ports:  0/TCP, 0/TCP, 0/TCP, 0/TCP, 0/TCP
    Args:
      --global.checknewversion
      --global.sendanonymoususage
      --log.level=INFO
      --hub.token=$(HUB_TOKEN)
      # Entrypoints (Link concepts entrypoints)
      --entryPoints.metrics.address=:9100/tcp
      --entryPoints.traefik.address=:9000/tcp
      --entryPoints.web.address=:8000/tcp
      --entryPoints.websecure.address=:8443/tcp
      # Set TLS per default on the Entrypoint websecure
      --entryPoints.websecure.http.tls=true
      # Enable to check the Health of Traefik Hub API Gateway on the path /ping
      --ping=true
      # Enable Kubernetes providers (Link concepts providers)
      --providers.kubernetescrd
      --providers.kubernetesingress
    Liveness:   http-get http://:9000/ping delay=2s timeout=2s period=10s #success=1 #failure=3
    Readiness:  http-get http://:9000/ping delay=2s timeout=2s period=10s #success=1 #failure=1
    Environment:
      HUB_TOKEN:      <set to the key 'token' in secret 'traefik-hub-license'>  Optional: false
      POD_NAME:        (v1:metadata.name)
      POD_NAMESPACE:   (v1:metadata.namespace)

Install using a FIPS 140-2 Compliant Image

FIPS 140-2 is a U.S. Federal Government security standard used to approve cryptographic modules. This section explains how Traefik Hub API Gateway is built with FIPS validated cryptographic libraries.

For each Traefik Hub API Gateway version a specific Docker image is built using the Go option GOEXPERIMENT=boringcrypto. In Go, the BoringCrypto module is a general-purpose cryptographic library that is FIPS 140–2.

Deploy Hub API Gateway

In the Step 2 described above, replace the Traefik Hub Gateway image with the FIPS one. To do so, set the major version as a prefix in the image tag. For example, to download the FIPS compliant Traefik Hub API Gateway image in version v3:

Install Traefik Hub API Gateway FIPS-140.2 using Helm
# Add the Helm repository
helm repo add --force-update traefik https://traefik.github.io/charts
# Install the Helm chart
helm install traefik -n traefik --wait \
  --set hub.token=license \
  --set image.registry=ghcr.io \
  --set image.repository=traefik/traefik-hub \
  --set metrics={} \ # Do not expose Prometheus metrics by default
  --set ingressRoute.dashboard.enabled=false \ # Do not expose the dashboard by default
  --set image.tag=v3-fips \
   traefik/traefik
Turned off options

In this installation guide, a few options that are set by default in Traefik Hub API Gateway Helm Chart are turned off. It allows you to set up an instance of Hub API Gateway with a minimal set of features.

For example, this installation does not deploy the Traefik Hub API Gateway local dashboard. A dedicated section describes how to deploy a secured dashboard.

To customize the installation using the Helm Chart, please refer to the dedicated documentation.

Specific version

If you want to download a specific version, you have to set the version as a prefix in the image tag. For example, to use the FIPS compliant Traefik Hub API GAteway image in version v3.1.1 use the tag v3.1.1-fips.

Related Content