home-server/clusters/noble/bootstrap/traefik/README.md

Traefik — noble

Prerequisites: Cilium, MetalLB (pool + L2), nodes Ready.

1. Create the namespace (Pod Security baseline — Traefik needs more than restricted):

   kubectl apply -f clusters/noble/apps/traefik/namespace.yaml
   

2. Install the chart (do not use --create-namespace if the namespace already exists):

   helm repo add traefik https://traefik.github.io/charts
   helm repo update
   helm upgrade --install traefik traefik/traefik \
     --namespace traefik \
     --version 39.0.6 \
     -f clusters/noble/apps/traefik/values.yaml \
     --wait
   

3. Confirm the Service has a pool address. On the LAN, *.apps.noble.lab.pcenicni.dev can resolve to this IP (split horizon / local DNS). Public names go through Pangolin + Newt (CNAME + API), not ExternalDNS — see clusters/noble/apps/newt/README.md.

   kubectl get svc -n traefik traefik
   

   Values pin 192.168.50.211 via metallb.io/loadBalancerIPs. 192.168.50.210 stays free for Argo CD.

4. Create Ingress resources with ingressClassName: traefik (or rely on the default class). TLS: add cert-manager.io/cluster-issuer: letsencrypt-staging (or letsencrypt-prod) and tls hosts — see clusters/noble/apps/cert-manager/README.md.

5. Public DNS: use Newt + Pangolin (CNAME at your DNS host + Integration API for resources/targets) — clusters/noble/apps/newt/README.md.