Traefik https via kubernetes deployment and AWS certifications

7/20/2018

I'm running traefik on AWS via kubernetes. It all works with http, but I can't get https and my http=>https redirect configuration working.

I have the following .toml file

defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"

With the Kubernetes Deployment + Service configurations below.

Kubernetes config files:

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "3"
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"extensions/v1beta1","kind":"Deployment","metadata":{"annotations":{},"labels":{"k8s-app":"traefik-ingress-lb"},"name":"traefik-ingress-controller","namespace":"kube-system"},"spec":{"replicas":1,"selector":{"matchLabels":{"k8s-app":"traefik-ingress-lb"}},"template":{"metadata":{"labels":{"k8s-app":"traefik-ingress-lb","name":"traefik-ingress-lb"}},"spec":{"containers":[{"args":["--api","--kubernetes","--logLevel=INFO"],"image":"traefik","name":"traefik-ingress-lb","ports":[{"containerPort":80,"name":"http"},{"containerPort":8080,"name":"admin"}]}],"serviceAccountName":"traefik-ingress-controller","terminationGracePeriodSeconds":60}}}}
  creationTimestamp: 2018-07-18T19:39:53Z
  generation: 3
  labels:
    k8s-app: traefik-ingress-lb
  name: traefik-ingress-controller
  namespace: kube-system
  resourceVersion: "624437"
  selfLink: /apis/extensions/v1beta1/namespaces/kube-system/deployments/traefik-ingress-controller
  uid: 58026a2c-8ac2-11e8-bb82-02f2884c3a1c
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      containers:
      - args:
        - --configFile=/conf/traefik.toml
        - --api
        - --kubernetes
        - --logLevel=INFO
        image: traefik
        imagePullPolicy: Always
        name: traefik-ingress-lb
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 8080
          name: admin
          protocol: TCP
        - containerPort: 443
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /conf
          name: config
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: traefik-ingress-controller
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
      - configMap:
          defaultMode: 420
          name: traefik-conf
        name: config
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: 2018-07-18T19:39:54Z
    lastUpdateTime: 2018-07-18T19:39:54Z
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  observedGeneration: 3
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1
  
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"name":"traefik-ingress-service","namespace":"kube-system"},"spec":{"ports":[{"name":"web","port":80,"protocol":"TCP"},{"name":"admin","port":8080,"protocol":"TCP"}],"selector":{"k8s-app":"traefik-ingress-lb"},"type":"NodePort"}}
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-1:735079771029:certificate/sfsg
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
  creationTimestamp: 2018-07-18T19:39:54Z
  name: traefik-ingress-service
  namespace: kube-system
  resourceVersion: "619785"
  selfLink: /api/v1/namespaces/kube-system/services/traefik-ingress-service
  uid: 585294fb-8ac2-11e8-bb82-02f2884c3a1c
spec:
  clusterIP: 100.69.33.166
  externalTrafficPolicy: Cluster
  ports:
  - name: web
    nodePort: 32734
    port: 80
    protocol: TCP
    targetPort: 80
  - name: admin
    nodePort: 32566
    port: 8080
    protocol: TCP
    targetPort: 8080
  - name: https
    nodePort: 32287
    port: 443
    protocol: TCP
    targetPort: 80
  selector:
    k8s-app: traefik-ingress-lb
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
    - hostname: blablabla.eu-west-1.elb.amazonaws.com
 

My http is working fine but my https isn't working. I get a timeout error. This is very strange. I even added a listener on port 443 on my ELB, but it is still not working. What do you guys think?

-- Nizar AYARI
amazon-web-services
https
kubernetes
traefik
traefik-ingress

1 Answer

7/20/2018

Since you are using entrypoint redirection, Traefik redirects the request to the entrypoint specified (in your case https). Your ELB then listens on https, and passes the request to the http entrypoint on Traefik, which then redirects to https, etc.

It is usually a bad idea to redirect to TLS at any other layer than the layer that terminates TLS. If your ELB is terminating TLS connections, you should configure it to redirect if needed.

Also, since you have all of your traffic http behind the ELB, you can remove the https entrypoints from traefik, as they will not be needed.

-- Daniel Tomcej
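
The loop described in the answer can be detected from the manifests alone: an ELB listener that terminates TLS and forwards plaintext to a Traefik entry point that redirects. The check below is an added example, not code from the original post or from Traefik; the dict layout and the function name `find_redirect_loops` are assumptions, and the sample values are constructed from the configuration posted in the question.

```python
# Values constructed from the Service, annotations and traefik.toml posted in
# the question; the dict layout is an assumption, nothing is read from a cluster.
PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"
SERVICE = {
    "annotations": {
        PREFIX + "backend-protocol": "http",
        PREFIX + "ssl-ports": "443",
    },
    "ports": [
        {"name": "web", "port": 80, "targetPort": 80},
        {"name": "admin", "port": 8080, "targetPort": 8080},
        {"name": "https", "port": 443, "targetPort": 80},
    ],
}
ENTRYPOINTS = {"http": {"address": ":80", "redirect": "https"}}


def find_redirect_loops(service, entrypoints):
    """List (elb_port, target_port, entrypoint, redirect_target) for every
    TLS-terminating listener that forwards plaintext to a redirecting entry point."""
    ann = service["annotations"]
    # ssl-ports is a comma-separated list of port numbers or names; "*" means all
    ssl_ports = {p.strip() for p in ann.get(PREFIX + "ssl-ports", "*").split(",")}
    plaintext = ann.get(PREFIX + "backend-protocol", "").lower() in ("http", "tcp")
    # Map each entry point's listening port to its name and settings
    by_port = {int(ep["address"].rsplit(":", 1)[1]): (name, ep)
               for name, ep in entrypoints.items()}
    findings = []
    for port in service["ports"]:
        terminated = bool(ssl_ports & {"*", str(port["port"]), port["name"]})
        if not (terminated and plaintext):
            continue
        name, ep = by_port.get(port["targetPort"], (None, {}))
        if ep.get("redirect"):
            findings.append((port["port"], port["targetPort"], name, ep["redirect"]))
    return findings


if __name__ == "__main__":
    for elb, target, name, dest in find_redirect_loops(SERVICE, ENTRYPOINTS):
        print(f"ELB :{elb} terminates TLS and forwards to :{target} "
              f"(entry point '{name}'), which redirects to '{dest}': loop")
```

With the redirect removed from the `http` entry point, as the answer suggests, the same Service produces no findings.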
Source: StackOverflow