Issue setting up SSL certificates for traefik controller on AWS Kubernetes

4/11/2019

I am deploying a web application (a set of inter-communicating Node servers) on Kubernetes. I use the Traefik controller as load balancer and also for internal communication in the cluster. I purchased the domain name through AWS and set it up via a simple load balancer through Route 53. It pretty much works fine for http://domain-name.com. I am trying to set up SSL certificates (purchased from an external vendor, non-AWS) so as to make the website HTTPS. But it doesn't work. I always end up getting Connection timed out. But the HTTP way works pretty much fine.

  1. I got the SSL certs from my company's IT, with csr, key, interm files. Out of those, I created a new configuration in AWS Certificate Manager.
  2. The Traefik ingress controller is now configured with SSL enabled, SSL enforced, and also the certificate body and key set. I am using the Traefik Helm chart, where I save them in values.yaml.
  3. The load balancer link generated after the Traefik controller installation is configured with the AWS Certificate Manager config created in step (1). In the load balancer's settings in the AWS console, I am opening the HTTPS port.
  4. Also, I am configuring a Secret object containing the SSL certs during ingress setup.

For beginners, this is the sample application I am trying to access through the Traefik controller via HTTPS.

apiVersion: v1
kind: Service
metadata:
  name: hello-kubernetes
spec:
  type: LoadBalancer
  ports:
  - port: 80
    targetPort: 8080
  selector:
    app: hello-kubernetes
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: hello-kubernetes
spec:
  replicas: 1
  selector:
    matchLabels:
      app: hello-kubernetes
  template:
    metadata:
      labels:
        app: hello-kubernetes
    spec:
      containers:
      - name: hello-kubernetes
        image: gcr.io/hello-minikube-zero-install/hello-node
        ports:
        - containerPort: 8080
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: hello-world-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
  - http:
      paths:
      - path: / 
        backend:
          serviceName: hello-kubernetes
          servicePort: 80
  tls:
   - secretName: traefik-ui-tls-cert 

As far as the Helm chart of the Traefik controller is concerned:

ssl:
  enabled: true
  enforced: false
  permanentRedirect: false
  upstream: false
  insecureSkipVerify: false
  generateTLS: false
  defaultSANList: []
  defaultIPList: []
  defaultCert: <crt from IT>  # which I converted from the csr file that IT gave me, using the openssh tool
  defaultKey: <key from IT>

And in the AWS console, for the load balancer, under the Listeners tab, I add the following configuration.

HTTPS-443-HTTP-80-e1e4096b-6a31-4b2d-9d33-9f3f94ab0320 (ACM) Change

I should be able to access my website on https. But I can only access it on http. Any suggestions?

-- AMOL MISHRA
aws-load-balancer
https
kubernetes
ssl
traefik

0 Answers
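
A pre-flight check for the kind of files listed in step 1 (csr, key, interm) before they are placed in the Ingress TLS secret or in the chart's `defaultCert`/`defaultKey`, added here as an example that is not part of the original post. It only classifies PEM blocks by their label and does not diagnose the timeout; the function names are hypothetical and the sample blocks are constructed placeholders, not real certificates or keys.

```python
import base64
import re

# One PEM block; the END label must equal the BEGIN label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)
CERT = "CERTIFICATE"
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}
ENCRYPTED_KEY = "ENCRYPTED PRIVATE KEY"


def pem_labels(text):
    """Return the label of every well-formed PEM block in text, in order."""
    labels = []
    for label, body in PEM_BLOCK.findall(text):
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue  # body is not clean base64, so skip the block
        labels.append(label)
    return labels


def check_tls_material(cert_pem, key_pem):
    """Return findings for a cert/key pair; an empty list means none."""
    findings = []
    certs, keys = pem_labels(cert_pem), pem_labels(key_pem)
    if CSR_LABELS & set(certs):
        findings.append("cert input holds a CSR, not an issued certificate")
    if (KEY_LABELS | {ENCRYPTED_KEY}) & set(certs):
        findings.append("cert input holds a private key")
    if CERT not in certs:
        findings.append("cert input has no CERTIFICATE block")
    elif certs.count(CERT) == 1:
        findings.append("leaf certificate only, no intermediate appended")
    if ENCRYPTED_KEY in keys:
        findings.append("private key is passphrase-protected")
    elif not KEY_LABELS & set(keys):
        findings.append("key input has no PRIVATE KEY block")
    return findings


def sample_block(label):
    """Constructed PEM block: valid base64 body, not real key material."""
    body = base64.b64encode(b"constructed sample, not a real DER object")
    return f"-----BEGIN {label}-----\n{body.decode()}\n-----END {label}-----\n"
```

The check looks at labels only, so it will not notice a certificate and key that do not belong together or a certificate that has expired.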