K
Q

How to set up https on kubernetes bare metal using traefik ingress controller

7/6/2019

I'm running a kubernetes cluster which consists of three nodes and brilliantly works, but it's time to make my web application secure, so I deployed an ingress controller(traefik). But I was unable to find instructions for setting up https on it. I know most of things I will have to do, like setting up a "secret"(container with certs) etc. but I was wondering how to configure my ingress controller and all files related to it so I would be able to use secure connection

I have already configured ingress controller and created some frontends and backends. Also I configured nginx server(It's actually a web application I'm running) to work on 443 port

My web application deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: nginx
  replicas: 3 # tells deployment to run 3 pods matching the template
  template: # create pods using pod definition in this template
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: ilchub/my-nginx
        ports:
        - containerPort: 443
      tolerations:
      - key: "primary"
        operator: Equal
        value: "true"
        effect: "NoSchedule"

Traefik ingress controller deployment code

kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: secure
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO

Ingress for traefik dashboard

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  rules:
  - host: cluster.aws.ctrlok.dev
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web

External expose related config

kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      nodePort: 30036
      name: web
    - protocol: TCP
      port: 443
      nodePort: 30035
      name: secure
    - protocol: TCP
      port: 8080
      nodePort: 30034
      name: admin
  type: NodePort

What I want to do is securing my application which is already running. Final result has to be a webpage running over https

-- dragonhaze
kubeadm
kubernetes
traefik-ingress

Similar Questions

Copy .kube config file from master to all nodes using ansible
Kubernetes: MountVolume.SetUp failed: hostPath type check failed is not a directory
Azure devops build push image to aks
How to configure the 'efs-provider' for Kubernetes?
Access Prometheus GUI on Kubernetes Cluster with Istio
Kubernetes AutoScaler - Where should I specify scaledown and scaleup
How to run python code in .net core web application deployed on k8s?
How to allow a non-root user to write to a mounted EFS in EKS
K8S Forbit job if another job is running
update k8s ingress via service account

1 Answer

7/10/2019

Actually you have 3 ways to configure Traefik to use https to communicate with backend pods:

  1. If the service port defined in the ingress spec is 443 (note that you can still use targetPort to use a different port on your pod).
  2. If the service port defined in the ingress spec has a name that starts with https (such as https-api, https-web or just https).
  3. If the ingress spec includes the annotation ingress.kubernetes.io/protocol: https.

If either of those configuration options exist, then the backend communication protocol is assumed to be TLS, and will connect via TLS automatically.

Also additional authentication annotations should be added to the Ingress object, like:

ingress.kubernetes.io/auth-tls-secret: secret

And of course, add a TLS Certificate to the Ingress

-- A_Suh
Source: StackOverflow