How to set up https on kubernetes bare metal using traefik ingress controller

7/6/2019

I'm running a Kubernetes cluster which consists of three nodes and works brilliantly, but it's time to make my web application secure, so I deployed an ingress controller (Traefik). But I was unable to find instructions for setting up HTTPS on it. I know most of the things I will have to do, like setting up a "secret" (container with certs), etc., but I was wondering how to configure my ingress controller and all files related to it so I would be able to use a secure connection.

I have already configured the ingress controller and created some frontends and backends. I also configured the nginx server (it's actually a web application I'm running) to work on port 443.


My web application deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx
spec:
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: nginx
  replicas: 3 # tells deployment to run 3 pods matching the template
  template: # create pods using pod definition in this template
    metadata:
      labels:
        app: nginx
    spec:
      containers:
      - name: nginx
        image: ilchub/my-nginx
        ports:
        - containerPort: 443
      tolerations:
      - key: "primary"
        operator: Equal
        value: "true"
        effect: "NoSchedule"

Traefik ingress controller deployment code

kind: Deployment
apiVersion: extensions/v1beta1
metadata:
  name: traefik-ingress
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        - name: admin
          containerPort: 8080
        args:
        - --api
        - --kubernetes
        - --logLevel=INFO

Ingress for traefik dashboard

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-web-ui
  namespace: kube-system
spec:
  rules:
  - host: cluster.aws.ctrlok.dev
    http:
      paths:
      - path: /
        backend:
          serviceName: traefik-web-ui
          servicePort: web

External expose related config

kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      nodePort: 30036
      name: web
    - protocol: TCP
      port: 443
      nodePort: 30035
      name: secure
    - protocol: TCP
      port: 8080
      nodePort: 30034
      name: admin
  type: NodePort

What I want to do is secure my application, which is already running. The final result has to be a webpage running over HTTPS.

-- dragonhaze
kubeadm
kubernetes
traefik-ingress

1 Answer

7/10/2019

Actually, you have 3 ways to configure Traefik to use https to communicate with backend pods:

  1. If the service port defined in the ingress spec is 443 (note that you can still use targetPort to use a different port on your pod).
  2. If the service port defined in the ingress spec has a name that starts with https (such as https-api, https-web or just https).
  3. If the ingress spec includes the annotation ingress.kubernetes.io/protocol: https.

If any of those configuration options exists, then the backend communication protocol is assumed to be TLS, and Traefik will connect via TLS automatically.

Also, additional authentication annotations should be added to the Ingress object, like:

ingress.kubernetes.io/auth-tls-secret: secret

And of course, add a TLS certificate to the Ingress.

-- A_Suh
Source: StackOverflow
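
The following manifest is an added example, not part of the original question or answer. It shows where each of the three backend-TLS options from the answer sits in a Service and Ingress for the question's nginx pods, together with the TLS certificate on the Ingress. The names `nginx-https` and `nginx-tls` and the host `app.example.com` are assumptions.

```yaml
# Added example. Assumed names: nginx-https (Service/Ingress),
# nginx-tls (Secret), app.example.com (host).
# The Secret must exist in the same namespace as the Ingress, e.g.:
#   kubectl create secret tls nginx-tls --cert=tls.crt --key=tls.key
apiVersion: v1
kind: Service
metadata:
  name: nginx-https
spec:
  selector:
    app: nginx              # pod label from the question's Deployment
  ports:
  - name: https             # option 2: port name starts with "https"
    port: 443               # option 1: service port is 443
    targetPort: 443         # nginx containerPort from the question
    protocol: TCP
---
apiVersion: extensions/v1beta1   # same Ingress API version the question uses
kind: Ingress
metadata:
  name: nginx-https
  annotations:
    kubernetes.io/ingress.class: traefik
    ingress.kubernetes.io/protocol: https   # option 3: explicit annotation
spec:
  tls:
  - hosts:
    - app.example.com
    secretName: nginx-tls   # certificate and key served to clients
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: nginx-https
          servicePort: https
```

Any one of the three marked options is enough on its own; they appear together here only so each can be seen in place.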