k3s redirect http to https
I'm trying to deploy AWX on k3s and everything works just fine, however I'd like to enforce SSL - so, redirect HTTP to HTTPS.
I've been trying to test the SSL enforcement part, however it's not working properly. Here is my traefik config:
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: traefik-crd
namespace: kube-system
spec:
chart: https://%{KUBERNETES_API}%/static/charts/traefik-crd-9.18.2.tgz
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: traefik
namespace: kube-system
spec:
chart: https://%{KUBERNETES_API}%/static/charts/traefik-9.18.2.tgz
set:
global.systemDefaultRegistry: ""
valuesContent: |-
ssl:
enforced: true
rbac:
enabled: true
ports:
websecure:
tls:
enabled: true
podAnnotations:
prometheus.io/port: "8082"
prometheus.io/scrape: "true"
providers:
kubernetesIngress:
publishedService:
enabled: true
priorityClassName: "system-cluster-critical"
image:
name: "rancher/library-traefik"
tolerations:
- key: "CriticalAddonsOnly"
operator: "Exists"
- key: "node-role.kubernetes.io/control-plane"
operator: "Exists"
effect: "NoSchedule"
- key: "node-role.kubernetes.io/master"
operator: "Exists"
effect: "NoSchedule"According to the Helm chart here https://github.com/helm/charts/tree/master/stable/traefik#configuration, the ssl.enforced parameter should do the trick however when I access my host using http it is still not redirecting me to https. I can see that Rancher is deploying a LB service for traefik as well, do I need to modify it somehow?
Similar Questions
3 Answers
Here are the details for the way proposed by dywan666:
- Login on your k3s server via ssh
- Open
/var/lib/rancher/k3s/server/manifests/traefik.yaml - Add
ports.web.redirectTo: websecureas shown here:
- Can can now see that k3s automatically re-ran the
helm-install-treafikjob
- Now I recommend you verify with curl that the redirect is enforced:
curl -v http://my.web.app
It should look like this:
* Trying 1.2.3.4:80...
* TCP_NODELAY set
* Connected to my.web.app (1.2.3.4) port 80 (#0)
> GET / HTTP/1.1
> Host: my.web.app
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: https://my.web.app/
< Date: Wed, 13 Apr 2022 08:24:47 GMT
< Content-Length: 17
< Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host my.web.app left intact
A complement of GAmeScripting answer. The K3S do not recommend changes in the source config file. You can apply a HelmChartConfig like this:
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: traefik
namespace: kube-system
spec:
valuesContent: |-
ports:
websecure:
tls:
enabled: true
web:
redirectTo: websecureI struggled myself to make redirection work, and finally found a working configuration.
You should define a Middleware object in kubernetes, and your Ingress object must reference it. Beware, because the documentation in traefik is very misleading here, because the Middleware manifest found on many pages forget the 'namespace' annotation, so they assure this is 'default' (which is stupid btw, no serious people work on default namespace).
Thus, here is a working configuration :
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: redirect
namespace: some_namespace
spec:
redirectScheme:
scheme: https
permanent: trueand
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wordpress
namespace: your_app_namespace
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.middlewares: some_namespace-redirect@kubernetescrd
spec:
tls:
- secretName: your_certificate
hosts:
- www.your_website.com
rules:
- host: www.your_website.com
http:
paths:
- path: /
backend:
service:
name: your_service
port:
number: 80
pathType: ImplementationSpecificSo the trick is to :
- define a Middleware object (in any namespace you want, but that may be in the same one as your app)
- reference it in
traefik.ingress.kubernetes.io/router.middlewareswith the syntax<NAMESPACE>-<NAME>@kubernetescrd(where NAMESPACE and NAME are those of the Middleware object)