Hello and thank you for your time. I will try to explain what my experiment is. In Kubernetes I have an app deployed. I can reach it with a load balancer, and using Traefik I can reach it via HTTP. I would like to reach it via HTTPS. To achieve that result I am attempting to follow YouTube videos and the Traefik documentation and to use cert-manager. I like to work using yml files, but if there is a better way please tell me, since I am learning from practice. I will post all the yml files (in theory), hoping that ServerFault gives me enough space to publish them.
#001-role.yml
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-role
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - secrets
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.io
    resources:
      - middlewares
      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
      - serverstransporttcps
    verbs:
      - get
      - list
      - watch
#002-account.yml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-account
#003-role-binding.yml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-role-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-role
subjects:
  - kind: ServiceAccount
    name: traefik-account
    namespace: default
#004-traefik.yml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-deployment
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
          image: traefik:v3.2
          args:
            - --api.insecure
            - --providers.kubernetesingress
          ports:
            - name: web
              containerPort: 80
            - name: dashboard
              containerPort: 8080
#005-traefik-service.yml
apiVersion: v1
kind: Service
metadata:
  name: traefik-dashboard-service
spec:
  type: LoadBalancer
  ports:
    - port: 8080
      targetPort: dashboard
  selector:
    app: traefik
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-service
spec:
  type: LoadBalancer
  ports:
    - targetPort: web
      port: 80
  selector:
    app: traefik
#006-program-frontend-deployment.yml
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    kompose.cmd: kompose convert -f compose.yml
    kompose.version: 1.34.0 (HEAD)
  labels:
    io.kompose.service: program-frontend
  name: program-frontend
spec:
  replicas: 1
  selector:
    matchLabels:
      io.kompose.service: program-frontend
  template:
    metadata:
      annotations:
        kompose.cmd: kompose convert -f compose.yml
        kompose.version: 1.34.0 (HEAD)
      labels:
        io.kompose.service: program-frontend
    spec:
      containers:
        - env:
            - name: API_GATEWAY_BASE_URL
              value: http://edge-thinghy:9000
          image: program-image
          name: program-frontend
          ports:
            - name: program-frontend
              containerPort: 3000
              protocol: TCP
      imagePullSecrets:
        - name: ghcr-secret
      restartPolicy: Always
#007-program-frontend-service.yml
apiVersion: v1
kind: Service
metadata:
  annotations:
    kompose.cmd: kompose convert -f compose.yml
    kompose.version: 1.34.0 (HEAD)
  labels:
    io.kompose.service: program-frontend
  name: program-frontend
spec:
  ports:
    - name: program-frontend
      protocol: TCP
      port: 3000
      targetPort: program-frontend
  selector:
    io.kompose.service: program-frontend
#008-edit-program-service.yml
apiVersion: v1
kind: Service
metadata:
  name: program-frontend
spec:
  ports:
    - name: program-frontend
      port: 80
      targetPort: 3000
  selector:
    io.kompose.service: program-frontend
#009-program-ingress.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: program-ingress
spec:
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: program-frontend
                port:
                  name: program-frontend
#010-challenge.yml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: program-challenge
  namespace: default
spec:
  acme:
    email: [email protected]
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: program-issuer-account-key
    solvers:
      - http01:
          ingress:
            class: traefik
#011-ingress-rule.yml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: program-ssl-ingress
  namespace: default
  annotations:
    cert-manager.io/issuer: "program-challenge"
spec:
  tls:
    - hosts:
        - program-demo.example.domain
      secretName: tls-program-ingress-http
  rules:
    - host: program-demo.example.domain
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: program-frontend
                port:
                  name: program-frontend
#012-redirect-http-to-https.yml
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: program-frontend-redirect
spec:
  redirectScheme:
    scheme: https
    permanent: true
If I understood correctly, at that point I should be able to reach https://program-demo.example.domain, but I am only reaching http://program-demo.example.domain. Did I misread something in the documentation? Is something wrong in my reasoning? Thank you for your time in advance.
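The manifests in the question never give Traefik a TLS entrypoint (the Deployment in #004 only declares ports 80 and 8080, and the Service in #005 only publishes 80), and they never enable the kubernetescrd provider that reads the Middleware in #012, so even once cert-manager has stored a certificate in tls-program-ingress-http there is nothing listening on 443 to present it. The manifests below are an added example, not part of the question or of any answer, showing the minimum changes that make the posted setup serve HTTPS with Traefik v3 and the cert-manager HTTP-01 solver. They reuse the names from the question (traefik-account, program-frontend, program-challenge, program-frontend-redirect, the hostname program-demo.example.domain) and assume everything lives in the default namespace; program-http-ingress is a new name chosen here.

```yaml
# Added example, not the asker's manifests. Replaces #004: declares an HTTPS
# entrypoint and turns on the CRD provider so the Middleware in #012 is read.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
          image: traefik:v3.2
          args:
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
            - --providers.kubernetesingress
            - --providers.kubernetescrd
          ports:
            - name: web
              containerPort: 80
            - name: websecure
              containerPort: 443
---
# Replaces the web Service in #005: publish 443 next to 80. Port 80 stays open
# because the cert-manager HTTP-01 solver Ingress is served over plain HTTP.
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-service
spec:
  type: LoadBalancer
  ports:
    - name: web
      port: 80
      targetPort: web
    - name: websecure
      port: 443
      targetPort: websecure
  selector:
    app: traefik
---
# New (name chosen for this example): the plain-HTTP router for the host,
# pinned to the web entrypoint and carrying the redirect Middleware from #012,
# referenced as <namespace>-<name>@kubernetescrd.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: program-http-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
    traefik.ingress.kubernetes.io/router.middlewares: default-program-frontend-redirect@kubernetescrd
spec:
  rules:
    - host: program-demo.example.domain
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: program-frontend
                port:
                  name: program-frontend
---
# Replaces #011: same TLS Ingress, pinned to the websecure entrypoint with TLS
# explicitly enabled on the router. cert-manager fills the referenced secret.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: program-ssl-ingress
  annotations:
    cert-manager.io/issuer: "program-challenge"
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
    - hosts:
        - program-demo.example.domain
      secretName: tls-program-ingress-http
  rules:
    - host: program-demo.example.domain
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: program-frontend
                port:
                  name: program-frontend
```

Apply these in place of #004, the web Service in #005 and #011, and keep #010 and #012 as they are. Two pieces of the question are deliberately left out: the hostless Ingress in #009, which matches every request arriving on port 80 and is what answers the plain-HTTP URL today, and the dashboard LoadBalancer in #005, which publishes the unauthenticated `--api.insecure` dashboard on a public IP; the example drops that flag and the dashboard port, and kubectl port-forward into the pod is the safer way to look at it. The redirect is attached to the application's own HTTP router rather than to the whole entrypoint so that the solver Ingress cert-manager creates for /.well-known/acme-challenge/<token> on the same host keeps working: Traefik ranks routers by rule length by default, so that longer, more specific rule wins over PathPrefix(`/`). Before the Order can complete, DNS for the hostname has to resolve to the load balancer and port 80 has to be reachable from the internet; `kubectl get certificate,order,challenge -n default` shows where a stuck issuance is waiting.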
For setting up HTTPS for your Kubernetes app using Traefik as the Ingress controller and cert-manager for automatic SSL certificates, you can try installing the Helm chart (Helm is a package manager for Kubernetes). Below is an example of how to install it.
As per this documentation, when a TLS section is included, Traefik is told that the router is only going to handle HTTPS requests and that HTTP (non-TLS) requests should be ignored. In order to provide decrypted data to the services, Traefik will stop using the SSL connections.
Additionally, go through this community link, which will be helpful for your issue.