Have I understood correctly how to protect a program in Kubernetes with Traefik?

Hello, I was attempting to follow the official documentation for Traefik.
To give a better example and see if I understood the logic behind it, I will post all the yml files I am using.
I want to protect an app that runs on port 3000 by putting it behind Traefik 3.2.1 and HTTPS. In order to get the Let's Encrypt certificate I will use the HTTP challenge and certificate manager 1.16.1.

001-role.yml

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-role

rules:
  - apiGroups:
      - ""
    resources:
      - services
      - secrets
      - nodes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - discovery.k8s.io
    resources:
      - endpointslices
    verbs:
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.io
    resources:
      - middlewares
      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
      - serverstransporttcps
    verbs:
      - get
      - list
      - watch

002-account.yml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-account

003-role-binding.yml

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-role-binding

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-role
subjects:
  - kind: ServiceAccount
    name: traefik-account
    namespace: default 

004-traefik.yml

kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-deployment
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-account
      containers:
        - name: traefik
          image: traefik:v3.2
          args:
            - --api.insecure
            - --providers.kubernetesingress
          ports:
            - name: web
              containerPort: 80
            - name: dashboard
              containerPort: 8080

005-traefik-services.yml

apiVersion: v1
kind: Service
metadata:
  name: traefik-dashboard-service

spec:
  type: LoadBalancer
  ports:
    - port: 8080
      targetPort: dashboard
  selector:
    app: traefik
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-web-service

spec:
  type: LoadBalancer
  ports:
    - targetPort: web
      port: 80
  selector:
    app: traefik

006-program-frontend-deployment.yml

apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    kompose.cmd: kompose convert -f compose.yml
    kompose.version: 1.34.0 (HEAD)
  labels:
    io.kompose.service: program-frontend
  name: program-frontend
spec:
  replicas: 1
  selector:
    matchLabels:
      io.kompose.service: program-frontend
  template:
    metadata:
      annotations:
        kompose.cmd: kompose convert -f compose.yml
        kompose.version: 1.34.0 (HEAD)
      labels:
        io.kompose.service: program-frontend
    spec:
      containers:
        - env:
            - name: API_GATEWAY_BASE_URL
              value: http://edge-thinghy:9000
          image: program-image
          name: program-frontend
          ports:
            -  name: program-frontend
               containerPort: 3000
               protocol: TCP
      imagePullSecrets:
        - name: ghcr-secret
      restartPolicy: Always

007-program-frontend-service.yml

apiVersion: v1
kind: Service
metadata:
  annotations:
    kompose.cmd: kompose convert -f compose.yml
    kompose.version: 1.34.0 (HEAD)
  labels:
    io.kompose.service: program-frontend
  name: program-frontend
spec:
  ports:
    - name: program-frontend
      protocol: TCP
      port: 3000
      targetPort: program-frontend
  selector:
    io.kompose.service: program-frontend

008-edit-program-frontend-service.yml

apiVersion: v1
kind: Service
metadata:
  name: program-frontend

spec:
  ports:
    - name: program-frontend
      port: 80
      targetPort: 3000

  selector:
      io.kompose.service: program-frontend

009-program-ingress.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: program-ingress
spec:
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: program-frontend
            port: 
              name: program-frontend

010-challenge.yml

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
 name: program-challenge
 namespace: default
spec:
 acme:
   email: my-mail@my.domain
   server: https://acme-v02.api.letsencrypt.org/directory
   privateKeySecretRef:
     # if not existing, it will register a new account and stores it
     name: program-issuer-account-key
   solvers:
     - http01:
         # The ingressClass used to create the necessary ingress routes
         ingress:
           class: traefik

011-ingress-rule.yml

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
 name: program-ssl-ingress
 namespace: default
 annotations:
   cert-manager.io/issuer: "program-challenge"
spec:
 tls:
   - hosts:
       - program-demo.example.domain
     secretName: tls-program-ingress-http
 rules:
   - host: program-demo.example.domain
     http:
       paths:
         - path: /
           pathType: Prefix
           backend:
             service:
               name: program-frontend
               port:
                 name: program-frontend

012-redirect-to-https

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: program-frontend-redirect
spec:
  redirectScheme:
    scheme: https
    permanent: true

At this point, after applying all the yml files and getting no errors, if I understood the documentation correctly, I should be able to reach https://program-demo.example.domain, but I can't.
I get a timeout error.
I can only reach http://program-demo.example.domain
Am I missing something?
If I check the Traefik pod logs I can see a lot of errors mentioning this fact:

ERR Skipping service: no endpoints found ingress=program-ingress namespace=default providerName=kubernetes serviceName=program-frontend servicePort=&ServiceBackendPort{Name:program-frontend,Number:0,}
ERR Skipping service: no endpoints found ingress=program-ssl-ingress namespace=default providerName=kubernetes serviceName=program-frontend servicePort=&ServiceBackendPort{Name:program-frontend,Number:0,}

OK, I got rid of the errors in the logs. I still do not get to HTTPS; only HTTP works. What am I missing?

Hello,
I really don't understand why Traefik is not implementing HTTPS.
On the terminal, if I give:

$ kubectl get pods
NAME                                  READY   STATUS    RESTARTS     
program-frontend-6f9dbd5c7b-qzd48        1/1     Running   0           
program-postgres-67b59df8b5-59lh2        1/1     Running   0            
company-service-855864d49-mrkrp       1/1     Running   0            
edge-service-5cd9945fbc-tzthl         1/1     Running   0            
location-service-68db8f867b-wzf4j     1/1     Running   0           
traefik-794dd86b89-8dfbl              1/1     Running   0            
traefik-deployment-5775d777d5-7wc4n   1/1     Running   0            
user-service-5f5c46df5f-j2lqg         1/1     Running   1 (9d ago)   
$ kubectl get services
NAME                        TYPE           CLUSTER-IP       EXTERNAL-IP       PORT(S)                      
program-frontend               ClusterIP      10.245.22.90     <none>            80/TCP                       
program-postgres               ClusterIP      10.245.144.224   <none>            5432/TCP                    
company-service             ClusterIP      10.245.25.182    <none>            9003/TCP                     
edge-service                ClusterIP      10.245.117.252   <none>            9000/TCP                     
kubernetes                  ClusterIP      10.245.0.1       <none>            443/TCP                      
location-service            ClusterIP      10.245.117.224   <none>            9002/TCP                     
traefik                     LoadBalancer   10.245.116.223   ext-ip-traefik    80:31166/TCP,443:32714/TCP   
traefik-dashboard-service   LoadBalancer   10.245.10.191    ext-ip-dashboard    8080:30302/TCP               
traefik-web-service         LoadBalancer   10.245.184.80    desired-ext-ip   80:32250/TCP                 
user-service                ClusterIP      10.245.119.103   <none>            9001/TCP                     
$ kubectl logs traefik-deployment-5775d777d5-7wc4n
$ kubectl logs traefik-794dd86b89-8dfbl
INF Traefik version 3.2.2 built version=3.2.2
INF Stats collection is enabled.
INF Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.
INF Help us improve Traefik by leaving this feature on :)
INF More details on: https://doc.traefik.io/traefik/contributing/data-collection/
INF Starting provider aggregator *aggregator.ProviderAggregator
INF Starting provider *traefik.Provider
INF Starting provider *crd.Provider
INF label selector is: "" providerName=kubernetescrd
INF Creating in-cluster Provider client providerName=kubernetescrd
INF Starting provider *ingress.Provider
INF ingress label selector is: "" providerName=kubernetes
INF Creating in-cluster Provider client providerName=kubernetes
INF Starting provider *acme.ChallengeTLSALPN
WRN No domain found in rule PathPrefix(`/`), the TLS options applied for this router will depend on the SNI of each request entryPointName=websecure routerName=websecure-default-program-ingress@kubernetes
INF Updated ingress status ingress=program-ingress namespace=default
INF Updated ingress status ingress=program-ssl-ingress namespace=default

Since I do not have any evident error, I would suppose that https://desired-ext-ip would get me to the app protected by HTTPS, but it's not working.

https://program-demo.example.domain should point to ext-ip-traefik; this way everything works.
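
The check behind that last reply, as an added example that is not part of the original thread: it parses `kubectl get services` text output and reports, per LoadBalancer address, whether port 443 is published and whether the dashboard port 8080 (opened by `--api.insecure` in 004-traefik.yml) is reachable from outside. The sample rows are copied from the output posted above; the function names are hypothetical.

```python
# Added example: audit LoadBalancer Services from `kubectl get services` text output.

# Rows copied from the output posted in the thread (external IPs are the poster's placeholders).
SAMPLE = """\
NAME                        TYPE           CLUSTER-IP       EXTERNAL-IP       PORT(S)
program-frontend            ClusterIP      10.245.22.90     <none>            80/TCP
traefik                     LoadBalancer   10.245.116.223   ext-ip-traefik    80:31166/TCP,443:32714/TCP
traefik-dashboard-service   LoadBalancer   10.245.10.191    ext-ip-dashboard  8080:30302/TCP
traefik-web-service         LoadBalancer   10.245.184.80    desired-ext-ip    80:32250/TCP
"""

DASHBOARD_PORT = 8080  # port the Traefik API/dashboard listens on with --api.insecure


def parse_services(text):
    """Return a list of dicts with name, type, external_ip and service ports."""
    services = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed or truncated row
        name, svc_type, _cluster_ip, external_ip, ports = fields[:5]
        # "80:31166/TCP,443:32714/TCP" -> [80, 443]; the service port precedes ":"
        numbers = [int(p.split("/")[0].split(":")[0]) for p in ports.split(",")]
        services.append({"name": name, "type": svc_type,
                         "external_ip": external_ip, "ports": numbers})
    return services


def audit(services):
    """Map each LoadBalancer external IP to a list of findings (empty = serves 443)."""
    findings = {}
    for svc in services:
        if svc["type"] != "LoadBalancer":
            continue
        notes = []
        if 443 not in svc["ports"]:
            notes.append("no 443: https:// to this address cannot connect")
        if DASHBOARD_PORT in svc["ports"]:
            notes.append("8080 published: dashboard is unauthenticated with --api.insecure")
        findings[svc["external_ip"]] = notes
    return findings


if __name__ == "__main__":
    for ip, notes in audit(parse_services(SAMPLE)).items():
        print(ip, "->", notes or ["serves 443"])
```

On the posted output this shows that only `ext-ip-traefik` publishes 443, which is why HTTPS to `desired-ext-ip` timed out, and that the dashboard Service is exposed on its own external address.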
