Traefik NodePort + GKE/GCE Ingress + HTTPS (+ Cloud Armor)

Hello there,

I followed the blog article "Google Cloud Armor and Traefik Proxy | Traefik Labs" to set up Cloud Armor in front of my GKE/Traefik cluster.

Before doing that, I had Traefik configured with a LoadBalancer service, and CRD IngressRoutes for my application (with cert-manager for SSL), and that all works well.

However, in order to be able to have Cloud Armor in front, we can't use LoadBalancer services; instead we have to use NodePort with a "catch-all" gce Ingress, as described in the blog article.

After following the blog article, I was able to configure Traefik with NodePort service and a "catch-all" gce Ingress.
That works well; I can also add IngressRoutes with a custom domain and successfully call them over HTTP.
However, and this is not part of that blog, how do I have to configure all that to enable HTTPS?
Because, AFAIK, the "catch-all" Ingress cannot be configured for HTTPS, as it would require a valid SSL certificate, but I don't yet know all the domains my cluster will be reachable on; that's something I would have done later with IngressRoute & cert-manager.
Does anyone know what to configure in order to accept HTTP & HTTPS?

Thanks in advance for your time & support.

Hey, experiencing same issues with it, have you found a solution yet?

FWIW we're interested in this too.

Though I'm just starting a research regarding this. Will report back if I manage to find a solution here too.

My instinct is that method described in the articles renders the following to be true:

  1. Traefik becomes merely a "backend" to which the load balancer "downstreams" the HTTP requests,
  2. the load balancer instance is now managed by Google Cloud and "controlled" via the k8s Ingress object,
  3. it is now the load balancer, and not Traefik, that should terminate the SSL,
  4. the Ingress object should now become aware of the available SSL certs.

Then we can probably use the spec.tls[].secretName field of the Ingress object to point to a list of secrets containing various certificates, including a wildcard certificate. One of spec.tls[].hosts would have to point to *.mydomain.com.

I'm still not 100% convinced 3 and 4 are true. But I intend to check it out.
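One way to lay out the Ingress side of what the previous post proposes, as an added example that is not part of the original thread or of Traefik's or Google's documentation: the certificate is attached to the GCE Ingress through spec.tls, the Ingress's default backend is Traefik's NodePort service, and Cloud Armor is bound to that backend through GKE's BackendConfig resource. The resource names, the namespace, the wildcard secret name and the Cloud Armor policy name are assumptions.

```yaml
# Added example (not from the original thread). Names, namespace, ports,
# the TLS secret and the Cloud Armor policy name are assumptions.

# Traefik exposed as NodePort: the GCE Ingress controller needs a NodePort
# (or NEG) service as its backend, not a LoadBalancer service.
apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: traefik
  annotations:
    # Binds the BackendConfig below (assumed name) to this backend.
    cloud.google.com/backend-config: '{"default": "traefik-backendconfig"}'
spec:
  type: NodePort
  selector:
    app.kubernetes.io/name: traefik
  ports:
    - name: web
      port: 80
      targetPort: web
      protocol: TCP
---
# GKE BackendConfig: attaches the Cloud Armor security policy to the
# load balancer backend that fronts Traefik.
apiVersion: cloud.google.com/v1
kind: BackendConfig
metadata:
  name: traefik-backendconfig
  namespace: traefik
spec:
  securityPolicy:
    name: my-cloud-armor-policy   # placeholder: your Cloud Armor policy name
---
# "Catch-all" GCE Ingress. TLS is terminated at the Google load balancer
# using the certificate in the referenced secret; everything is forwarded
# to Traefik over plain HTTP. The LB serves both :80 and :443 unless
# kubernetes.io/ingress.allow-http is set to "false".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-catch-all
  namespace: traefik
  annotations:
    kubernetes.io/ingress.class: "gce"
spec:
  tls:
    - hosts:
        - "*.mydomain.com"
      # Assumed kubernetes.io/tls secret holding the wildcard cert and key.
      secretName: wildcard-mydomain-tls
  defaultBackend:
    service:
      name: traefik
      port:
        name: web
```

With this layout Traefik's web entrypoint only ever sees plain HTTP coming from the Google load balancer; the client's original scheme and address arrive in X-Forwarded-Proto and X-Forwarded-For, which Traefik only honours from addresses listed in the entrypoint's forwardedHeaders.trustedIPs. Leaving that list empty (the default) means Traefik treats every request as plain HTTP, while listing anything broader than the load balancer's own ranges lets a client forge those headers.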

Quite some time has passed, have you been able to confirm your suspicions that the SSL must be moved upstream to the load balancer?

Thanks