Traefik NodePort + GKE/GCE Ingress + HTTPS (+ Cloud Armor)

igoooor · September 26, 2022, 1:29pm

Hello there,

I followed that blog article Google Cloud Armor and Traefik Proxy | Traefik Labs to setup Cloud Armor in front of my GKE/Traefik cluster.

Before doing that, I had Traefik configured with a LoadBalancer service, and CRD IngressRoutes for my application (with cert-manager for SSL), and that all works well.

However, in order to be able to have Cloud Armor on front, we can't use LoadBalancer services, but instead we have to use NodePort with a "catch-all" gce Ingress, as described by the blog article.

After following the blog article, I was able to configure Traefik with NodePort service and a "catch-all" gce Ingress.
That works well, I can also add IngressRoutes with custom domain and successfully call them in HTTP.
However, and that is not part of that blog, how do I have to configure all that to enable HTTPS?
Because, AFAIK, the "catch all" ingress can not be configured for HTTPS, as it would require a valid ssl certificate, but I don't know yet all the domains that my cluster will be reachable to, that's something I would have done later with with IngressRoute & cert-manager.
Does anyone know what to configure in order to accept HTTP & HTTPS?

Thanks in advance for your time & support.

mikejoseph-ah · November 6, 2022, 10:11am

Hey, experiencing same issues with it, have you found a solution yet?

eugene · March 16, 2023, 3:34pm

FWIW we're interested in this too.

Though I'm just starting a research regarding this. Will report back if I manage to find a solution here too.

eugene · March 16, 2023, 3:47pm

My instinct is that method described in the articles renders the following to be true:

traefik becomes merely a "backed" to which load balancer "downstreams" the HTTP requests,
load balancer instance is now managed by Google Cloud + "controlled" via k8s Ingress object,
it is now load balancer and not traefik that should now terminate the SSL,
ingress object should now become aware of available SSL-certs.

Then, probably we can use the spec.tls[].secretName field of Ingress object to point to a list of secrets containing various certificates, including a wildcard certificate. One of spec.tls[].hosts would have to point to *.mydomain.com.

I'm still not 100% convinced 3 and 4 are true. But I intend to check out.

DanG · April 10, 2024, 5:27pm

Quite some time has passed, have you been able to confirm your suspicions that the SSL must be moved upstream to the load balancer?

Thanks

Topic		Replies	Views
How to configure GCP Cloud Armour with Traefik ingress in GKE Autopilot? Traefik v2 kubernetes-ingress	26	3605	January 10, 2022
Traefik Ingress: forwarding to Caddy load balancer - TLS Issues Traefik v2 kubernetes-ingress	2	261	June 7, 2024
Traefik v2 - aws kubeernetes Traefik v2 kubernetes-ingress	0	485	June 22, 2020
EKS Traefik Ingress Controller with Application Load Balancer Traefik v2 kubernetes-ingress	1	2457	April 28, 2021
Traefik default tls on kubernetes Traefik v2 file , kubernetes-ingress	2	1424	December 28, 2021

Traefik NodePort + GKE/GCE Ingress + HTTPS (+ Cloud Armor)

Related topics