Use traefik as a proxy and letsencrypt ssl certificate manager with kubernetes

Hello,
I am learning Kubernetes and Traefik.
I would like to deploy Traefik in Kubernetes.
Right now I have a test environment on DigitalOcean, but the questions are about Traefik and Kubernetes in general.
I currently have this situation.

kubectl get pods,services
NAME                                     READY   STATUS    RESTARTS       AGE
pod/app-frontend-5d5584888d-9mzhv       1/1     Running   0              114m
pod/app-backend-67b59df8b5-59lh2       1/1     Running   0              114m
pod/cm-acme-http-solver-qh8ms            1/1     Running   0              63m
pod/company-service-855864d49-mrkrp      1/1     Running   0              114m
pod/edge-service-5cd9945fbc-tzthl        1/1     Running   0              114m
pod/location-service-68db8f867b-wzf4j    1/1     Running   0              114m
pod/tomcat-deployment-69677f796c-57xh7   1/1     Running   0              39m
pod/traefik-5d86ff94c5-c6m9f             1/1     Running   0              22h
pod/traefik-deployment-c8bdf66f5-kgng2   1/1     Running   0              4h46m
pod/user-service-5f5c46df5f-j2lqg        1/1     Running   1 (113m ago)   114m

NAME                                TYPE           EXTERNAL-IP       PORT(S)                      AGE
service/app-frontend               LoadBalancer   app-ext-ip     3000:32459/TCP               114m
service/app-backend               ClusterIP      <none>            5432/TCP                     114m
service/cm-acme-http-solver-fcgpr   NodePort    <none>            8089:30577/TCP               63m
service/company-service             ClusterIP   <none>            9003/TCP                     114m
service/edge-service                ClusterIP  <none>            9000/TCP                     114m
service/kubernetes                  ClusterIP   <none>            443/TCP                      23h
service/location-service            ClusterIP  <none>            9002/TCP                     114m
service/traefik                     LoadBalancer traefik-ext-ip   80:32591/TCP,443:30716/TCP   22h
service/traefik-dashboard-service   LoadBalancer  traefik-dashboard-ext-ip     8080:31431/TCP               4h44m
service/traefik-web-service         LoadBalancer  traefik-web-ext-ip   80:31211/TCP                 4h44m
service/user-service                ClusterIP <none>            9001/TCP                     114m

So far I have followed this guide: Secure Web Apps: Traefik Proxy, cert-manager & Let’s Encrypt
and I'm reading the documentation.
What I'm trying to understand and achieve is how to get Traefik to act as a proxy and SSL into app-frontend. Can you point me to some further documentation?

I have a question about this part of that beautiful guide:

HTTP challenge

For most common scenarios the HTTP-01 challenge is a convenient start to solve an ACME based validation. To make this scenario work, Traefik Proxy needs to be reachable from the internet on HTTP port 80, and the used DNS domain has to be configured to point to it.

So, do I have to make a DNS record that points to app.domain.example using the traefik-web-ext-ip or using the traefik-ext-ip?

For LetsEncrypt httpChallenge and tlsChallenge to work, you need to have purchased a domain name at a DNS provider and point the A/AAAA record to the public IP of the Traefik server, which is reachable on the Internet.

Traefik will request a TLS cert from LetsEncrypt and LetsEncrypt will request a verification via the domain name and public IP from Traefik.

Thank you for clarifying that.
At this moment I have 2 public IPs for Traefik.

service/traefik                     LoadBalancer traefik-ext-ip   80:32591/TCP,443:30716/TCP
service/traefik-web-service         LoadBalancer  traefik-web-ext-ip   80:31211/TCP 

Should I use the one of the traefik service, or the one of the traefik-web-service?
I think dns record A should point to traefik-web-service but I'm searching for documentation.

I think in general in k8s the TLS certs are handled by cert-manager (guide), not Traefik directly. But I am not a k8s user.

You are right.
I am now trying to figure out how Traefik can act as an HTTPS proxy.
I see the certificate in certificate manager.
If I type http://traefik-web-ext-ip I get to the app through Traefik.
If I type https://traefik-web-ext-ip I get a timeout.

Hello @bluepuma77, do you happen to know the apiVersion I should use in Traefik v3 to create the following via file.yml?

apiVersion: I_DO_NOT_KNOW
kind: Middleware
metadata:
  name: app-frontend
spec:
  redirectScheme:
    permanent: true
    scheme: https
---
apiVersion: I_DO_NOT_KNOW
kind: IngressRoute
metadata:
  name: app-frontend
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`traefik-web-ext-fqdn`)
      kind: Rule
      services:
        - name: app-frontend
          port: 80
      middlewares:
        - name: app-frontend

Or where could I find it?

traefik.io/v1alpha1
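
The manifests from the question with the API group from the reply filled in, plus an HTTPS router, as an added example that is not part of the original thread. The `websecure` entry point name and the `app-frontend-tls` Secret name are assumptions; port 3000 is the port service/app-frontend publishes in the listing above.

```yaml
# Added example, not from the thread. Assumptions are marked ASSUMED.
apiVersion: traefik.io/v1alpha1   # API group given in the reply above
kind: Middleware
metadata:
  name: app-frontend
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
# Plain-HTTP router: its only job is to redirect clients to HTTPS.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: app-frontend-http
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`traefik-web-ext-fqdn`)   # placeholder hostname from the thread
      kind: Rule
      middlewares:
        - name: app-frontend
      services:
        - name: app-frontend
          port: 3000   # Service port of service/app-frontend in the listing
---
# HTTPS router: Traefik terminates TLS using the certificate that
# cert-manager stored in a Kubernetes Secret in the same namespace.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: app-frontend-https
spec:
  entryPoints:
    - websecure   # ASSUMED name of the entry point bound to port 443
  routes:
    - match: Host(`traefik-web-ext-fqdn`)
      kind: Rule
      services:
        - name: app-frontend
          port: 3000
  tls:
    secretName: app-frontend-tls   # ASSUMED: secretName of the cert-manager Certificate
```

The HTTPS router only answers on a LoadBalancer Service that publishes port 443; in the listing above that is service/traefik (80 and 443), while traefik-web-service publishes port 80 only.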
