Hello,
We are facing two issues in the current major version migration.
- Global http -> https redirect
- Shared wildcard certificate (V1 -> v2 migration | Kubernetes | multiple replica deployment | shared wildcard certificate)
We are currently running:
Traefik: traefik:v1.7.14-alpine
Kubernetes: v1.16.2
Providers: AWS, GCP, on-prem
We have 2 namespaces, running a total of 4 Traefik Deployments (3 replicas in each Deployment):
- private-ingress namespace
  - Traefik Deployment terminating TLS (x3)
  - Traefik Deployment where ELB terminates TLS (x3)
- public-ingress namespace
  - Traefik Deployment terminating TLS (x3)
  - Traefik Deployment where ELB terminates TLS (x3)
First is the global http -> https redirect, which we previously managed via CLI options directly on the Traefik instances:

```yaml
- --entryPoints=Name:http-redirect Address::80 Redirect.Regex:^http://(.*) Redirect.Replacement:https://$1
```

I have found Idez's solution for global redirect via the file provider: Global http to https redirect in v2. This does not work as gracefully when translated into Kubernetes resources.
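```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: http-redirect-ingressroute
  labels:
    kubernetes.io/ingress.class: traefik-private-tls
spec:
  entryPoints:
    - web
  routes:
    # Catch-all rule: matches any host on the web entry point
    - match: HostRegexp(`{host:.+}`)
      kind: Rule
      services:
        # A backing Service is required even though the middleware redirects
        - name: dummy-cert-loader
          port: 80
      middlewares:
        # Redirect middleware (its definition is not shown in this post)
        - name: redirect
      priority: 1000
```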
- You need to have a "real" Kubernetes Service specified to route to.
- That Service must be available, otherwise the route stops being active, the redirect stops, and you start serving plain-text.

The simplest Kubernetes Service we managed to come up with is using `ExternalName`, but it still needs to be an endpoint of some sort that's 100% available.
```yaml
apiVersion: v1
kind: Service
metadata:
  name: dummy-cert-loader
  namespace: sys-ingress-certs
spec:
  type: ExternalName
  # Must point at an endpoint that is always available
  externalName: example.com
  ports:
    - name: web
      port: 80
```
Is there a better solution for a global https redirect? We have 320 Ingress resources in just one of our Production clusters, owned by many teams in the department. It would be a large undertaking to translate Ingress -> IngressRoute resources all at once.
Thank you
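
A probe for the failure mode described in the post above, where the redirect route goes inactive and port 80 answers without a redirect. This is an added example, not part of the original post; the function names, the `example.test` hostnames and the sample responses are assumptions constructed for illustration.

```python
"""Probe: does the plain-HTTP entry point still answer with an HTTPS redirect?"""
import http.client
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}

def classify(status, location, host):
    """Judge one response seen on the HTTP entry point for the given Host."""
    if status not in REDIRECT_CODES:
        return "no-redirect"          # content or an error served over plain HTTP
    target = urlsplit(location or "")
    if target.scheme != "https":
        return "redirect-not-https"
    # The redirect in the post keeps the requested host, so a change is flagged.
    if (target.hostname or "") != host.lower():
        return "redirect-other-host"
    return "ok"

def probe(address, host, port=80, path="/", timeout=5):
    """Send one GET (http.client never follows redirects) and classify it."""
    conn = http.client.HTTPConnection(address, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        resp.read()
        return classify(resp.status, resp.getheader("Location"), host)
    except (OSError, http.client.HTTPException) as exc:
        return f"unreachable: {exc}"
    finally:
        conn.close()

def failing(samples):
    """Return {host: verdict} for every sample that is not a clean redirect."""
    return {h: v for h, s, loc in samples if (v := classify(s, loc, h)) != "ok"}

# Constructed sample responses (host, status, Location), not captured traffic.
SAMPLES = [
    ("app.example.test", 301, "https://app.example.test/"),
    ("api.example.test", 200, None),
    ("old.example.test", 302, "http://old.example.test/login"),
    ("www.example.test", 308, "https://example.test/"),
]

if __name__ == "__main__":
    for host, verdict in failing(SAMPLES).items():
        print(f"{host}: {verdict}")
```

Run `probe()` against each ingress address from monitoring, with a hostname that has no Ingress or IngressRoute of its own, so that only the catch-all redirect can answer it.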