Automating HTTPS with Traefik 2.0

In the previous article, we implemented Traefik 2.0 to expose Redis (TCP) services. We learned that using TCP routing configuration in Traefik requires SNI, which relies on TLS, so we need to configure certificates for normal access to TCP services. In fact, Traefik not only supports manually configuring TLS certificates but also supports automatically generating TLS certificates. This article will introduce how to configure automated HTTPS services in Traefik 2.0.


As before, the prerequisite is to have Traefik 2.0 installed in the Kubernetes cluster. You can refer to the installation resource list we provided earlier at https://github.com/cnych/kubeapp/tree/master/traefik2. It contains four files: IngressRoute.yaml, crd.yaml, rbac.yaml and traefik.yaml, and we will modify some of them below.

We will take Traefik’s WebUI as an example. Previously, we enabled the KubernetesCRD provider and accessed the WebUI by creating an IngressRoute object. The resource list is as follows: (IngressRoute.yaml)

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-webui
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`traefik.qikqiak.com`)
    kind: Rule
    services:
    - name: traefik
      port: 8080

To use Let’s Encrypt for automated HTTPS, we first need to enable ACME. ACME is part of Traefik’s static configuration, so it must be supplied the way static configuration is: through the configuration file, environment variables, or command-line arguments. Here we use command-line arguments, adding the following parameters to Traefik’s Deployment:

args:
- --entrypoints.web.Address=:80
- --entrypoints.websecure.Address=:443
- --api.insecure=true  # Required to expose the WebUI; serves the API on port 8080 without authentication
- --providers.kubernetescrd
- --api
- --api.dashboard=true
- --accesslog
# Use the TLS-ALPN-01 challenge (tlsChallenge) for ACME validation
- --certificatesresolvers.default.acme.tlsChallenge=true
# Contact e-mail for the ACME account
- --certificatesResolvers.default.acme.email="[email protected]"
# Location to save the ACME account and certificates; must persist across pod restarts
- --certificatesResolvers.default.acme.storage="acme.json"
# The following is the Let's Encrypt staging CA for testing (its certificates are not browser-trusted). Once HTTPS certificate generation succeeds, remove this parameter
- --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
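As an added example (not part of the original article and not code from the Traefik project), the following Python script parses a Traefik argument list like the one above and flags the settings that are acceptable while testing but should be fixed before the deployment is exposed: the staging CA server left in place, api.insecure=true, a relative acme.json path, a missing contact e-mail, and tlsChallenge with no entrypoint listening on port 443. The argument list, the placeholder e-mail address and the finding codes are constructed for this example; the parser relies on Traefik matching flag names case-insensitively and treating a bare flag as true.

```python
"""Lint a Traefik 2.x argument list for ACME and API settings that are
fine while testing but unsafe or fragile in production.
Added example for this article; not code from the Traefik project."""
from typing import Dict, List, Tuple

# Constructed sample: the arguments shown in this article with the YAML
# comment lines dropped and a placeholder contact address.
SAMPLE_ARGS = [
    "--entrypoints.web.Address=:80",
    "--entrypoints.websecure.Address=:443",
    "--api.insecure=true",
    "--providers.kubernetescrd",
    "--api",
    "--api.dashboard=true",
    "--accesslog",
    "--certificatesresolvers.default.acme.tlsChallenge=true",
    '--certificatesResolvers.default.acme.email="admin@example.com"',
    '--certificatesResolvers.default.acme.storage="acme.json"',
    "--certificatesresolvers.default.acme.caserver="
    "https://acme-staging-v02.api.letsencrypt.org/directory",
]


def parse_args(args: List[str]) -> Dict[str, str]:
    """Map '--key=value' flags to a lowercase key -> value dict.

    Traefik matches flag names case-insensitively (hence the mixed
    'certificatesresolvers'/'certificatesResolvers' spelling above) and
    treats a bare flag such as '--api' as the boolean true.
    """
    parsed: Dict[str, str] = {}
    for arg in args:
        if not arg.startswith("--"):
            continue
        key, has_value, value = arg[2:].partition("=")
        if not has_value:
            value = "true"
        parsed[key.lower()] = value.strip().strip("\"'")
    return parsed


def lint_traefik_args(args: List[str]) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means nothing to fix."""
    cfg = parse_args(args)
    findings: List[Tuple[str, str]] = []

    if cfg.get("api.insecure") == "true":
        findings.append((
            "API_INSECURE",
            "api.insecure=true serves the API and dashboard on port 8080 without "
            "authentication; that port must not be reachable from outside",
        ))

    # TLS-ALPN-01 (tlsChallenge) requires Let's Encrypt to reach Traefik on 443.
    listens_on_443 = any(
        key.startswith("entrypoints.") and key.endswith(".address")
        and value.endswith(":443")
        for key, value in cfg.items()
    )

    resolvers = {key.split(".")[1] for key in cfg
                 if key.startswith("certificatesresolvers.")}
    for name in sorted(resolvers):
        prefix = f"certificatesresolvers.{name}.acme."
        if "acme-staging" in cfg.get(prefix + "caserver", ""):
            findings.append(("STAGING_CA", f"resolver '{name}' still points at the "
                             "Let's Encrypt staging CA; its certificates are not "
                             "trusted by browsers"))
        if cfg.get(prefix + "tlschallenge") == "true" and not listens_on_443:
            findings.append(("NO_443_ENTRYPOINT", f"resolver '{name}' uses "
                             "tlsChallenge but no entrypoint listens on :443"))
        storage = cfg.get(prefix + "storage", "")
        if storage and not storage.startswith("/"):
            findings.append(("RELATIVE_STORAGE", f"resolver '{name}' stores "
                             f"'{storage}' relative to the working directory; put "
                             "it on a persistent volume (mode 0600) or every pod "
                             "restart re-issues certificates and burns rate limits"))
        if not cfg.get(prefix + "email"):
            findings.append(("NO_EMAIL", f"resolver '{name}' has no contact "
                             "e-mail for expiry notices"))
    return findings


if __name__ == "__main__":
    for code, message in lint_traefik_args(SAMPLE_ARGS):
        print(f"{code}: {message}")
```

Run against the article’s argument list it reports API_INSECURE, STAGING_CA and RELATIVE_STORAGE; once the staging caserver is removed, api.insecure is turned off and the storage path points at a mounted volume, it reports nothing.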

Here we are using the tlsChallenge method for ACME verification. It is important to note that with this method, Let’s Encrypt must be able to reach Traefik on port 443. Besides this method there are also the httpChallenge and dnsChallenge methods, with httpChallenge being the most commonly used. You can refer to the Traefik documentation for the usage of these verification methods.

Above, we have effectively defined a certificate resolver named default. Make sure that the WebUI domain traefik.qikqiak.com resolves to the node where Traefik is running. Once DNS resolves correctly, redeploy Traefik:

$ kubectl apply -f traefik.yaml

Once deployed, we need the WebUI domain to be served on port 443. Since we are using the tlsChallenge verification method, we create a new object in the IngressRoute.yaml file that listens on port 443, as shown below:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-webui-tls
  namespace: kube-system
spec:
  entryPoints:
  - websecure  # Note that this entryPoint is websecure, listening on port 443
  routes:
  - match: Host(`traefik.youdianzhishi.com`)
    kind: Rule
    services:
    - name: traefik
      port: 8080
  tls:
    certResolver: default  # Use the default resolver we configured

Then update the object:

$ kubectl apply -f IngressRoute.yaml
# Now there are two IngressRoute objects
$ kubectl get ingressroutes -n kube-system
NAME                AGE
traefik-webui       28d
traefik-webui-tls   5h15m

If everything is normal at this point, we should be able to access our service via HTTPS.


Traefik automatically tracks the expiration dates of its generated ACME certificates. If the certificate is less than 30 days from expiration, Traefik attempts to automatically renew it.

The service is still reachable over plain HTTP as well. To force HTTP requests to redirect to HTTPS, we need to use the middleware provided by Traefik 2.0.


Next, add a Middleware object to the IngressRoute.yaml file as follows:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
  namespace: kube-system
spec:
  redirectScheme:
    scheme: https

Here we declare a Middleware named redirect-https of type redirectScheme, which redirects requests to another scheme (https). Then we attach this middleware to the HTTP route:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-webui
  namespace: kube-system
spec:
  entryPoints:
  - web
  routes:
  - match: Host(`traefik.youdianzhishi.com`)
    kind: Rule
    services:
    - name: traefik
      port: 8080
    middlewares:  # Use the middleware we created above
    - name: redirect-https

Then update the object:

$ kubectl apply -f IngressRoute.yaml

Now, when we access the WebUI service via HTTP, it is automatically redirected to HTTPS. See the middleware documentation for more information about middlewares.
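As an added example (not code from the article or the Traefik project), this Python audit takes the IngressRoute and Middleware objects from this article, represented as the dictionaries kubectl get -o json would return, and checks the two properties the article sets up: every route on the HTTP entrypoint carries a Middleware whose redirectScheme targets https (resolved by reference, so a dangling middleware name is caught), and every route on the HTTPS entrypoint has a tls section naming a certResolver or secretName. The objects, the helper _webui_route and the finding codes are constructed for this example; both the original traefik-webui route and its updated version with the middleware are included so the before/after difference is visible.

```python
"""Audit Traefik IngressRoute/Middleware objects for the invariants this
article sets up: HTTP routes redirect to HTTPS and HTTPS routes terminate TLS.
Added example; not code from the article or the Traefik project."""
from typing import Dict, Iterable, List, Set, Tuple

API = "traefik.containo.us/v1alpha1"

# Constructed object mirroring the Middleware manifest in this article.
MIDDLEWARE = {
    "apiVersion": API, "kind": "Middleware",
    "metadata": {"name": "redirect-https", "namespace": "kube-system"},
    "spec": {"redirectScheme": {"scheme": "https"}},
}


def _webui_route(name: str, entrypoints: Iterable[str],
                 middlewares=None, tls=None) -> Dict:
    """Constructed helper: build an IngressRoute for the WebUI service."""
    route = {"match": "Host(`traefik.youdianzhishi.com`)", "kind": "Rule",
             "services": [{"name": "traefik", "port": 8080}]}
    if middlewares:
        route["middlewares"] = middlewares
    spec = {"entryPoints": list(entrypoints), "routes": [route]}
    if tls is not None:
        spec["tls"] = tls
    return {"apiVersion": API, "kind": "IngressRoute",
            "metadata": {"name": name, "namespace": "kube-system"}, "spec": spec}


# The three states the article walks through: the plain HTTP route, the same
# route with the redirect middleware attached, and the TLS route on websecure.
ROUTE_HTTP_BEFORE = _webui_route("traefik-webui", ["web"])
ROUTE_HTTP_AFTER = _webui_route("traefik-webui", ["web"],
                                middlewares=[{"name": "redirect-https"}])
ROUTE_HTTPS = _webui_route("traefik-webui-tls", ["websecure"],
                           tls={"certResolver": "default"})


def https_redirect_middlewares(objs: Iterable[Dict]) -> Set[str]:
    """namespace/name of every Middleware whose redirectScheme targets https."""
    return {
        f"{o['metadata']['namespace']}/{o['metadata']['name']}"
        for o in objs
        if o.get("kind") == "Middleware"
        and o.get("spec", {}).get("redirectScheme", {}).get("scheme") == "https"
    }


def audit_ingressroutes(objs: List[Dict], http_entrypoints=("web",),
                        https_entrypoints=("websecure",)) -> List[Tuple[str, str, str]]:
    """Return (object, code, message) findings; an empty list means all good."""
    redirectors = https_redirect_middlewares(objs)
    findings: List[Tuple[str, str, str]] = []
    for o in objs:
        if o.get("kind") != "IngressRoute":
            continue
        ns, name = o["metadata"]["namespace"], o["metadata"]["name"]
        ref = f"{ns}/{name}"
        spec = o.get("spec", {})
        eps = set(spec.get("entryPoints", []))

        if eps & set(http_entrypoints):
            for i, route in enumerate(spec.get("routes", [])):
                # A middleware reference without a namespace means the IngressRoute's own.
                attached = {f"{m.get('namespace', ns)}/{m['name']}"
                            for m in route.get("middlewares", [])}
                if not attached & redirectors:
                    findings.append((ref, "HTTP_NOT_REDIRECTED",
                                     f"route {i} {route.get('match')} is served in clear "
                                     "text on the HTTP entrypoint with no https redirect"))

        if eps & set(https_entrypoints):
            tls = spec.get("tls")
            if tls is None:
                findings.append((ref, "NO_TLS_CONFIG",
                                 "listed on the HTTPS entrypoint but has no tls section, "
                                 "so this router does not terminate TLS"))
            elif not (tls.get("certResolver") or tls.get("secretName")):
                findings.append((ref, "NO_CERT_SOURCE",
                                 "tls section names neither certResolver nor secretName, "
                                 "so Traefik falls back to its default certificate"))
    return findings


if __name__ == "__main__":
    for finding in audit_ingressroutes([MIDDLEWARE, ROUTE_HTTP_BEFORE, ROUTE_HTTPS]):
        print(*finding)
```

The before state yields one HTTP_NOT_REDIRECTED finding for kube-system/traefik-webui and the after state yields none; deleting the Middleware object while leaving the name in the route brings the finding back, which a name-only check would miss.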

The resource list file used in this article can be obtained here: https://github.com/cnych/kubeapp/tree/master/traefik2/https.

For more usage of Traefik 2.0, you can follow the documentation at https://www.qikqiak.com/traefik-book.
