Configure Traefik LetsEncrypt for Kubernetes [6 Steps]

In this article we cover configuring cert-manager, configuring a Traefik Let's Encrypt issuer, creating a Traefik Let's Encrypt certificate, referencing that certificate in a Traefik Ingress, and pointing a domain name at the Traefik LoadBalancer.

Introduction

This article assumes you have set up a Kubernetes cluster and use the Traefik ingress controller to expose microservices to the outside world.

Traefik is a popular open source edge router/ingress controller used to expose services running inside the cluster to external clients.

The Traefik ingress controller also provides SSL/TLS termination, secret handling, HTTP/2, reverse proxying (for example to expose a REST API) and load balancing.

Prerequisites

  • Kubernetes cluster with at least 1 master and 2 worker nodes
  • Traefik Ingress Controller on Kubernetes

Follow the articles below to set up a Kubernetes cluster:

9 Steps to Setup Kubernetes on AWS using KOPS

How To Setup Kubernetes Cluster Using Kubeadm on Ubuntu 18.04/16.04 LTS

Step #1: Setup Traefik Ingress Controller on Kubernetes Cluster

Once the cluster is ready, set up the Traefik ingress controller on it as shown below.

sudo nano traefik.yml

# Service account the Traefik pod runs as
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress
  namespace: kube-system
---
# Cluster-wide read access Traefik needs to discover Ingresses, their backend
# services and the TLS secrets they reference. Note that this lets the service
# account read every secret in the cluster, so bind it to the Traefik pod only.
kind: ClusterRole
# rbac v1 is served by every cluster version that still serves v1beta1
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: traefik-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress
subjects:
- kind: ServiceAccount
  name: traefik-ingress
  namespace: kube-system
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-ingress
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik:1.7
        name: traefik-ingress-lb
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        args:
        # --api enables the Traefik API/dashboard on port 8080; it has no
        # authentication, so never publish 8080 through the LoadBalancer service
        - --api
        # use the Kubernetes Ingress provider
        - --kubernetes
        - --logLevel=INFO
        - --defaultentrypoints=http,https
        - --entrypoints=Name:https Address::443 TLS
        - --entrypoints=Name:http Address::80
---
# Public LoadBalancer service exposing only ports 80 and 443 of Traefik
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: http
    - protocol: TCP
      port: 443
      name: https
  type: LoadBalancer

Apply the Traefik ingress manifest with kubectl:

kubectl apply -f traefik.yml

Step #2: Configure cert manager

Once the Traefik ingress controller is running on your Kubernetes cluster, install cert-manager with the kubectl command below (Kubernetes 1.16+):

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.1/cert-manager.yaml

For Kubernetes versions older than 1.16:

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.1/cert-manager-legacy.yaml

This installs the cert-manager CRDs and controllers on your k8s cluster.

Step #3: Configure Traefik LetsEncrypt issuer

To configure the Let's Encrypt issuer, open the cert-manager ACME ingress tutorial page, go to the "Configure Let's Encrypt Issuer" section, copy the issuer YAML and adjust it as shown below.

sudo nano letsencrypt-issuer.yml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  # ClusterIssuer is cluster-scoped, so it takes no namespace; Certificates in
  # any namespace (here prod) reference it by name
spec:
  acme:
    # The ACME server URL (production). While testing, use
    # https://acme-staging-v02.api.letsencrypt.org/directory instead so that
    # failed attempts do not count against the production rate limits.
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration (expiry notices are sent here);
    # placeholder, replace with your own address
    email: you@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider: cert-manager creates temporary
    # Ingress rules of class traefik to serve /.well-known/acme-challenge/
    solvers:
    - http01:
        ingress:
          class: traefik

kubectl apply -f letsencrypt-issuer.yml

We have now deployed a Let's Encrypt ClusterIssuer, which cert-manager uses to issue certificates.

Step #4: Creating Traefik Let’s Encrypt Certificate

Now let's create the Let's Encrypt TLS certificate for your microservice.

Modify the Certificate below to match your microservice/domain name:

sudo nano letsencrypt-cert.yml

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: sales.fosstechnix.info
  namespace: prod
spec:
  # Secret cert-manager writes tls.crt and tls.key into; the Ingress in
  # Step #5 must reference exactly this name
  secretName: sales.fosstechnix.info-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: sales.fosstechnix.info
  dnsNames:
  - sales.fosstechnix.info

kubectl apply -f letsencrypt-cert.yml

Once applied, cert-manager requests a Let's Encrypt TLS certificate for the domain sales.fosstechnix.info and stores it in the Kubernetes secret sales.fosstechnix.info-tls.

Check that the certificate has been issued:

kubectl get certificates sales.fosstechnix.info -n prod

Check that the TLS secret holding the Let's Encrypt certificate has been created:

kubectl get secrets sales.fosstechnix.info-tls -n prod
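The two kubectl commands above only tell you that the objects exist. As an added example (not part of the original article), the script below checks what cert-manager actually produced for the ClusterIssuer of Step #3 and the Certificate of Step #4: the Ready conditions, and the leaf certificate inside the secret (hostname match and remaining validity). It assumes kubectl, openssl 1.1.1 or newer and base64 are on PATH, and uses the resource names from the article; the self-signed certificate generator at the end is constructed test input so the checks can be tried without a cluster.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes kubectl, openssl (1.1.1+)
# and base64 on PATH; resource names follow the article (ClusterIssuer
# letsencrypt-prod, Certificate sales.fosstechnix.info, secret
# sales.fosstechnix.info-tls, namespace prod).

# Ready status ("True"/"False") of the ClusterIssuer. Anything but True means the
# ACME account registration failed and no certificate will be issued.
issuer_ready() {
  kubectl get clusterissuer "$1" \
    -o 'jsonpath={.status.conditions[?(@.type=="Ready")].status}'
}

# Ready status of a Certificate ($1) in a namespace ($2).
certificate_ready() {
  kubectl get certificate "$1" -n "$2" \
    -o 'jsonpath={.status.conditions[?(@.type=="Ready")].status}'
}

# Print the PEM leaf certificate stored in a kubernetes.io/tls secret.
fetch_tls_cert() {
  kubectl get secret "$1" -n "$2" -o 'jsonpath={.data.tls\.crt}' | base64 -d
}

# Exit 0 if the PEM certificate on stdin is still valid $1 days from now.
# cert-manager renews Let's Encrypt certificates well before they expire, so a
# failure here means renewal is broken (for example the HTTP-01 challenge no
# longer reaches Traefik).
cert_valid_for_days() {
  openssl x509 -noout -checkend "$(( $1 * 86400 ))" >/dev/null 2>&1
}

# Exit 0 if the PEM certificate on stdin is valid for hostname $1 (CN/SAN match).
cert_matches_host() {
  openssl x509 -noout -checkhost "$1" 2>/dev/null | grep -q 'does match'
}

# Issuer, subject and validity window of the PEM certificate on stdin.
cert_summary() {
  openssl x509 -noout -issuer -subject -dates
}

# All checks against the live cluster; returns non-zero on the first failure.
# $1 = secret name, $2 = namespace, $3 = expected hostname, $4 = minimum days left
verify_issued_cert() {
  pem=$(fetch_tls_cert "$1" "$2") || return 1
  printf '%s\n' "$pem" | cert_matches_host "$3" \
    || { echo "certificate in $1 is not valid for $3" >&2; return 1; }
  printf '%s\n' "$pem" | cert_valid_for_days "$4" \
    || { echo "certificate in $1 expires within $4 days" >&2; return 1; }
  printf '%s\n' "$pem" | cert_summary
}

# Throwaway self-signed certificate for exercising the checks without a cluster
# (constructed test input, not something Let's Encrypt issued).
# $1 = hostname, $2 = validity in days
make_test_cert() {
  tmp=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/key.pem" \
    -out "$tmp/cert.pem" -days "$2" -subj "/CN=$1" \
    -addext "subjectAltName=DNS:$1" >/dev/null 2>&1
  cat "$tmp/cert.pem"
  rm -rf "$tmp"
}
```

Against the real cluster, run `issuer_ready letsencrypt-prod`, `certificate_ready sales.fosstechnix.info prod` and `verify_issued_cert sales.fosstechnix.info-tls prod sales.fosstechnix.info 30`; the last one prints the issuer and validity dates only when the secret really contains a certificate for the domain with at least 30 days left.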

Step #5: Point Traefik LetsEncrypt Certificate in Traefik Ingress

Now reference the generated Let's Encrypt certificate secret in your Kubernetes Traefik Ingress as shown below.

sudo nano traefik-ingress.yml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: prod
  annotations:
    kubernetes.io/ingress.class: traefik
    # tells cert-manager which issuer manages the certificate for the tls hosts
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  rules:
  - host: sales.fosstechnix.info
    http:
      paths:
      - backend:
          serviceName: sales-svcs
          servicePort: 80
  tls:
  - hosts:
    - sales.fosstechnix.info
    # the secret written by the Certificate in Step #4 (same namespace as this Ingress)
    secretName: sales.fosstechnix.info-tls

Here we have referenced the secret sales.fosstechnix.info-tls and added the annotation cert-manager.io/cluster-issuer: letsencrypt-prod.

Note: the secret and the Certificate must be in the same namespace as the Ingress (here prod).

Step #6: Pointing Domain Name to Traefik LoadBalancer

To reach your application in a browser you can either use the LoadBalancer URL directly or point your domain at it by adding a CNAME record with your DNS provider.

Here we have added a CNAME record in GoDaddy for the domain sales.fosstechnix.info.

To find the LoadBalancer URL, check the Traefik ingress Kubernetes service:

kubectl get svc -n kube-system

Output:

NAME                      TYPE           CLUSTER-IP       EXTERNAL-IP                                                                PORT(S)                       AGE
kube-dns                  ClusterIP      100.64.0.10      <none>                                                                     53/UDP,53/TCP                 3h58m
traefik-ingress-service   LoadBalancer   100.64.144.139   ab690ac82863747738f3d98420cd5a6b-2116167598.ap-south-1.elb.amazonaws.com   80:31424/TCP,8080:30361/TCP   3h51m

Finally, open https://sales.fosstechnix.info in a browser: the site is served with the Traefik Let's Encrypt TLS certificate.
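Opening the site in a browser is the author's final check. As an added example (not part of the original article), the script below does the same from the command line: it pulls the LoadBalancer hostname out of the `kubectl get svc` table shown above, checks that the domain's CNAME points at it, and confirms that the certificate actually served on port 443 was issued by Let's Encrypt. It also flags a port that should not be public: the PORT(S) column in the output above lists 8080, which is where Traefik 1.7 serves its unauthenticated API/dashboard when `--api` is set. It assumes kubectl, dig and openssl are on PATH; the sample table is constructed from the article's own output.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes kubectl, dig and
# openssl on PATH; service and namespace names follow the article.

# Print the EXTERNAL-IP column for service $1 from `kubectl get svc` table
# output on stdin (columns: NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE).
lb_hostname_from_table() {
  awk -v svc="$1" '$1 == svc { print $4 }'
}

# Print the PORT(S) column for service $1 from the same table,
# e.g. 80:31424/TCP,8080:30361/TCP
ports_from_table() {
  awk -v svc="$1" '$1 == svc { print $5 }'
}

# Exit 0 if service $1 in the table on stdin publishes port $2. Seeing 8080 on
# the Traefik service means the dashboard is reachable from the internet and
# the port should be removed from the Service definition.
table_exposes_port() {
  ports_from_table "$1" | tr ',' '\n' | grep -q "^$2:"
}

# Live-cluster equivalent of lb_hostname_from_table, using jsonpath instead of
# parsing the human-readable table.
lb_hostname() {
  kubectl get svc "$1" -n "$2" \
    -o 'jsonpath={.status.loadBalancer.ingress[0].hostname}'
}

# Exit 0 if the CNAME record of domain $1 resolves to hostname $2.
dns_points_at() {
  target=$(dig +short CNAME "$1" | sed 's/\.$//')
  [ -n "$target" ] && [ "$target" = "$2" ]
}

# Print the issuer of the certificate served on $1:443. SNI is set so that
# Traefik selects the certificate for this host rather than its default one.
served_cert_issuer() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer
}

# Exit 0 if an issuer line such as "issuer=C = US, O = Let's Encrypt, CN = R3"
# names Let's Encrypt.
issuer_is_letsencrypt() {
  printf '%s\n' "$1" | grep -q "Let's Encrypt"
}

# End-to-end check: $1 = domain, $2 = Traefik service name, $3 = its namespace
check_site() {
  lb=$(lb_hostname "$2" "$3")
  dns_points_at "$1" "$lb" \
    || { echo "$1 does not CNAME to $lb" >&2; return 1; }
  issuer=$(served_cert_issuer "$1")
  issuer_is_letsencrypt "$issuer" \
    || { echo "served certificate is not from Let's Encrypt: $issuer" >&2; return 1; }
  echo "$1 -> $lb, $issuer"
}

# Constructed sample: the `kubectl get svc -n kube-system` output from the article.
SAMPLE_SVC_TABLE='NAME                      TYPE           CLUSTER-IP       EXTERNAL-IP                                                                PORT(S)                       AGE
kube-dns                  ClusterIP      100.64.0.10      <none>                                                                     53/UDP,53/TCP                 3h58m
traefik-ingress-service   LoadBalancer   100.64.144.139   ab690ac82863747738f3d98420cd5a6b-2116167598.ap-south-1.elb.amazonaws.com   80:31424/TCP,8080:30361/TCP   3h51m'
```

With the cluster reachable, `check_site sales.fosstechnix.info traefik-ingress-service kube-system` performs the live check; `printf '%s\n' "$SAMPLE_SVC_TABLE" | table_exposes_port traefik-ingress-service 8080` shows the dashboard-port finding on the sample output without any cluster access.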

Conclusion

We have covered configuring cert-manager, configuring a Traefik Let's Encrypt issuer, creating a Traefik Let's Encrypt certificate, referencing that certificate in a Traefik Ingress, and pointing a domain name at the Traefik LoadBalancer.


Alok Kanakeri

I am Alok Kanakeri, working as a Senior Site Reliability Engineer (Cloud and DevOps). I like to share knowledge.
