In this article we cover configuring cert-manager, configuring a Traefik Let's Encrypt issuer, creating a Traefik Let's Encrypt certificate, referencing that certificate from a Traefik Ingress, and pointing a domain name at the Traefik load balancer.
Introduction
This guide assumes you have set up a Kubernetes cluster and use the Traefik ingress controller to expose microservices to the outside world.
Traefik is an open source and widely used edge router/ingress controller for exposing services running inside a cluster.
The Traefik ingress controller also provides TLS termination, secret handling, HTTP/2, reverse proxying (for example in front of a REST API) and load balancing.
Prerequisite
- Kubernetes cluster with at least 1 master and 2 worker nodes
- Traefik ingress controller on Kubernetes
Follow the articles below to set up a Kubernetes cluster:
9 Steps to Setup Kubernetes on AWS using KOPS
How To Setup Kubernetes Cluster Using Kubeadm on Ubuntu 18.04/16.04 LTS
Step #1: Setup Traefik Ingress Controller on Kubernetes Cluster
Once the cluster is up, set up the Traefik ingress controller on it as shown below.
sudo nano traefik.yml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress
  namespace: kube-system
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress
subjects:
  - kind: ServiceAccount
    name: traefik-ingress
    namespace: kube-system
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-ingress
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      serviceAccountName: traefik-ingress
      terminationGracePeriodSeconds: 60
      containers:
        - image: traefik:1.7
          name: traefik-ingress-lb
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          args:
            - --api
            - --kubernetes
            - --logLevel=INFO
            - --defaultentrypoints=http,https
            - --entrypoints=Name:https Address::443 TLS
            - --entrypoints=Name:http Address::80
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: http
    - protocol: TCP
      port: 443
      name: https
  type: LoadBalancer
Apply the Traefik ingress manifest with kubectl. Note that the --api flag enables Traefik's dashboard and API (port 8080 by default); keep that port off the public load balancer unless it is protected by authentication.
kubectl apply -f traefik.yml
Step #2: Configure cert manager
Once the Traefik ingress controller is running on your Kubernetes cluster, install cert-manager with the kubectl command below (Kubernetes 1.16+):
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.1/cert-manager.yaml
For Kubernetes versions before 1.16:
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.1/cert-manager-legacy.yaml
This installs the cert-manager components (CRDs, controller, webhook and cainjector) on your cluster.
Step #3: Configure Traefik LetsEncrypt issuer
To configure the Let's Encrypt issuer for Traefik, open the cert-manager ACME ingress documentation, go to "Configure Let's Encrypt Issuer", copy the issuer YAML and change it as shown below. A ClusterIssuer is cluster-scoped, so it carries no namespace and can issue certificates for any namespace.
sudo nano letsencrypt-issuer.yml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration (placeholder: replace with your own)
    email: your-email@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider, solved through Traefik ingress resources
    solvers:
      - http01:
          ingress:
            class: traefik
kubectl apply -f letsencrypt-issuer.yml
We have now deployed a Let's Encrypt issuer that cert-manager will use to request certificates.
Step #4: Creating Traefik Let’s Encrypt Certificate
Now let's create a Traefik Let's Encrypt TLS certificate for your microservice.
sudo nano letsencrypt-cert.yml
Modify the certificate below to match your microservice's domain name. The secretName is the Kubernetes Secret cert-manager writes the issued key pair into, and it must match the name the Ingress refers to in the next step.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: sales.fosstechnix.info
  namespace: prod
spec:
  secretName: sales.fosstechnix.info-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: sales.fosstechnix.info
  dnsNames:
    - sales.fosstechnix.info
kubectl apply -f letsencrypt-cert.yml
Once applied, cert-manager requests a Let's Encrypt TLS certificate for the domain sales.fosstechnix.info and stores it in a Kubernetes Secret.
Let's check that the certificate has been created (READY should become True once the HTTP-01 challenge has succeeded):
kubectl get certificates sales.fosstechnix.info -n prod
Let's check the Secret that holds the Traefik Let's Encrypt TLS key pair:
kubectl get secrets sales.fosstechnix.info-tls -n prod
Step #5: Point Traefik LetsEncrypt Certificate in Traefik Ingress
Now reference the generated Let's Encrypt certificate from your Kubernetes Traefik Ingress as shown below.
sudo nano traefik-ingress.yml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: prod
  annotations:
    kubernetes.io/ingress.class: traefik
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  rules:
    - host: sales.fosstechnix.info
      http:
        paths:
          - backend:
              serviceName: sales-svcs
              servicePort: 80
  tls:
    - hosts:
        - sales.fosstechnix.info
      secretName: sales.fosstechnix.info-tls
Here we have referenced the Secret sales.fosstechnix.info-tls and added the annotation cert-manager.io/cluster-issuer: letsencrypt-prod.
Note: the Secret and the Certificate must be in the same namespace as the Ingress; Traefik cannot read a TLS Secret from another namespace, and a name or namespace mismatch is the most common reason the site keeps serving Traefik's default certificate.
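Because the Certificate, its Secret and the Ingress are edited in three separate files, a mismatch (a typo in secretName, or a namespace that differs) is easy to introduce and only shows up as a TLS error in the browser. The script below is an added example, not part of the original article or of cert-manager: it cross-checks a Certificate manifest against the Ingress that references it and reports any mismatch before you run kubectl apply. The sample manifests it writes are constructed to mirror Steps 4 and 5, including a deliberately misspelled secretName variant; the field extraction relies only on the simple indented layout used in this article, not on a full YAML parser.

```shell
#!/bin/sh
# Added example (not from the article): consistency check between a cert-manager
# Certificate manifest and the Ingress that references its TLS Secret.

# yaml_field FILE KEY -> value of the first "KEY: value" line (also matches "- KEY: value")
yaml_field() {
  sed -n "s/^[[:space:]]*-\{0,1\}[[:space:]]*$2:[[:space:]]*\(.*\)$/\1/p" "$1" | head -n 1
}

# yaml_list_items FILE KEY -> the "- item" entries directly under a "KEY:" block
yaml_list_items() {
  awk -v key="$2" '
    $0 ~ "^[ \t]*" key ":[ \t]*$" { inlist = 1; next }
    inlist && /^[ \t]*- / { sub(/^[ \t]*- */, ""); print; next }
    inlist { inlist = 0 }
  ' "$1"
}

# check_cert_ingress CERT_FILE INGRESS_FILE -> 0 if consistent, 1 if any mismatch
check_cert_ingress() {
  cert_ns=$(yaml_field "$1" namespace)
  ing_ns=$(yaml_field "$2" namespace)
  cert_secret=$(yaml_field "$1" secretName)
  ing_secret=$(yaml_field "$2" secretName)
  ing_host=$(yaml_field "$2" host)
  status=0
  if [ "$cert_ns" != "$ing_ns" ]; then
    echo "MISMATCH: Certificate namespace '$cert_ns' != Ingress namespace '$ing_ns'"; status=1
  fi
  if [ "$cert_secret" != "$ing_secret" ]; then
    echo "MISMATCH: Certificate secretName '$cert_secret' != Ingress tls.secretName '$ing_secret'"; status=1
  fi
  if ! yaml_list_items "$1" dnsNames | grep -qxF "$ing_host"; then
    echo "MISMATCH: Ingress host '$ing_host' is not among the Certificate dnsNames"; status=1
  fi
  [ "$status" -eq 0 ] && echo "OK: $2 is consistent with $1"
  return "$status"
}

# write_samples DIR -> constructed manifests mirroring the article's Step 4 and Step 5
write_samples() {
  cat > "$1/cert-ok.yml" <<'EOF'
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: sales.fosstechnix.info
  namespace: prod
spec:
  secretName: sales.fosstechnix.info-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: sales.fosstechnix.info
  dnsNames:
    - sales.fosstechnix.info
EOF
  # Same Certificate with a typo in secretName (".in-tls" instead of ".info-tls"):
  # the Ingress would point at a Secret that cert-manager never writes.
  sed 's/sales.fosstechnix.info-tls/sales.fosstechnix.in-tls/' "$1/cert-ok.yml" > "$1/cert-typo.yml"
  cat > "$1/ingress.yml" <<'EOF'
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: prod
  annotations:
    kubernetes.io/ingress.class: traefik
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  rules:
    - host: sales.fosstechnix.info
      http:
        paths:
          - backend:
              serviceName: sales-svcs
              servicePort: 80
  tls:
    - hosts:
        - sales.fosstechnix.info
      secretName: sales.fosstechnix.info-tls
EOF
}

workdir=$(mktemp -d)
write_samples "$workdir"
check_cert_ingress "$workdir/cert-ok.yml" "$workdir/ingress.yml"
check_cert_ingress "$workdir/cert-typo.yml" "$workdir/ingress.yml" || true
rm -rf "$workdir"
```

Run it against your own letsencrypt-cert.yml and traefik-ingress.yml by calling check_cert_ingress with those two paths; a non-zero exit is a sign to fix the manifests before applying them, and the same check slots into a CI job that lints manifests.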
Step #6: Pointing Domain Name to Traefik LoadBalancer
To reach your application in a browser you can either use the load balancer URL directly or point your domain at it by adding a CNAME record at your DNS provider. The HTTP-01 challenge also requires this: Let's Encrypt must be able to reach http://sales.fosstechnix.info/.well-known/acme-challenge/ through the Traefik load balancer, so the certificate will not become READY until the DNS record resolves.
Here we have added a CNAME record in GoDaddy for the domain sales.fosstechnix.info.
To find the Traefik ingress service's load balancer address, list the services in kube-system:
kubectl get svc -n kube-system
Output:
NAME                      TYPE           CLUSTER-IP       EXTERNAL-IP                                                                PORT(S)                       AGE
kube-dns                  ClusterIP      100.64.0.10      <none>                                                                     53/UDP,53/TCP                 3h58m
traefik-ingress-service   LoadBalancer   100.64.144.139   ab690ac82863747738f3d98420cd5a6b-2116167598.ap-south-1.elb.amazonaws.com   80:31424/TCP,8080:30361/TCP   3h51m
![Configure Traefik LetsEncrypt for Kubernetes [6 Steps] 1](https://www.fosstechnix.com/wp-content/uploads/2020/09/pointing-traefik-ingress-loadbalance-as-cname-1024x378.png)
Finally, the application site is reachable at https://sales.fosstechnix.info with a Traefik-served Let's Encrypt TLS certificate.
Conclusion
We have covered configuring cert-manager, configuring a Traefik Let's Encrypt issuer, creating a Traefik Let's Encrypt certificate, referencing that certificate from a Traefik Ingress, and pointing a domain name at the Traefik load balancer.
Related Articles
Setup nginx ingress controller on kubernetes using helm 3
Kubernetes Concepts for Beginners
4 Steps to Install Kubernetes Dashboard
How to Create New Namespace in Kubernetes
Kubernetes Deployment Using Helm [Part 1]
Deploy to Kubernetes using Helm and GitLab[ Part 2]
Configure Traefik Ingress Controller on Kubernetes [5 Steps]