
Hello and thank you for your time. I will try to explain my experiment. In Kubernetes I have an app deployed. I can reach it with a load balancer, and using Traefik I can reach it via HTTP. I would like to reach it via HTTPS. To achieve that result I am attempting to follow YouTube videos and the Traefik documentation and use cert-manager. I like to work using yml files, but if there is a better way please tell me, since I am learning from practice. I will post all the relevant yml files, hoping that Server Fault gives me enough space to publish them.

#001-role.yml

    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: traefik-role
    rules:
      - apiGroups:
          - ""
        resources:
          - services
          - secrets
          - nodes
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - discovery.k8s.io
        resources:
          - endpointslices
        verbs:
          - list
          - watch
      - apiGroups:
          - extensions
          - networking.k8s.io
        resources:
          - ingresses
          - ingressclasses
        verbs:
          - get
          - list
          - watch
      - apiGroups:
          - extensions
          - networking.k8s.io
        resources:
          - ingresses/status
        verbs:
          - update
      - apiGroups:
          - traefik.io
        resources:
          - middlewares
          - middlewaretcps
          - ingressroutes
          - traefikservices
          - ingressroutetcps
          - ingressrouteudps
          - tlsoptions
          - tlsstores
          - serverstransports
          - serverstransporttcps
        verbs:
          - get
          - list
          - watch

#002-account.yml

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: traefik-account

#003-role-binding.yml

    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1
    metadata:
      name: traefik-role-binding
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: traefik-role
    subjects:
      - kind: ServiceAccount
        name: traefik-account
        namespace: default

#004-traefik.yml

    kind: Deployment
    apiVersion: apps/v1
    metadata:
      name: traefik-deployment
      labels:
        app: traefik
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: traefik
      template:
        metadata:
          labels:
            app: traefik
        spec:
          serviceAccountName: traefik-account
          containers:
            - name: traefik
              image: traefik:v3.2
              args:
                - --api.insecure
                - --providers.kubernetesingress
              ports:
                - name: web
                  containerPort: 80
                - name: dashboard
                  containerPort: 8080

#005-traefik-service.yml

    apiVersion: v1
    kind: Service
    metadata:
      name: traefik-dashboard-service
    spec:
      type: LoadBalancer
      ports:
        - port: 8080
          targetPort: dashboard
      selector:
        app: traefik
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: traefik-web-service
    spec:
      type: LoadBalancer
      ports:
        - targetPort: web
          port: 80
      selector:
        app: traefik

#006-program-frontend-deployment.yml

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      annotations:
        kompose.cmd: kompose convert -f compose.yml
        kompose.version: 1.34.0 (HEAD)
      labels:
        io.kompose.service: program-frontend
      name: program-frontend
    spec:
      replicas: 1
      selector:
        matchLabels:
          io.kompose.service: program-frontend
      template:
        metadata:
          annotations:
            kompose.cmd: kompose convert -f compose.yml
            kompose.version: 1.34.0 (HEAD)
          labels:
            io.kompose.service: program-frontend
        spec:
          containers:
            - env:
                - name: API_GATEWAY_BASE_URL
                  value: http://edge-thinghy:9000
              image: program-image
              name: program-frontend
              ports:
                - name: program-frontend
                  containerPort: 3000
                  protocol: TCP
          imagePullSecrets:
            - name: ghcr-secret
          restartPolicy: Always

#007-program-frontend-service.yml

    apiVersion: v1
    kind: Service
    metadata:
      annotations:
        kompose.cmd: kompose convert -f compose.yml
        kompose.version: 1.34.0 (HEAD)
      labels:
        io.kompose.service: program-frontend
      name: program-frontend
    spec:
      ports:
        - name: program-frontend
          protocol: TCP
          port: 3000
          targetPort: program-frontend
      selector:
        io.kompose.service: program-frontend

#008-edit-program-service.yml

    apiVersion: v1
    kind: Service
    metadata:
      name: program-frontend
    spec:
      ports:
        - name: program-frontend
          port: 80
          targetPort: 3000
      selector:
        io.kompose.service: program-frontend

#009-program-ingress.yml

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: program-ingress
    spec:
      rules:
        - http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: program-frontend
                    port:
                      name: program-frontend

#010-challenge.yml

    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: program-challenge
      namespace: default
    spec:
      acme:
        email: my-mail@my.domain
        server: https://acme-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          name: program-issuer-account-key
        solvers:
          - http01:
              ingress:
                class: traefik

#011-ingress-rule.yml

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: program-ssl-ingress
      namespace: default
      annotations:
        cert-manager.io/issuer: "program-challenge"
    spec:
      tls:
        - hosts:
            - program-demo.example.domain
          secretName: tls-program-ingress-http
      rules:
        - host: program-demo.example.domain
          http:
            paths:
              - path: /
                pathType: Prefix
                backend:
                  service:
                    name: program-frontend
                    port:
                      name: program-frontend

#012-redirect-http-to-https.yml

    apiVersion: traefik.io/v1alpha1
    kind: Middleware
    metadata:
      name: program-frontend-redirect
    spec:
      redirectScheme:
        scheme: https
        permanent: true

If I understood correctly, at that point I should be able to reach https://program-demo.example.domain, but I am reaching only http://program-demo.example.domain. Did I misread something in the documentation? Is something wrong in my reasoning? Thank you for your time in advance.

Malkavian

1 Answer


For setting up HTTPS for your Kubernetes app using Traefik as the Ingress controller and cert-manager for automatic SSL certificates, you can try installing the Helm chart (Helm is a package manager for Kubernetes). Below is an example of how to install it.

    helm repo add traefik https://helm.traefik.io/traefik
    helm install traefik traefik/traefik --set ingressClass.enabled=true

As per this documentation, when a TLS section is included, Traefik is told that the router is only going to handle HTTPS requests and that HTTP (non-TLS) requests should be ignored. In order to provide decrypted data to the services, Traefik will stop using the SSL connections.

Additionally, go through this community link, which will be helpful for your issue.