
Traefik is a reverse proxy and load balancer that makes deploying microservices easy. It can be deployed into existing infrastructure and configured dynamically: we only need to point it at our orchestrator. Its middleware feature lets us tweak requests before they reach a backend. The release of Traefik v2 added many features.
Some of these features are:
- Middlewares
- IngressRoutes(CRDs in Kubernetes)
In this blog, I will use the Traefik ingress controller to allow traffic into the pods in a Kubernetes cluster, and I will use middlewares to enforce TLS. I will expose a sample nginx deployment over HTTPS. You can use any deployment of your choice.
Prerequisites
- Kubernetes Cluster (1.14+)
- Helm v3
I will also be using cert-manager to generate self-signed certificates. Basic knowledge of cert-manager will be helpful.
Deploy cert-manager
To deploy Cert-Manager, use the following command:
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager \
  --create-namespace \
  --set installCRDs=true
Deploy Traefik-v2
To deploy Traefik-v2, use the following command:
helm repo add traefik https://helm.traefik.io/traefik
helm repo update
helm install traefik traefik/traefik --namespace traefik-ingress \
  --create-namespace \
  --set ingressRoute.dashboard.enabled=false \
  --set ingressClass.enabled=true
Creating a sample nginx deployment
To create a sample nginx deployment and service, run the following commands:
# Create the nginx deployment
kubectl create deploy nginx --image=nginx -o yaml
# Expose the nginx deployment with a ClusterIP service
kubectl expose deploy nginx --type=ClusterIP --port=80
Generating a self-signed TLS certificate using cert-manager
We will first deploy a ClusterIssuer, which will sign the certificates.
# ClusterIssuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: self-signed-ca
spec:
  selfSigned: {}
Deploy the yaml using the command:
kubectl apply -f ClusterIssuer.yaml
Now we will deploy a Certificate; cert-manager will issue it and store the result in a TLS secret.
# Certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: nginx-tls
spec:
  commonName: "*.traefik.com"
  isCA: false
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: self-signed-ca
  secretName: nginx-tls
  dnsNames:
    - "*.traefik.com"
Apply the Certificate.yaml using the command:
kubectl apply -f Certificate.yaml
A secret of type kubernetes.io/tls named nginx-tls will be created. We will use this TLS certificate with the ingress.
Creating a Middleware
We will need to create a middleware. This middleware will redirect any HTTP traffic to HTTPS.
# https-redirect.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: nginx-https
spec:
  redirectScheme:
    scheme: https
    permanent: true
    port: "443"
Creating an Ingress Route to expose the nginx
We will need two IngressRoutes. One listens on the web entry point (HTTP port 80) and applies the middleware, so every plain-HTTP request is redirected to HTTPS on port 443 before it reaches the backend. The other listens on the websecure entry point (port 443) and routes the traffic to the backend nginx service.
# This ingress route listens on port 80 and redirects to HTTPS
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nginx-http
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`nginx.traefik.com`) && PathPrefix(`/`)
      kind: Rule
      # The name of the middleware which modifies the request
      middlewares:
        - name: nginx-https
      services:
        - name: nginx
          kind: Service
          port: 80
---
# The ingress route listening on port 443
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: nginx-https
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`nginx.traefik.com`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: nginx
          kind: Service
          port: 80
  tls:
    secretName: nginx-tls
Now add a DNS entry that maps nginx.traefik.com to the Traefik load balancer address. Opening the host in a browser shows the nginx welcome page over HTTPS.
Creating Ingress Resource to expose nginx
In the same way, we can use two Ingress resources. One listens on HTTP and redirects the requests to HTTPS; the other listens on HTTPS.
# This Ingress listens on http port
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ing-http
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
    # This is the name of the middleware of the form <namespace>-<middleware_name>@kubernetescrd
    traefik.ingress.kubernetes.io/router.middlewares: default-nginx-https@kubernetescrd
    # ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: traefik
  rules:
    - host: nginx2.traefik.com
      http:
        paths:
          - backend:
              service:
                name: nginx
                port:
                  number: 80
            path: /
            pathType: ImplementationSpecific
---
# This ingress listens on websecure or https
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-ing-https
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  ingressClassName: traefik
  rules:
    - host: nginx2.traefik.com
      http:
        paths:
          - backend:
              service:
                name: nginx
                port:
                  number: 80
            path: /
            pathType: ImplementationSpecific
  tls:
    - hosts:
        - "*.traefik.com"
      secretName: nginx-tls
Now add a DNS entry that maps nginx2.traefik.com to the Traefik service load balancer address. Opening the host in a browser shows the nginx welcome page over HTTPS.
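To confirm the enforcement end-to-end for either variant (nginx.traefik.com via IngressRoute, nginx2.traefik.com via Ingress), here is an added check script that is not part of the original post. It assumes the Traefik service is named traefik in the traefik-ingress namespace (as installed above), that the nginx-tls secret is in the current namespace, and that LB_IP, if set, holds the load balancer address; curl's --resolve option lets you run the check before the DNS entry exists.

```shell
#!/bin/sh
# Added verification script (not from the original post). Assumptions:
# Traefik service "traefik" in namespace "traefik-ingress", secret
# "nginx-tls" in the current namespace, LB_IP optionally pre-set.

# Pass/fail check on a raw HTTP response header block: the plain-HTTP
# entry point must answer with a permanent redirect (301, or 308 for
# non-GET) whose Location is the same host and path over https.
# Returns 0 when the redirect is correct, 1 otherwise.
check_redirect() {
  headers="$1"; host="$2"; path="$3"
  status=$(printf '%s\n' "$headers" | head -n 1 | awk '{print $2}')
  location=$(printf '%s\n' "$headers" | tr -d '\r' \
             | awk 'tolower($1)=="location:" {print $2}')
  case "$status" in 301|308) ;; *) return 1 ;; esac
  # Traefik omits the default port; accept an explicit :443 as well
  case "$location" in
    "https://${host}${path}"|"https://${host}:443${path}") return 0 ;;
    *) return 1 ;;
  esac
}

# Live check against the cluster: fetch the HTTP headers with --resolve,
# then verify HTTPS against the cert-manager issued certificate pulled
# from the nginx-tls secret instead of disabling verification with -k.
verify_live() {
  host="$1"
  lb_ip="${LB_IP:-$(kubectl -n traefik-ingress get svc traefik \
      -o jsonpath='{.status.loadBalancer.ingress[0].ip}')}"
  http_headers=$(curl -sS -o /dev/null -D - \
      --resolve "${host}:80:${lb_ip}" "http://${host}/")
  check_redirect "$http_headers" "$host" "/" \
    || { echo "FAIL: HTTP on ${host} is not redirected to HTTPS"; return 1; }
  kubectl get secret nginx-tls -o jsonpath='{.data.tls\.crt}' \
    | base64 -d > nginx-tls.crt
  curl -sS -o /dev/null --cacert nginx-tls.crt \
      --resolve "${host}:443:${lb_ip}" "https://${host}/" \
    || { echo "FAIL: HTTPS on ${host} did not verify against nginx-tls"; return 1; }
  echo "OK: TLS enforcement verified for ${host}"
}

# Usage: sh check_tls.sh nginx.traefik.com   (or nginx2.traefik.com)
if [ $# -ge 1 ]; then
  verify_live "$1"
fi
```

Because the certificate is self-signed, the HTTPS step trusts it explicitly via --cacert; a router that serves the wrong certificate or none at all fails the check rather than being silently accepted.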
Conclusion
In this blog, you have learned how to enforce TLS using the Traefik reverse proxy and its middleware feature. This can be used to expose services in a Kubernetes cluster over TLS only.