Traefik Kubernetes Advanced Configuration

Overview

Here are some advanced configurations for Traefik.

Create Default TLS Store

When using Traefik, we want secure entrypoints to serve our own default certificate rather than Traefik's self-generated default certificate. To do this, we create a Kubernetes secret containing the certificate and private key, then create a TLSStore manifest that points Traefik at that secret for the certificate details.

Navigate to the directory where the certificate and private key are located, and run the following command:

kubectl create secret generic weepynet-wildcard-cert --from-file=tls.crt=star.weepynet.com.crt --from-file=tls.key=star.weepynet.com.key

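weepynet-wildcard-cert is the secret name referenced in the TLS store configuration, so it's best to make this name meaningful and clear. The command creates the secret in the current kubectl namespace, which must be the namespace of the TLSStore (default in the manifest below).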

Now that the secret has been created, we can create the TLS store for Traefik:

default-tls-store.yaml

---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: default
spec:
  defaultCertificate:
    secretName: weepynet-wildcard-cert

We then apply this configuration to Traefik:

kubectl apply -f default-tls-store.yaml

Redirect http to https middleware

In most cases, we want to automatically upgrade a user's connection from http to https. Traefik's redirectScheme middleware does this, and we define it with the following configuration:

middleware-redirect-https.yaml

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
  namespace: default
spec:
  redirectScheme:
    scheme: https
    permanent: true
    port: "443"

We apply this configuration to the cluster:

kubectl apply -f middleware-redirect-https.yaml

To use this middleware, we need to ensure the following:

  • Traefik has entrypoints defined for both web and websecure
  • The middleware is referenced in the IngressRoute manifest

Here's an example IngressRoute:

pgadmin-ingress.yaml

---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: pgadmin-ingress
  namespace: default
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`pgadmin.weepynet.com`)
      kind: Rule
      services:
        - name: pgadmin-service
          port: 80
      middlewares:
        - name: redirect-https

Applying this IngressRoute redirects any request that arrives on the web entrypoint to the websecure entrypoint, forcing the session onto https.
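
To confirm the redirect from outside the cluster, the check below is an added example, not part of the original page. The function names check_redirect and sample_headers are hypothetical and the sample response is constructed; it verifies that the response is a permanent redirect and that the Location header stays on the expected host.

```sh
#!/bin/sh
# Added example: verify what the redirect-https middleware returns on the
# web entrypoint. Function names are hypothetical, not part of Traefik.

# check_redirect HOST
# Reads raw HTTP response headers on stdin (as printed by `curl -sI`) and
# succeeds only for a permanent redirect whose Location is https://HOST.
check_redirect() {
    host="$1"
    awk -v host="$host" '
        { sub(/\r$/, "") }                          # HTTP headers end in CRLF
        NR == 1 { status = $2; next }               # e.g. "HTTP/1.1 308 Permanent Redirect"
        tolower($1) == "location:" { loc = $2 }     # HTTP/2 sends lowercase names
        END {
            # permanent: true should give a permanent redirect: 301, or 308
            # (which preserves the request method). 302/307 mean it is not set.
            if (status != "301" && status != "308") {
                print "FAIL: status " status; exit 1
            }
            # The target must be https on the same host. The character after
            # the host must end it, so pgadmin.weepynet.com.example.net fails.
            prefix = "https://" host
            rest = substr(loc, length(prefix) + 1)
            if (substr(loc, 1, length(prefix)) != prefix ||
                (rest != "" && rest !~ "^[/:?]")) {
                print "FAIL: Location " loc; exit 1
            }
            print "OK: " status " -> " loc
        }'
}

# Constructed sample response, so the check can be exercised offline.
sample_headers() {
    printf 'HTTP/1.1 308 Permanent Redirect\r\n'
    printf 'Location: https://pgadmin.weepynet.com/\r\n'
    printf 'Content-Type: text/plain; charset=utf-8\r\n\r\n'
}

sample_headers | check_redirect pgadmin.weepynet.com

# Live use against the route on this page (needs access to the web entrypoint):
#   curl -sI http://pgadmin.weepynet.com/ | check_redirect pgadmin.weepynet.com
```

A FAIL with status 200 or 404 on the web entrypoint usually means the route is served without the middleware attached.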