I run Kubernetes at home. Yeah, I’ve said it. It’s out there now.
Now we’re past that, here’s how to convince traefik to talk nicely to an HTTPS backend server, in this case a test instance of GoatNS. I use Terraform for my configuration management and k3s to build/control the platform, with its built-in traefik for routing traffic.
I’ve got a deployment set up, exposing port 4443 from the container, and using cert-manager.io to issue certificates from Let's Encrypt. They’re mounted in the container, and the container responds to HTTPS requests with that certificate. The aim is for traefik to terminate the public TLS connection, then open a second, verified TLS connection to the pod rather than falling back to plain HTTP inside the cluster.
Then we add a ServersTransport object, which configures how traefik connects to the backend. serverName is the name traefik sends as SNI and verifies the backend’s certificate against, so it has to match a SAN on the certificate the container serves (here the Let's Encrypt one); since that certificate chains to a public root, no extra CA configuration is needed.
```hcl
resource "kubernetes_manifest" "goatns_serverstransport" {
  manifest = {
    "apiVersion" = "traefik.containo.us/v1alpha1"
    "kind"       = "ServersTransport"
    "metadata" = {
      "name"      = "goatnstransport"
      "namespace" = "goatns"
    }
    "spec" = {
      # SNI sent to the pod, and the hostname its certificate is checked against.
      "serverName" = "goatns.example.com"
    }
  }
}
```
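If the backend certificate came from a private CA instead of Let's Encrypt, the temptation is to set insecureSkipVerify, which turns off certificate verification on that transport entirely and lets anything that can answer on the pod network impersonate the backend. The right move is to hand traefik the CA via rootCAsSecrets. Here is what that looks like, as an added example rather than the original post’s config; the Secret name goatns-backend-ca, the backend-ca.pem path and the transport name goatnstransport-privateca are assumptions:

```hcl
# Added example, not part of the original post. Names and the CA file path are
# assumptions; the namespace "goatns" and apiVersion follow the post.

resource "kubernetes_secret" "goatns_backend_ca" {
  metadata {
    name      = "goatns-backend-ca"
    namespace = "goatns"
  }
  # Traefik's kubernetescrd provider reads the CA bundle from the "tls.ca" or
  # "ca.crt" key of the referenced Secret. The provider base64-encodes `data`.
  data = {
    "ca.crt" = file("${path.module}/backend-ca.pem") # assumed location of the CA PEM
  }
}

resource "kubernetes_manifest" "goatns_serverstransport_privateca" {
  manifest = {
    "apiVersion" = "traefik.containo.us/v1alpha1"
    "kind"       = "ServersTransport"
    "metadata" = {
      "name"      = "goatnstransport-privateca"
      "namespace" = "goatns"
    }
    "spec" = {
      # SNI sent to the backend and the name its certificate is verified against;
      # it must appear as a SAN on the certificate the private CA issued.
      "serverName" = "goatns.example.com"

      # Trust store for this transport. Note this *replaces* the system roots for
      # these connections, so only certificates chaining to this CA are accepted.
      "rootCAsSecrets" = [kubernetes_secret.goatns_backend_ca.metadata[0].name]

      # Deliberately absent. Setting it would disable verification altogether:
      # "insecureSkipVerify" = true
    }
  }
}
```

A Service referencing this transport would use the annotation value goatns-goatnstransport-privateca@kubernetescrd, following the namespace-name naming the kubernetescrd provider uses.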
Now I set up the ingress, which tells traefik “hey, this request connects to that service”. The backend’s service name and port have to match the Service defined below (goatns-web on 4443), otherwise traefik has nothing to route to:
```hcl
resource "kubernetes_ingress_v1" "goatns" {
  metadata {
    name      = "goatns"
    namespace = "goatns"
    annotations = {
      "kubernetes.io/ingress.class"                                 = "traefik"
      "cert-manager.io/cluster-issuer"                              = "letsencrypt-prod"
      "traefik.ingress.kubernetes.io/loadBalancer.serversTransport" = "goatnstransport"
    }
  }
  spec {
    rule {
      host = "goatns.example.com"
      http {
        path {
          path      = "/"
          path_type = "Prefix"
          backend {
            service {
              # Must match the Service below: name goatns-web, port 4443.
              name = "goatns-web"
              port {
                number = 4443
              }
            }
          }
        }
      }
    }
    # Public-facing certificate, issued by cert-manager into this Secret.
    tls {
      secret_name = "goatns.example.com"
      hosts = [
        "goatns.example.com"
      ]
    }
  }
}
```
Then we configure the Service, and attach the ServersTransport with the traefik.ingress.kubernetes.io/service.serverstransport annotation. The value uses the format <namespace>-<name>@kubernetescrd, the same naming the kubernetescrd provider uses for middlewares, as documented in traefik’s Kubernetes Ingress annotations reference. So for a ServersTransport called goatnstransport in the goatns namespace the value is goatns-goatnstransport@kubernetescrd. The serversscheme annotation set to https is what actually makes traefik speak TLS to the pod, and passhostheader keeps the original Host header so the backend sees goatns.example.com rather than the pod address.
```hcl
resource "kubernetes_service" "goatns_web" {
  metadata {
    name      = "goatns-web"
    namespace = kubernetes_namespace.goatns.metadata[0].name
    annotations = {
      # <namespace>-<name>@kubernetescrd
      "traefik.ingress.kubernetes.io/service.serverstransport" = "goatns-goatnstransport@kubernetescrd"
      "traefik.ingress.kubernetes.io/service.passhostheader"   = "true"
      # Without this traefik would connect to the pod over plain HTTP.
      "traefik.ingress.kubernetes.io/service.serversscheme"    = "https"
    }
  }
  spec {
    selector = {
      "k8s-app" = kubernetes_deployment.goatns.metadata[0].labels["k8s-app"]
    }
    session_affinity = "ClientIP"
    port {
      port        = 4443
      target_port = 4443
      protocol    = "TCP"
    }
  }
}
```