When services are deployed to kubernetes, it is necessary to configure how to expose and redirect traffic to them from outside the cluster.
In this blog post I will show you how you can set up Traefik ingress routers to redirect HTTP traffic to HTTPS.
This post assumes you have Traefik deployed in your cluster with the kubernetes ingress and kubernetescrd provider, as well as the TLS certificate you want to use loaded on to it.
Ensure you have entrypoints defined in your kubernetes deployment, with ports 80 and 443 defined for web and websecure traffic respectively.
EntryPoints are the network entry points into Traefik. They define the port which will receive the packets, and whether to listen for TCP or UDP.
Deploy first router
In order to have Traefik listen to requests on HTTPS, you'll need to include a TLS section in your ingress definition. Here is an example definition of our first router:
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
name: traefik-ingress
namespace: example
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
rules:
- host: websecure.example.io
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: ImplementationSpecific
tls:
- hosts:
- websecure.example.io
We incorporate the traefik.ingress.kubernetes.io/router.entrypoints
annotation with value websecure
only.
However, as per the Traefik documentation, this will instruct our router to ignore HTTP (non TLS) requests.
We want to have our service listen on both HTTP and HTTPS. To do this we'll need to deploy a second router dedicated to HTTP traffic, but first let's have a look at Middleware.
Middleware
The documentation explains it well, so I'll just copy the definition here:
Attached to the routers, pieces of middleware are a means of tweaking the requests before they are sent to your service (or before the answer from the services are sent to the clients).
That sounds good, we want to redirect all HTTP requests to HTTPS, so lets deploy the Middleware:
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: redirect
namespace: example
spec:
redirectScheme:
scheme: https
permanent: true
Now we need to attach this to our HTTP router, so let's proceed with it's creation.
Deploy second router
Here is the definition for our second router:
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress-redirect
namespace: example
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
traefik.ingress.kubernetes.io/router.middlewares: example-redirect@kubernetescrd
spec:
rules:
- host: websecure.example.io
http:
paths:
- backend:
service:
name: example
port:
number: 80
path: /
pathType: ImplementationSpecific
We specify the entrypoint as web this time as it will listen for HTTP requests only.
Our middleware is attached with the traefik.ingress.kubernetes.io/router.middlewares
annotation.
The value we associate is in the format <namespace>-<middleware-name>@kubernetescrd
By doing this we also avoid global redirection for all our other services in the cluster
Great, I hope that helps with how you can redirect requests from outside your kubernetes cluster into your services.