
Secure Your Kubernetes Application with SSL: A Step-by-Step Guide Using Traefik and Cert Manager

How to Secure Your Application with SSL Using Traefik and Cert Manager on Kubernetes

Hello there! If you’re diving into the world of Kubernetes and looking to enhance your application’s security with SSL, you’ve come to the right place. Deploying Traefik as your ingress controller alongside Cert Manager can help you achieve this seamlessly. In this guide, we’ll walk through the steps to set up Traefik and Cert Manager in your Kubernetes environment, ensuring your applications are not only accessible but also secure.

Before we jump into the setup process, let’s briefly discuss what Traefik and Cert Manager are. Traefik is a modern HTTP reverse proxy and load balancer that makes deploying microservices easy. It integrates with your container orchestrators and automatically discovers services, making it a popular choice among Kubernetes users. On the other hand, Cert Manager is a powerful tool that automates the management of SSL/TLS certificates in Kubernetes, allowing you to secure your applications easily.

Step 1: Setting Up Traefik in Kubernetes

To get started, you need to deploy Traefik in your Kubernetes cluster. You can do this using Helm, which is a package manager for Kubernetes. If you haven’t installed Helm yet, you can find instructions on their official website. Once you have Helm set up, you can deploy Traefik using the following commands:

helm repo add traefik https://helm.traefik.io/traefik
helm repo update
kubectl create namespace traefik
helm install traefik traefik/traefik --namespace traefik

After running these commands, you can verify that Traefik is running by checking the pods in the Traefik namespace:

kubectl get pods -n traefik

Step 2: Installing Cert Manager

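Now that Traefik is up and running, let’s install Cert Manager. A Helm chart is available for it as well, but the command below applies the project’s release manifest directly with kubectl. Note that the `latest` URL installs whichever release is current when you run it, and `--validate=false` turns off kubectl’s schema validation of the manifest; for a reproducible install, use the URL of a specific release you have reviewed.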

kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml

To verify that Cert Manager is installed correctly, you can check its pods:

kubectl get pods --namespace cert-manager

Step 3: Configuring Certificate Issuers

With both Traefik and Cert Manager installed, the next step is to set up a Certificate Issuer. This issuer defines how certificates will be obtained. Here’s an example of a ClusterIssuer using Let’s Encrypt:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # You will need to change this to your own email address
    email: your-email@example.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: traefik

Apply this configuration to your cluster by saving it to a file called `cluster-issuer.yaml` and running:

kubectl apply -f cluster-issuer.yaml

Step 4: Protecting Your Application with SSL

Now that you have your ClusterIssuer set up, you can create a Certificate resource that requests a certificate for your application. Here’s an example configuration:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: myapp-cert
  namespace: your-app-namespace
spec:
  secretName: myapp-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: yourdomain.com
  dnsNames:
  - yourdomain.com
  - www.yourdomain.com

After applying this configuration, Cert Manager will automatically request a certificate from Let’s Encrypt for your specified domain. You can check the status of the certificate with:

kubectl describe certificate myapp-cert -n your-app-namespace

Step 5: Configuring Traefik to Use the Certificate

Finally, you need to configure Traefik to use the newly created TLS secret. Here’s an example of an Ingress resource that utilizes the SSL certificate:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-ingress
  namespace: your-app-namespace
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
  - secretName: myapp-tls
  rules:
  - host: yourdomain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: your-app-service
            port:
              number: 80

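With this Ingress configuration, Traefik terminates TLS on its `websecure` entrypoint using the certificate stored in the `myapp-tls` secret and forwards requests for yourdomain.com to your-app-service on port 80. Traffic between your users and Traefik is encrypted; the hop from Traefik to the service is plain HTTP inside the cluster.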
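To confirm the result of Step 5, the script below inspects the certificate Traefik actually serves and checks its issuer and the dnsNames requested in Step 4. It is an added example, not part of the original guide; the function names are illustrative, and it assumes OpenSSL 1.1.1 or newer.

```bash
#!/usr/bin/env bash
# Added example. Assumes OpenSSL 1.1.1+ (for `x509 -ext`) and a reachable host.

# Print subject, issuer, expiry and SANs of the certificate served for host $1.
fetch_cert_text() {
  local host=$1
  openssl s_client -connect "${host}:443" -servername "$host" </dev/null 2>/dev/null |
    openssl x509 -noout -subject -issuer -enddate -ext subjectAltName
}

# Read that text on stdin. $1 is a string the issuer line must contain,
# the remaining arguments are the dnsNames from the Certificate resource.
# Prints one line per problem and returns 0 only when there are none.
check_cert_text() {
  local issuer=$1 text sans name rc=0
  shift
  text=$(cat)
  if [ -z "$text" ]; then
    echo "FAIL: no certificate received"
    return 1
  fi
  # Traefik falls back to its own self-signed certificate when no TLS
  # secret matches the requested host.
  if printf '%s\n' "$text" | grep -q 'TRAEFIK DEFAULT CERT'; then
    echo "FAIL: Traefik default certificate served; check the myapp-tls secret"
    rc=1
  elif ! printf '%s\n' "$text" | grep -i '^issuer' | grep -Fq -- "$issuer"; then
    echo "FAIL: issuer does not contain '${issuer}'"
    rc=1
  fi
  # One SAN entry per line, so each name must match exactly
  # (yourdomain.com must not be satisfied by yourdomain.com.au).
  sans=$(printf '%s\n' "$text" | grep 'DNS:' | tr ',' '\n' | tr -d ' ')
  for name in "$@"; do
    if ! printf '%s\n' "$sans" | grep -Fxq -- "DNS:${name}"; then
      echo "FAIL: ${name} missing from subjectAltName"
      rc=1
    fi
  done
  return "$rc"
}

# Usage against the hosts from the Ingress above:
#   fetch_cert_text yourdomain.com |
#     check_cert_text "Let's Encrypt" yourdomain.com www.yourdomain.com
```

A failure that names the default certificate usually means the Certificate is not yet Ready or the Ingress references a secret name that does not exist in its namespace.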

Conclusion

Congratulations! You’ve successfully set up Traefik and Cert Manager to protect your application with SSL on Kubernetes. This configuration not only enhances your application’s security but also simplifies the management of SSL certificates. If you want to dive deeper into Kubernetes, Traefik, or Cert Manager, feel free to explore more articles on our site. Happy coding!
