# TLS

How to add TLS certificates to HTTPS ingress resources.
## Generate Certificate Files

The following command will generate `tls.crt` and `tls.key` files that can then be imported into Kubernetes.

Interactive:

```shell
openssl req \
  -newkey rsa:2048 -nodes -keyout tls.key \
  -x509 -days 365 -out tls.crt
```

Non-interactive:

```shell
# This variant writes www.example.com.key and www.example.com.cert; rename them
# to tls.key and tls.crt (or change -keyout/-out) before the steps below.
# Browsers ignore the CN, so with OpenSSL 1.1.1+ also add
#   -addext "subjectAltName=DNS:www.example.com"
openssl req -new -newkey rsa:4096 -days 365 -nodes -x509 \
  -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=www.example.com" \
  -keyout www.example.com.key -out www.example.com.cert
```
## Generate Secret Resource from Certificate

You can then import the certificates into Kubernetes as a secret.

```shell
kubectl create secret generic traefik-cert \
  --from-file=tls.crt \
  --from-file=tls.key
```

Optionally, you can export the secret to a yaml file to save in the repo. Secrets are namespaced: the Traefik Deployment below needs `traefik-cert` in its own namespace (`kube-system`), while an Ingress needs it in the Ingress's namespace (`kubernetes-dashboard` here).

```shell
kubectl create secret generic traefik-cert \
  --from-file=tls.crt \
  --from-file=tls.key \
  --dry-run=client -n kubernetes-dashboard -o yaml \
  | tee traefik-cert-secret.yaml
```

You can also encrypt the secret using SOPS before pushing it to the repo.

```shell
sops --encrypt --in-place traefik-cert-secret.yaml
```
## Optional

You can optionally back up the certificate to a password manager such as `pass`.

### Backup Certificate to pass

```shell
pass insert -fm tls/crt < tls.crt
pass insert -fm tls/key < tls.key
```

Note: `tls/crt` and `tls/key` are the `pass` entries.

### Generate the Secret Resource from pass

You can also then create the secret resource file using the certificate from `pass`.

```shell
# The data key must be tls.crt (not tls.cert) to match /ssl/tls.crt in the Traefik config.
kubectl create secret generic traefik-cert \
  --from-literal=tls.crt="$(pass tls/crt)" \
  --from-literal=tls.key="$(pass tls/key)" \
  --dry-run=client -n kubernetes-dashboard -o yaml \
  | tee traefik-cert-secret.yaml
```
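Before applying or committing the exported `traefik-cert-secret.yaml` (from either the `--from-file` or the `pass` variant), it is worth checking the manifest for the mistakes that break the `/ssl` mount silently: a wrong data key, non-PEM contents, a passphrase-protected key, or the wrong namespace. The following Python script is an added example, not part of the original page; it assumes the secret was exported with `-o json` instead of `-o yaml` (the standard library has no YAML parser) and uses constructed sample manifests in place of real certificate data.

```python
"""Pre-flight check for a TLS Secret manifest, run before it is applied or committed.
Flags what silently breaks Traefik's /ssl mount: wrong data keys (tls.cert instead of
tls.crt), non-PEM contents, a passphrase-protected key, or the wrong namespace."""
import base64
import json

REQUIRED_KEYS = ("tls.crt", "tls.key")
PEM_HEADERS = {
    "tls.crt": ("-----BEGIN CERTIFICATE-----",),
    "tls.key": ("-----BEGIN PRIVATE KEY-----", "-----BEGIN RSA PRIVATE KEY-----",
                "-----BEGIN EC PRIVATE KEY-----"),
}


def check_tls_secret(manifest_json: str, expected_ns: str) -> list[str]:
    """Return the problems found in a `kubectl ... -o json` Secret; [] means usable."""
    manifest = json.loads(manifest_json)
    problems = []
    ns = manifest.get("metadata", {}).get("namespace")
    if ns != expected_ns:  # Secrets are namespaced; Traefik and the Ingress only see their own
        problems.append(f"namespace is {ns!r}, expected {expected_ns!r}")
    data = manifest.get("data", {})
    for key in REQUIRED_KEYS:
        if key not in data:
            problems.append(f"missing data key {key!r} (found {sorted(data)})")
            continue
        try:  # kubectl stores file contents base64-encoded under .data
            pem = base64.b64decode(data[key], validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            problems.append(f"{key}: not base64-encoded text")
            continue
        first = pem.strip().splitlines()[0] if pem.strip() else ""
        # Traefik cannot prompt for a passphrase: the key must be unencrypted (-nodes)
        if key == "tls.key" and ("ENCRYPTED" in first or "Proc-Type: 4,ENCRYPTED" in pem):
            problems.append("tls.key: private key is passphrase-protected")
        elif first not in PEM_HEADERS[key]:
            problems.append(f"{key}: unexpected PEM header {first!r}")
    return problems


def sample_manifest(cert_key: str, namespace: str) -> str:
    """Constructed stand-in for `kubectl create secret generic traefik-cert ... -o json`."""
    def b64(text: str) -> str:
        return base64.b64encode(text.encode()).decode()
    return json.dumps({
        "apiVersion": "v1", "kind": "Secret",
        "metadata": {"name": "traefik-cert", "namespace": namespace},
        "data": {cert_key: b64("-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"),
                 "tls.key": b64("-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n")},
    })
```

Running `check_tls_secret(sample_manifest("tls.cert", "kubernetes-dashboard"), "kubernetes-dashboard")` reports the missing `tls.crt` key, while the `tls.crt` variant returns an empty list.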
## Configure Traefik

You need to configure Traefik to reference the new secret.

### ConfigMap

Edit the Traefik ConfigMap.

```shell
kubectl edit configmap traefik -n kube-system
```

Todo: Patch the existing CM instead.

```yaml
...
data:
  traefik.toml: |
    defaultEntryPoints = ["http","https"]
    [entryPoints]
      [entryPoints.http]
      address = ":80"
        [entryPoints.http.redirect]
        entryPoint = "https"
      [entryPoints.https]
      address = ":443"
        [entryPoints.https.tls]
          [[entryPoints.https.tls.certificates]]
          CertFile = "/ssl/tls.crt"
          KeyFile = "/ssl/tls.key"
...
```
### Deployment

Edit the Traefik deployment to reference the new secret.

```shell
kubectl edit deployment traefik -n kube-system
```

Todo: Patch the existing Deployment instead.

```yaml
...
spec:
  template:
    spec:
      volumes:
      - name: ssl  # mounted at /ssl by the traefik container, matching CertFile/KeyFile above
        secret:
          secretName: traefik-cert  # must exist in kube-system, the Deployment's namespace
...
```
### Ingress

Add the reference to the new secret to the ingress resource.

```yaml
...
spec:
  tls:
  - secretName: traefik-cert  # must exist in the Ingress's own namespace
...
```