1. Kubernetes Traefik for Secure AI APIs with TLS Termination


    Setting up Traefik on Kubernetes to act as a reverse proxy for your AI APIs with TLS termination involves creating the necessary Kubernetes objects such as Deployments, Services, and Ingress resources, and then configuring TLS with Cert-Manager to manage and issue certificates.

    To begin, we will need to have a Kubernetes cluster ready with kubectl configured to interact with the cluster. For setting up TLS, we'll use cert-manager which simplifies obtaining and managing TLS certificates from various issuing sources.

    Let's go through the steps and the Pulumi code necessary to set up Traefik with TLS termination on Kubernetes.

    1. Installation of Traefik: We will create a Deployment and a Service for Traefik (the Helm chart used below creates both). Traefik will listen on the standard HTTP and HTTPS ports, and Ingress resources will route outside traffic through it to our backend services.

    2. Setting up Cert-Manager: Cert-Manager is a Kubernetes application that manages TLS certificates, including issuing them from various authorities such as Let's Encrypt and renewing them.

    3. Traefik Ingress with TLS: We will create an Ingress object that uses annotations to configure Traefik-specific settings and to ask Cert-Manager for a certificate. It refers to a TLS secret, populated by Cert-Manager, that will contain the TLS certificate and the corresponding private key for HTTPS.

    Here's how you would set up the Traefik ingress with TLS termination using Pulumi and Python:

```python
import pulumi
import pulumi_kubernetes as k8s

# Deploy Cert-Manager to handle TLS certificates.
# Documentation: https://www.pulumi.com/registry/packages/kubernetes-cert-manager/api-docs/certmanager/

# Deploying the Cert-Manager CustomResourceDefinitions
cert_manager_crds = k8s.yaml.ConfigFile(
    "cert-manager-crds",
    file="https://github.com/cert-manager/cert-manager/releases/download/v1.3.0/cert-manager.crds.yaml",
)

# Deploying Cert-Manager itself
cert_manager_chart = k8s.helm.v3.Chart(
    "cert-manager",
    k8s.helm.v3.ChartOpts(
        chart="cert-manager",
        version="v1.3.0",
        namespace="kube-system",
        fetch_opts=k8s.helm.v3.FetchOpts(repo="https://charts.jetstack.io"),
    ),
    opts=pulumi.ResourceOptions(depends_on=[cert_manager_crds]),
)

# Configure the Cert-Manager Issuer.
# This is required to generate certificates for our domains.
# The Issuer is created only after Cert-Manager (and its CRDs) are installed;
# without this dependency the API server may reject the unknown resource kind.
letsencrypt_issuer = k8s.apiextensions.CustomResource(
    "letsencrypt-issuer",
    api_version="cert-manager.io/v1",
    kind="Issuer",
    # An Issuer is namespaced: it can only serve Ingresses in the same namespace.
    metadata={"name": "letsencrypt-staging", "namespace": "default"},
    spec={
        "acme": {
            "server": "https://acme-staging-v02.api.letsencrypt.org/directory",
            "email": "user@example.com",
            "privateKeySecretRef": {"name": "letsencrypt-staging"},
            # HTTP-01 challenges are published through Traefik, so the solver
            # ingress class must match the class Traefik handles.
            "solvers": [{"http01": {"ingress": {"class": "traefik"}}}],
        }
    },
    opts=pulumi.ResourceOptions(depends_on=[cert_manager_chart]),
)

# Deploy Traefik itself using a Helm Chart.
# Documentation: https://www.pulumi.com/registry/packages/kubernetes/api-docs/helm/v3/chart/
traefik_chart = k8s.helm.v3.Chart(
    "traefik",
    k8s.helm.v3.ChartOpts(
        chart="traefik",
        version="9.18.2",
        namespace="kube-system",
        fetch_opts=k8s.helm.v3.FetchOpts(repo="https://containous.github.io/traefik-helm-chart"),
        values={
            "ports": {
                # Plain HTTP is accepted only to redirect it to HTTPS.
                "web": {"port": 80, "redirectTo": "websecure"},
                "websecure": {"port": 443, "tls": {"enabled": True}},
            },
            "service": {"annotations": {"kubernetes.io/ingress.class": "traefik"}},
        },
    ),
)

# Define the Ingress with TLS termination for your AI APIs.
# It lives in the "default" namespace, the same namespace as the Issuer.
ai_api_ingress = k8s.networking.v1.Ingress(
    "ai-api-ingress",
    metadata={
        "annotations": {
            "kubernetes.io/ingress.class": "traefik",
            # Cert-Manager watches this annotation and stores the issued
            # certificate in the secret named under spec.tls below.
            "cert-manager.io/issuer": "letsencrypt-staging",
        }
    },
    spec={
        "rules": [
            {
                "host": "api.example.com",
                "http": {
                    "paths": [
                        {
                            "path": "/",
                            "pathType": "Prefix",
                            "backend": {
                                "service": {
                                    "name": "your-ai-api-service-name",
                                    "port": {"number": 80},
                                }
                            },
                        }
                    ]
                },
            }
        ],
        "tls": [{"hosts": ["api.example.com"], "secretName": "api-example-com-tls"}],
    },
    opts=pulumi.ResourceOptions(depends_on=[letsencrypt_issuer]),
)

# Export the Ingress host so the API can be reached from outside the cluster.
pulumi.export("ingress_host", ai_api_ingress.spec.apply(lambda spec: spec.rules[0].host))
```

    In this program, we first deploy Cert-Manager with its CRDs to manage our TLS certificates. Then, we set up Traefik using the Helm chart. We have configured Traefik to enable TLS and redirect HTTP to HTTPS. The ingress configuration for the AI APIs points to the corresponding service and enables TLS termination with Cert-Manager.

    Please note that you need to replace "your-ai-api-service-name" with the actual service name of your AI API deployment and adjust other configurations like domain names and email addresses accordingly.

    This setup uses the Let's Encrypt staging environment, whose certificates chain to a CA that browsers and API clients do not trust. For a production environment, be sure to switch the Issuer to the Let's Encrypt production ACME directory URL and make sure you're compliant with their policies.
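    The misconfigurations that silently defeat this setup (a host routed without a matching spec.tls entry, an Issuer annotation pointing at a different name or namespace, a solver ingress class Traefik does not handle, a staging ACME server left in a production stack, or the HTTP-to-HTTPS redirect turned off) are all visible in the plain dicts before anything is applied. The following pre-deploy check is an added example and not code from the page, from Pulumi, or from the Cert-Manager or Traefik projects; the sample specs in it are constructed to mirror the program above, and the production flag is an assumption about how you label your stack.

```python
from typing import Any

# Added example: offline lint of the Ingress, Issuer and Traefik chart values
# used in the Pulumi program above. Run it before "pulumi up".

LETSENCRYPT_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"
LETSENCRYPT_PROD = "https://acme-v02.api.letsencrypt.org/directory"


def lint_tls_setup(ingress: dict, issuer: dict, traefik_values: dict, production: bool) -> list:
    """Return a list of findings; an empty list means the TLS wiring is consistent."""
    findings: list = []
    annotations: dict = ingress.get("metadata", {}).get("annotations", {})
    spec: dict = ingress.get("spec", {})

    # 1. Every routed host must be covered by a spec.tls entry that names a secret,
    #    otherwise Traefik serves it with its default (untrusted) certificate.
    covered: set = set()
    for entry in spec.get("tls", []):
        if not entry.get("secretName"):
            findings.append("spec.tls entry without secretName: Cert-Manager has nowhere to store the certificate")
        covered.update(entry.get("hosts", []))
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if host and host not in covered:
            findings.append(f"host {host} is routed but has no spec.tls entry")

    # 2. The cert-manager.io/issuer annotation must name an Issuer in the same namespace.
    issuer_ref = annotations.get("cert-manager.io/issuer")
    issuer_name = issuer.get("metadata", {}).get("name")
    ingress_ns = ingress.get("metadata", {}).get("namespace", "default")
    issuer_ns = issuer.get("metadata", {}).get("namespace", "default")
    if issuer_ref is None:
        findings.append("missing cert-manager.io/issuer annotation: no certificate will be requested")
    elif issuer_ref != issuer_name or ingress_ns != issuer_ns:
        findings.append(f"annotation references Issuer {issuer_ref!r} in {ingress_ns!r}, "
                        f"but the Issuer is {issuer_name!r} in {issuer_ns!r}")

    # 3. The HTTP-01 solver publishes challenge Ingresses with a class; Traefik must handle it.
    acme: dict = issuer.get("spec", {}).get("acme", {})
    solver_classes = {s["http01"].get("ingress", {}).get("class") for s in acme.get("solvers", []) if "http01" in s}
    ingress_class = annotations.get("kubernetes.io/ingress.class") or spec.get("ingressClassName")
    if solver_classes and ingress_class not in solver_classes:
        findings.append(f"HTTP-01 solver uses ingress class {sorted(solver_classes)} but the Ingress uses {ingress_class!r}")

    # 4. Staging certificates are untrusted; production issuance is rate limited.
    server = acme.get("server", "")
    if production and server == LETSENCRYPT_STAGING:
        findings.append("production stack uses the Let's Encrypt staging server: clients will reject the certificate")
    if not production and server == LETSENCRYPT_PROD:
        findings.append("non-production stack uses the Let's Encrypt production server: rate limits apply")

    # 5. Traefik entrypoints: plain HTTP must redirect, and the HTTPS entrypoint must have TLS on.
    ports: dict = traefik_values.get("ports", {})
    if ports.get("web", {}).get("redirectTo") != "websecure":
        findings.append("Traefik 'web' entrypoint does not redirect to 'websecure': plaintext API traffic is accepted")
    if not ports.get("websecure", {}).get("tls", {}).get("enabled"):
        findings.append("Traefik 'websecure' entrypoint has TLS disabled")
    return findings


# Constructed sample specs mirroring the Pulumi program above.
SAMPLE_INGRESS: dict = {
    "metadata": {"annotations": {"kubernetes.io/ingress.class": "traefik",
                                 "cert-manager.io/issuer": "letsencrypt-staging"}},
    "spec": {
        "rules": [{"host": "api.example.com",
                   "http": {"paths": [{"path": "/", "pathType": "Prefix",
                                       "backend": {"service": {"name": "your-ai-api-service-name",
                                                               "port": {"number": 80}}}}]}}],
        "tls": [{"hosts": ["api.example.com"], "secretName": "api-example-com-tls"}],
    },
}
SAMPLE_ISSUER: dict = {
    "metadata": {"name": "letsencrypt-staging", "namespace": "default"},
    "spec": {"acme": {"server": LETSENCRYPT_STAGING, "email": "user@example.com",
                      "privateKeySecretRef": {"name": "letsencrypt-staging"},
                      "solvers": [{"http01": {"ingress": {"class": "traefik"}}}]}},
}
SAMPLE_TRAEFIK_VALUES: dict = {
    "ports": {"web": {"port": 80, "redirectTo": "websecure"},
              "websecure": {"port": 443, "tls": {"enabled": True}}},
}


def lint_sample(production: bool) -> list:
    """Lint the constructed sample specs for the given environment."""
    return lint_tls_setup(SAMPLE_INGRESS, SAMPLE_ISSUER, SAMPLE_TRAEFIK_VALUES, production)


if __name__ == "__main__":
    for env in (False, True):
        print(f"production={env}:", lint_sample(env) or "no findings")
```

    Run against the staging configuration from the program, the check is clean; flagging the same specs as production yields exactly one finding, the staging ACME server. Feed it the dicts you actually pass to Pulumi (or dump them from the stack preview) so the check covers the values that will be applied, not a copy.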