
How do I implement SSL termination at Traefik ingress in Kubernetes?

In this guide, we will implement SSL termination at the Traefik ingress in a Kubernetes cluster. SSL termination refers to the process of decrypting SSL/TLS traffic at the load balancer level, which offloads the CPU-intensive decryption process from your backend services.

We will set up a Kubernetes cluster with Traefik as the ingress controller, create a Kubernetes secret to store the SSL certificate, and configure the Traefik ingress to use this certificate for SSL termination.

import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Define the namespace for Traefik
const traefikNamespace = new k8s.core.v1.Namespace("traefik", {
    metadata: { name: "traefik" }
});

// Create a Kubernetes Secret to store the SSL certificate and key
const tlsSecret = new k8s.core.v1.Secret("tls-secret", {
    metadata: {
        name: "tls-secret",
        namespace: traefikNamespace.metadata.name,
    },
    data: {
        "tls.crt": pulumi.secret("<base64-encoded-certificate>"), // Replace with your base64 encoded certificate
        "tls.key": pulumi.secret("<base64-encoded-key>"), // Replace with your base64 encoded key
    },
    type: "kubernetes.io/tls",
});

// Deploy Traefik as the ingress controller
const traefikDeployment = new k8s.helm.v3.Chart("traefik", {
    chart: "traefik",
    version: "10.3.0",
    fetchOpts: {
        repo: "https://helm.traefik.io/traefik",
    },
    values: {
        additionalArguments: [
            "--entrypoints.websecure.address=:443",
        ],
        deployment: {
            enabled: true,
        },
        service: {
            type: "LoadBalancer",
        },
    },
    namespace: traefikNamespace.metadata.name,
});

// Define an Ingress resource to use the SSL certificate
const ingress = new k8s.networking.v1.Ingress("example-ingress", {
    metadata: {
        name: "example-ingress",
        namespace: traefikNamespace.metadata.name,
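        annotations: {
            "kubernetes.io/ingress.class": "traefik",
            // Attach the router to the HTTPS entrypoint only
            "traefik.ingress.kubernetes.io/router.entrypoints": "websecure",
            // Enable TLS on the router Traefik builds from this Ingress
            "traefik.ingress.kubernetes.io/router.tls": "true",
        },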
    },
    spec: {
        tls: [
            {
                hosts: ["example.com"], // Replace with your domain
                secretName: tlsSecret.metadata.name,
            },
        ],
        rules: [
            {
                host: "example.com", // Replace with your domain
                http: {
                    paths: [
                        {
                            path: "/",
                            pathType: "Prefix",
                            backend: {
                                service: {
                                    name: "example-service", // Replace with your service name
                                    port: {
                                        number: 80,
                                    },
                                },
                            },
                        },
                    ],
                },
            },
        ],
    },
});

Key Points

  • Namespace: We created a dedicated namespace for Traefik.
  • TLS Secret: We stored the SSL certificate and key in a Kubernetes secret.
  • Traefik Deployment: We deployed Traefik using a Helm chart and configured it to listen on port 443 for secure traffic.
  • Ingress Resource: We defined an ingress resource to route traffic to the backend service using the SSL certificate.
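
One way to check the Ingress wiring described above before deploying, as an added example that is not part of the original guide or of Pulumi's or Traefik's own code: a lint over plain objects shaped like the Ingress and Secret. The interfaces, function names and the `driftedIngress` sample are assumptions made for illustration.

```typescript
const EP = "traefik.ingress.kubernetes.io/router.entrypoints";
interface TlsSecret { name: string; namespace: string; type: string; data: Record<string, string>; }
interface Ingress {
    metadata: { name: string; namespace: string; annotations?: Record<string, string> };
    spec: { tls?: { hosts?: string[]; secretName?: string }[]; rules?: { host?: string }[] };
}

// Wildcards cover exactly one DNS label, as in X.509 certificates and Ingress host rules.
function hostCovered(host: string, pattern: string): boolean {
    const h = host.toLowerCase(), p = pattern.toLowerCase();
    if (p.slice(0, 2) !== "*.") return h === p;
    const dot = h.indexOf(".");
    return dot > 0 && h.slice(dot + 1) === p.slice(2);
}

function lintIngressTls(ing: Ingress, secrets: TlsSecret[]): string[] {
    const findings: string[] = [];
    const tls = ing.spec.tls ?? [];
    // Anything other than exactly "websecure" can leave the router reachable on a non-TLS entrypoint.
    const eps = (ing.metadata.annotations?.[EP] ?? "").split(",").map(e => e.trim()).filter(e => e.length > 0);
    if (eps.length !== 1 || eps[0] !== "websecure")
        findings.push(`router.entrypoints is [${eps.join(",")}], expected only websecure`);
    for (const rule of ing.spec.rules ?? []) {
        if (!tls.some(t => (t.hosts ?? []).some(p => hostCovered(rule.host ?? "", p))))
            findings.push(`rule host "${rule.host ?? ""}" is not covered by any spec.tls[].hosts entry`);
    }
    for (const t of tls) {
        // secretName is resolved in the Ingress's own namespace only.
        const s = secrets.filter(x => x.name === t.secretName && x.namespace === ing.metadata.namespace)[0];
        if (!s) { findings.push(`secret "${t.secretName}" not found in namespace "${ing.metadata.namespace}"`); continue; }
        if (s.type !== "kubernetes.io/tls") findings.push(`secret "${s.name}" has type "${s.type}"`);
        for (const k of ["tls.crt", "tls.key"])
            if (!s.data[k]) findings.push(`secret "${s.name}" is missing ${k}`);
    }
    return findings;
}

// Constructed sample input: the guide's Secret and Ingress, plus a drifted variant.
const sampleSecret: TlsSecret = { name: "tls-secret", namespace: "traefik", type: "kubernetes.io/tls",
    data: { "tls.crt": "<base64-encoded-certificate>", "tls.key": "<base64-encoded-key>" } };
const guideIngress: Ingress = {
    metadata: { name: "example-ingress", namespace: "traefik", annotations: { [EP]: "websecure" } },
    spec: { tls: [{ hosts: ["example.com"], secretName: "tls-secret" }], rules: [{ host: "example.com" }] },
};
const driftedIngress: Ingress = {
    metadata: { name: "drifted", namespace: "apps", annotations: {} },
    spec: { tls: [{ hosts: ["*.example.com"], secretName: "tls-secret" }], rules: [{ host: "a.b.example.com" }] },
};
console.log(lintIngressTls(guideIngress, [sampleSecret]), lintIngressTls(driftedIngress, [sampleSecret]));
```

The guide's own resources produce no findings; the drifted variant produces three (missing entrypoint restriction, a rule host the wildcard does not cover, and a Secret that lives in a different namespace).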

Summary

In this guide, we set up SSL termination at the Traefik ingress in a Kubernetes cluster. We created a Kubernetes secret to store the SSL certificate, deployed Traefik as the ingress controller, and configured an ingress resource to use the certificate for secure traffic. This setup offloads the SSL/TLS decryption process from your backend services, improving performance and security. Because decryption happens at Traefik, requests travel from Traefik to the backend service (port 80 in this example) as unencrypted HTTP inside the cluster.
