How do I implement SSL termination at Traefik ingress in Kubernetes?
In this guide, we will implement SSL termination at the Traefik ingress in a Kubernetes cluster. SSL termination refers to the process of decrypting SSL/TLS traffic at the load balancer level, which offloads the CPU-intensive decryption process from your backend services.
We will set up a Kubernetes cluster with Traefik as the ingress controller, create a Kubernetes secret to store the SSL certificate, and configure the Traefik ingress to use this certificate for SSL termination.
```typescript
import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Define the namespace for Traefik
const traefikNamespace = new k8s.core.v1.Namespace("traefik", {
    metadata: { name: "traefik" },
});

// Create a Kubernetes Secret to store the SSL certificate and key.
// `data` expects base64-encoded PEM; pulumi.secret() marks the values as
// secrets so they are encrypted in Pulumi state rather than stored in plain text.
const tlsSecret = new k8s.core.v1.Secret("tls-secret", {
    metadata: {
        name: "tls-secret",
        namespace: traefikNamespace.metadata.name,
    },
    data: {
        "tls.crt": pulumi.secret("<base64-encoded-certificate>"), // Replace with your base64 encoded certificate
        "tls.key": pulumi.secret("<base64-encoded-key>"), // Replace with your base64 encoded key
    },
    type: "kubernetes.io/tls",
});

// Deploy Traefik as the ingress controller
const traefikDeployment = new k8s.helm.v3.Chart("traefik", {
    chart: "traefik",
    version: "10.3.0",
    fetchOpts: {
        repo: "https://helm.traefik.io/traefik",
    },
    values: {
        additionalArguments: [
            "--entrypoints.websecure.address=:443",
        ],
        deployment: {
            enabled: true,
        },
        service: {
            type: "LoadBalancer",
        },
    },
    namespace: traefikNamespace.metadata.name,
});

// Define an Ingress resource to use the SSL certificate.
// The referenced TLS Secret must live in the same namespace as the Ingress.
const ingress = new k8s.networking.v1.Ingress("example-ingress", {
    metadata: {
        name: "example-ingress",
        namespace: traefikNamespace.metadata.name,
        annotations: {
            // Deprecated in favour of spec.ingressClassName, but still honoured by Traefik
            "kubernetes.io/ingress.class": "traefik",
            // Pin the router to the TLS entrypoint defined above
            "traefik.ingress.kubernetes.io/router.entrypoints": "websecure",
        },
    },
    spec: {
        tls: [
            {
                hosts: ["example.com"], // Replace with your domain
                secretName: tlsSecret.metadata.name,
            },
        ],
        rules: [
            {
                host: "example.com", // Replace with your domain
                http: {
                    paths: [
                        {
                            path: "/",
                            pathType: "Prefix",
                            backend: {
                                service: {
                                    name: "example-service", // Replace with your service name
                                    port: {
                                        number: 80,
                                    },
                                },
                            },
                        },
                    ],
                },
            },
        ],
    },
});
```
Key Points
- Namespace: We created a dedicated namespace for Traefik.
- TLS Secret: We stored the SSL certificate and key in a Kubernetes secret.
- Traefik Deployment: We deployed Traefik using a Helm chart and configured it to listen on port 443 for secure traffic.
- Ingress Resource: We defined an ingress resource to route traffic to the backend service using the SSL certificate.
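The Ingress and TLS Secret above only work together when a few conditions hold: the Secret must be in the Ingress's namespace and be of type kubernetes.io/tls with both keys, every routed host needs a matching tls entry, and the router should be pinned to the websecure entrypoint. The following pre-deploy check is an added example, not code from the page or from Pulumi; the reduced input shapes and the `checkTlsIngress` function are hypothetical, and the sample values are constructed to mirror the resources defined above.

```typescript
// Shapes reduced to the fields the check needs (hypothetical, not Pulumi types).
interface TlsSecretInput { name: string; namespace: string; type: string; keys: string[] }
interface IngressInput {
    name: string;
    namespace: string;
    annotations: Record<string, string>;
    tls: { hosts: string[]; secretName: string }[];
    rules: { host: string }[];
}

// Returns a list of findings; an empty list means the pair is consistent.
function checkTlsIngress(ing: IngressInput, secret: TlsSecretInput): string[] {
    const findings: string[] = [];
    // An Ingress can only reference TLS Secrets in its own namespace.
    if (ing.namespace !== secret.namespace) {
        findings.push(`secret ${secret.name} is in ${secret.namespace}, ingress is in ${ing.namespace}`);
    }
    if (secret.type !== "kubernetes.io/tls") {
        findings.push(`secret type is ${secret.type}, expected kubernetes.io/tls`);
    }
    for (const k of ["tls.crt", "tls.key"]) {
        if (secret.keys.indexOf(k) < 0) findings.push(`secret is missing key ${k}`);
    }
    const tlsHosts: { [host: string]: boolean } = {};
    for (const t of ing.tls) {
        if (t.secretName !== secret.name) findings.push(`tls entry references unknown secret ${t.secretName}`);
        for (const h of t.hosts) tlsHosts[h] = true;
    }
    // A routed host without a tls entry gets no certificate from this Ingress.
    for (const r of ing.rules) {
        if (!tlsHosts[r.host]) findings.push(`rule host ${r.host} has no tls entry`);
    }
    // By default Traefik attaches a router to every entrypoint; pin it to the TLS one.
    const eps = (ing.annotations["traefik.ingress.kubernetes.io/router.entrypoints"] || "")
        .split(",").map(s => s.trim());
    if (eps.indexOf("websecure") < 0) findings.push("router.entrypoints annotation does not pin the route to websecure");
    return findings;
}

// Constructed sample mirroring the resources defined in the guide above.
const pageSecret: TlsSecretInput = { name: "tls-secret", namespace: "traefik", type: "kubernetes.io/tls", keys: ["tls.crt", "tls.key"] };
const pageIngress: IngressInput = {
    name: "example-ingress",
    namespace: "traefik",
    annotations: { "kubernetes.io/ingress.class": "traefik", "traefik.ingress.kubernetes.io/router.entrypoints": "websecure" },
    tls: [{ hosts: ["example.com"], secretName: "tls-secret" }],
    rules: [{ host: "example.com" }],
};
```

Run `checkTlsIngress(pageIngress, pageSecret)` before `pulumi up`; any non-empty result points at a misconfiguration that would otherwise surface as an unexpected default certificate or a route served without TLS.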
Summary
In this guide, we set up SSL termination at the Traefik ingress in a Kubernetes cluster. We created a Kubernetes secret to store the SSL certificate, deployed Traefik as the ingress controller, and configured an ingress resource to use the certificate for secure traffic. This setup offloads the SSL/TLS decryption process from your backend services, improving performance and centralizing certificate management at the ingress; note that traffic from Traefik to the backend service (port 80 in the example) travels unencrypted inside the cluster unless you re-encrypt it.