8

I'm trying to deploy AWX on k3s and everything works just fine, however I'd like to enforce SSL - so, redirect HTTP to HTTPS.

I've been trying to test the SSL enforcement part, however it's not working properly. Here is my traefik config:

apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik-crd
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-crd-9.18.2.tgz
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-9.18.2.tgz
  set:
    global.systemDefaultRegistry: ""
  valuesContent: |-
    ssl:
      enforced: true
    rbac:
      enabled: true
    ports:
      websecure:
        tls:
          enabled: true
    podAnnotations:
      prometheus.io/port: "8082"
      prometheus.io/scrape: "true"
    providers:
      kubernetesIngress:
        publishedService:
          enabled: true
    priorityClassName: "system-cluster-critical"
    image:
      name: "rancher/library-traefik"
    tolerations:
    - key: "CriticalAddonsOnly"
      operator: "Exists"
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Exists"
      effect: "NoSchedule"
    - key: "node-role.kubernetes.io/master"
      operator: "Exists"
      effect: "NoSchedule"

According to the Helm chart here https://github.com/helm/charts/tree/master/stable/traefik#configuration, the ssl.enforced parameter should do the trick however when I access my host using http it is still not redirecting me to https. I can see that Rancher is deploying a LB service for traefik as well, do I need to modify it somehow?

dywan666
  • 385
  • 8
  • 14

3 Answers3

11

I struggled myself to make redirection work, and finally found a working configuration.

You should define a Middleware object in kubernetes, and your Ingress object must reference it. Beware, because the documentation in traefik is very misleading here, because the Middleware manifest found on many pages forget the 'namespace' annotation, so they assure this is 'default' (which is stupid btw, no serious people work on default namespace).

Thus, here is a working configuration :

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect
  namespace: some_namespace
spec:
  redirectScheme:
    scheme: https
    permanent: true

and

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wordpress
  namespace: your_app_namespace
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.middlewares: some_namespace-redirect@kubernetescrd
spec:
  tls:
    - secretName: your_certificate
      hosts:
        - www.your_website.com
  rules:
    - host: www.your_website.com
      http:
        paths:
          - path: /
            backend:
              service:
                name: your_service
                port:
                  number: 80
            pathType: ImplementationSpecific

So the trick is to :

  • define a Middleware object (in any namespace you want, but that may be in the same one as your app)
  • reference it in traefik.ingress.kubernetes.io/router.middlewares with the syntax <NAMESPACE>-<NAME>@kubernetescrd (where NAMESPACE and NAME are those of the Middleware object)
Orabîg
  • 11,718
  • 6
  • 38
  • 58
  • 3
    Thanks, glad it works for you, however I have found a much simpler solution but unfortunately I forgot to post it. I've modified the original traefik deployment that comes with k3s, and added this to the helm chart `ports.web.redirectTo: websecure` and it works. – dywan666 Aug 30 '21 at 12:10
  • 1
    I would guess that modifying the traefik deployment that comes with k3s would not allow you granular control for each deployment. So if you want TLS for one but not another this may still be the way to go. (?) – DPGraham4401 Aug 13 '22 at 10:53
6

A complement of GAmeScripting answer. The K3S do not recommend changes in the source config file. You can apply a HelmChartConfig like this:

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    ports:
      websecure:
        tls:
          enabled: true
      web:
        redirectTo: websecure
Rodrigo Brito
  • 378
  • 3
  • 9
  • 1
    Thank you, I added a link to you answer in my answer, as I think you solution is better. – GameScripting May 27 '22 at 13:57
  • This should be the correct answer. I already used object of this kind to apply `globalArguments: - "--serversTransport.insecureSkipVerify=true"` but I was not aware I can also override ports directly using yaml structure. Thanks! – pablito91 Jul 24 '22 at 22:09
4

EDIT: Instead of changing the contents of the config file directly, you can also add a HelmChartConfig (which is recommended)

See: https://stackoverflow.com/a/71989847/808723

Original answer:

Here are the details for the way proposed by dywan666:

  1. Login on your k3s server via ssh
  2. Open /var/lib/rancher/k3s/server/manifests/traefik.yaml
  3. Add ports.web.redirectTo: websecure as shown here:

image of the config file

  1. Can can now see that k3s automatically re-ran the helm-install-treafik job

screenshot of rancher ui with the job

  1. Now I recommend you verify with curl that the redirect is enforced:

curl -v http://my.web.app

It should look like this:

*   Trying 1.2.3.4:80...
* TCP_NODELAY set
* Connected to my.web.app (1.2.3.4) port 80 (#0)
> GET / HTTP/1.1
> Host: my.web.app
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: https://my.web.app/
< Date: Wed, 13 Apr 2022 08:24:47 GMT
< Content-Length: 17
< Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host my.web.app left intact
GameScripting
  • 16,092
  • 13
  • 59
  • 98