TLS¶
TraefikEE provides support for TLS over HTTP and TCP. It can be enabled on any router either using ACME or user-provided certificates. This section will explain how to load user-provided certificates into a cluster and how to configure routers to use them.
teectl
is required
The teectl
binary must be installed for cluster management.
Manage TLS Certificates¶
A TLS certificate can be added to a cluster using the following teectl
command:
teectl create tls-cert \
--cert="cert.pem" \
--key="key.pem"
Once added, the certificate will be used on routers that have TLS enabled when the domain matches.
TraefikEE can use a default certificate when there's no matching domain. A certificate will be served by default
if the --isdefault
option is given.
Certificate information can be retrieved from a cluster using the following command:
teectl get tls-certs
ID CN SANs NOT AFTER STORE DEFAULT
u7vxw9esw9vuyjqokgpvza9cl whoami.example.com 2022-01-22T15:27:25Z default false
Please note that each certificate is assigned a unique ID which is used to remove it from the cluster:
teectl delete tls-cert --id="u7vxw9esw9vuyjqokgpvza9cl"
Examples¶
Kubernetes¶
Setup a cluster on Kubernetes:
# Setup a cluster to manage.
teectl setup --kubernetes
# Generate manifest file and install it on the Kubernetes cluster.
teectl setup gen \
--license="$TRAEFIKEE_LICENSE" \
--controllers=1 \
--proxies=2 | kubectl apply -f -
Add the certificate to the cluster:
teectl create tls-cert \
--cert="cert.pem" \
--key="key.pem"
Copy the following static configuration in a file named static.yaml
. It configures TraefikEE to
use the kubernetesCRD
provider and adds a secure
entrypoint to listen for incoming HTTP requests
on the port 443
.
providers:
kubernetesCRD: {}
entryPoints:
secure:
address: ":443"
Once the cluster is ready, apply the static configuration:
teectl apply --file="./static.yaml"
Create a new file whoami.yaml
with the following kubernetes objects:
- Namespace: Create a new namespace
whoami-ns
where the following objects will reside. - Deployment: Deploy a single pod running the containous/whoami image.
- Service: Declare a service
whoami-svc
to expose the whoami pods on port80
. - IngressRoute: Declare a new router which routes requests coming from the
secure
entrypoint (port443
, defined in the static configuration) to thewhoami-svc
service if the hostname iswhoami.example.com
. Please note thattls
is enabled on this route.
---
apiVersion: v1
kind: Namespace
metadata:
name: whoami-ns
---
kind: Deployment
apiVersion: apps/v1
metadata:
name: whoami
namespace: whoami-ns
spec:
selector:
matchLabels:
app: whoami
replicas: 1
template:
metadata:
labels:
app: whoami
spec:
containers:
- name: whoami
image: containous/whoami:v1.4.0
imagePullPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
name: whoami-svc
namespace: whoami-ns
spec:
type: ClusterIP
ports:
- port: 80
name: whoami
selector:
app: whoami
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: whoami-ingressroute
namespace: whoami-ns
spec:
entryPoints:
- secure
routes:
- match: Host(`whoami.example.com`)
kind: Rule
services:
- name: whoami-svc
port: 80
tls: {}
Deploy the whoami service and the ingress route:
kubectl apply -f ./whoami.yaml
The application is now deployed and accessible on https://whoami.example.com
.
EXTERNAL_IP=$(kubectl -n traefikee get service/default-proxy-svc -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
openssl s_client -showcerts -servername whoami.example.com "$EXTERNAL_IP:443"
Docker Swarm¶
Setup a cluster on Docker Swarm:
# Setup a cluster to manage.
teectl setup --swarm --swarm.hosts="<the swarm hosts>"
# Setup TraefikEE controllers.
teectl setup gen \
--license="$TRAEFIKEE_LICENSE" \
--controllers=1 | docker stack deploy -c - traefikee
# Setup TraefikEE proxies once the controlers are ready.
teectl setup gen \
--license="$TRAEFIKEE_LICENSE" \
--proxies=2 | docker stack deploy -c - traefikee
Add the certificate to the cluster:
teectl create tls-cert \
--cert="cert.pem" \
--key="key.pem"
Copy the following static configuration in a file named static.yaml
. It configures TraefikEE to
use the docker
provider with swarmMode
enabled and adds a secure
entrypoint to listen for incoming HTTP requests
on the port 443
.
providers:
docker:
swarmMode: true
exposedByDefault: false
entryPoints:
secure:
address: ":443"
Once the cluster is ready, apply the static configuration:
teectl apply --file="./static.yaml"
Create a new file whoami.yaml
to define a whoami service. Please note that tls
is enabled on this whoami
router.
version: '3.4'
networks:
traefikee_traefikee-ingress:
external: true
services:
whoami:
image: containous/whoami:v1.4.0
deploy:
mode: replicated
replicas: 1
labels:
- "traefik.http.routers.whoami.entrypoints=secure"
- "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
- "traefik.http.routers.whoami.tls=true"
- "traefik.http.services.whoami.loadbalancer.server.port=80"
networks:
- traefikee_traefikee-ingress
Deploy the whoami service:
docker stack deploy -c whoami.yaml traefikee
The application is now deployed and accessible on https://whoami.example.com
.
openssl s_client -showcerts -servername whoami.example.com "127.0.0.1:443"