Question

How do I use Traefik and cert-manager to protect an application with SSL?

Hello, I am learning Kubernetes and Traefik. I would like to deploy Traefik in Kubernetes.

I currently have this situation.

kubectl get pods,services
NAME                                     READY   STATUS    RESTARTS       AGE
pod/app-frontend-5d5584888d-9mzhv       1/1     Running   0              114m
pod/app-backend-67b59df8b5-59lh2       1/1     Running   0              114m
pod/cm-acme-http-solver-qh8ms            1/1     Running   0              63m
pod/company-service-855864d49-mrkrp      1/1     Running   0              114m
pod/edge-service-5cd9945fbc-tzthl        1/1     Running   0              114m
pod/location-service-68db8f867b-wzf4j    1/1     Running   0              114m
pod/tomcat-deployment-69677f796c-57xh7   1/1     Running   0              39m
pod/traefik-5d86ff94c5-c6m9f             1/1     Running   0              22h
pod/traefik-deployment-c8bdf66f5-kgng2   1/1     Running   0              4h46m
pod/user-service-5f5c46df5f-j2lqg        1/1     Running   1 (113m ago)   114m

NAME                                TYPE               EXTERNAL-IP       PORT(S)                      AGE
service/app-frontend               LoadBalancer      app-ext-ip     3000:32459/TCP               114m
service/app-backend               ClusterIP         <none>            5432/TCP                     114m
service/cm-acme-http-solver-fcgpr   NodePort        <none>            8089:30577/TCP               63m
service/company-service             ClusterIP       <none>            9003/TCP                     114m
service/edge-service                ClusterIP       <none>            9000/TCP                     114m
service/kubernetes                  ClusterIP      <none>            443/TCP                      23h
service/location-service            ClusterIP      <none>            9002/TCP                     114m
service/traefik                     LoadBalancer   traefik-ext-ip   80:32591/TCP,443:30716/TCP   22h
service/traefik-dashboard-service   LoadBalancer   traefik-dashboard-ext-ip     8080:31431/TCP               4h44m
service/traefik-web-service         LoadBalancer   traefik-web-ext-ip   80:31211/TCP                 4h44m
service/user-service                ClusterIP      <none>            9001/TCP                     114m

So far I followed this guide: Secure Web Apps: Traefik Proxy, cert-manager & Let’s Encrypt, and I’m reading the Traefik documentation. What I’m trying to understand and achieve is how to get Traefik to act as a proxy and SSL into app-frontend. Can you point me to some further documentation? Do I need to make another load balancer service that uses SSL and goes to app-frontend?

alexdo
Site Moderator
December 29, 2024

Heya, @netrunnercyberpunkcoral

In order to use Traefik as a reverse proxy with SSL termination for your app-frontend service, you don’t need to create another LoadBalancer service. Instead, you configure Traefik to route traffic to your app-frontend using IngressRoute resources.

Traefik listens for incoming traffic on ports 80 and 443 (HTTP and HTTPS) and routes it to your Kubernetes services based on rules defined in Ingress or IngressRoute resources.

Create a Certificate for SSL

Use cert-manager to provision an SSL certificate for app-frontend.

Apply a Certificate Issuer

Define an Issuer (or ClusterIssuer) for Let’s Encrypt in YAML:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: your-email@example.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: traefik

Apply it:

kubectl apply -f cluster-issuer.yaml

Create a Certificate

Create a certificate for app-frontend:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-frontend-cert
  namespace: default
spec:
  secretName: app-frontend-cert-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: app-frontend.example.com
  dnsNames:
  - app-frontend.example.com

Apply it:

kubectl apply -f certificate.yaml

Define an IngressRoute for Traefik

Create an IngressRoute to route traffic to your app-frontend service and use the generated SSL certificate.

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: app-frontend-route
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`app-frontend.example.com`)
    kind: Rule
    services:
    - name: app-frontend
      port: 3000
  tls:
    secretName: app-frontend-cert-tls

Apply it:

kubectl apply -f ingressroute.yaml

You can also check this article:

https://www.digitalocean.com/community/tutorials/how-to-use-traefik-v2-as-a-reverse-proxy-for-docker-containers-on-ubuntu-20-04

Regards
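
A companion configuration for the setup in the answer above, added here as an example and not part of the original answer. The service listing in the question shows app-frontend as a LoadBalancer on port 3000, which leaves a plain-HTTP path that bypasses Traefik; these manifests make the Service cluster-internal and redirect port 80 to HTTPS. Assumed names: the Traefik entry point `web`, the Middleware and IngressRoute names, and the pod selector.

```yaml
# Added example, not from the original answer.
# Assumptions: Traefik's port-80 entry point is named "web", and the
# app-frontend pods carry the label app=app-frontend (placeholder selector).
---
# 1. Keep the app reachable only inside the cluster, so port 3000 is no longer
#    exposed in plaintext beside Traefik's HTTPS endpoint.
apiVersion: v1
kind: Service
metadata:
  name: app-frontend
  namespace: default
spec:
  type: ClusterIP
  selector:
    app: app-frontend   # placeholder: copy the selector from the existing Service
  ports:
  - port: 3000
    targetPort: 3000    # assumed container port
---
# 2. Middleware that answers plain HTTP with a permanent redirect to HTTPS.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: redirect-to-https
  namespace: default
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
# 3. Port-80 route for the same host; it only applies the redirect.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: app-frontend-redirect
  namespace: default
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`app-frontend.example.com`)
    kind: Rule
    middlewares:
    - name: redirect-to-https
    services:
    - name: app-frontend
      port: 3000
```

Once applied, `kubectl get certificate app-frontend-cert` should show READY as True before the HTTPS route can serve the issued certificate.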
