SSL certificates with traefik in kubernetes.

Posted on December 6, 2024

Hello, every day a new style exercise with DigitalOcean. I have to say I am already learning the whole Kubernetes thing. I would like to attempt this kind of deployment: on a 3-node cluster, already paid for and on which I am doing experiments, I would like to run Traefik as load balancer and SSL certificate manager, and behind Traefik I would like to run something, let’s say a Tomcat just for the sake of the example. So far I’m documenting myself with this:

https://www.digitalocean.com/community/tutorials/how-to-use-traefik-v2-as-a-reverse-proxy-for-docker-containers-on-ubuntu-20-04

https://www.digitalocean.com/community/questions/how-do-i-set-up-tomcat-with-kubernetes-in-digitalocean

https://doc.traefik.io/traefik/https/acme/

https://doc.traefik.io/traefik/providers/kubernetes-ingress/

https://doc.traefik.io/traefik/getting-started/install-traefik/

I am trying to wrap the things together and use Traefik instead of certificate manager. I could give you all the commands issued so far, but my question is a bit wider. Is it possible to build such infrastructure in DigitalOcean Kubernetes? Kubernetes -> Traefik as proxy and SSL cert manager -> redirecting to Tomcat. Can you suggest some documentation that can help me learn how to deploy that?




Hi there,

I believe that this should be doable. This tutorial here should cover most of this:

https://www.digitalocean.com/community/tutorials/how-to-secure-your-site-in-kubernetes-with-cert-manager-traefik-and-let-s-encrypt

Start by deploying Traefik via Helm:

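```bash
helm repo add traefik https://helm.traefik.io/traefik
helm repo update
# --create-namespace creates the "traefik" namespace if it does not exist yet
helm install traefik traefik/traefik --namespace traefik --create-namespace
```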

This creates a LoadBalancer Service, which provisions a DigitalOcean Load Balancer to route traffic.

Traefik can directly request and manage Let’s Encrypt certificates. Add these Helm values to enable ACME:

```yaml
additionalArguments:
  - "--certificatesresolvers.le.acme.email=your@email.com"
  - "--certificatesresolvers.le.acme.storage=/data/acme.json"
  - "--certificatesresolvers.le.acme.httpChallenge.entryPoint=web"
```

Also, make sure your domain points to the DO Load Balancer’s IP so Let’s Encrypt can validate it.

Define an Ingress rule for your Tomcat service:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tomcat-ingress  # example name; an Ingress must have one
  annotations:
    kubernetes.io/ingress.class: "traefik"
    traefik.ingress.kubernetes.io/router.entrypoints: "web,websecure"
    traefik.ingress.kubernetes.io/router.tls: "true"
    # must match the resolver name used in the ACME arguments ("le")
    traefik.ingress.kubernetes.io/router.tls.certresolver: "le"
spec:
  rules:
    - host: app.mydomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: tomcat-service
                port:
                  number: 8080
```

This ensures traffic to app.mydomain.com is routed to your Tomcat pod with TLS encryption via Let’s Encrypt.

If you want Traefik to fully manage TLS, enable passthrough on the DO Load Balancer:

```yaml
service.beta.kubernetes.io/do-loadbalancer-tls-passthrough: "true"
service.beta.kubernetes.io/do-loadbalancer-tls-ports: "443"
```

Also, enable PROXY Protocol to retain real IPs:

```yaml
service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
```

For a real-world example of DigitalOcean Kubernetes deployment with Ingress and SSL, check out DigitalOcean’s Mastodon on Kubernetes project:

Mastodon on Kubernetes

- Bobby
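
The fragments from the answer above combined into one Helm values file, as an added example that is not part of Bobby's answer or of DigitalOcean's or Traefik's own material. The file name, the single replica, the persistent volume and the `proxyProtocol.trustedIPs` arguments with their placeholder range are assumptions added here; the ACME arguments and load balancer annotations are the ones quoted in the answer.

```yaml
# traefik-values.yaml (hypothetical file name)
# Apply with: helm upgrade --install traefik traefik/traefik \
#   --namespace traefik --create-namespace -f traefik-values.yaml

# Traefik's built-in ACME client keeps its state in one local file, so a
# single replica owns it (assumption: open-source Traefik, no shared store).
deployment:
  replicas: 1

# Keep acme.json on a volume. It holds the ACME account key and the private
# keys of every issued certificate; without a volume it is lost on each pod
# restart, and every restart requests the certificates again, which can run
# into Let's Encrypt rate limits.
persistence:
  enabled: true
  path: /data
  size: 128Mi

additionalArguments:
  # From the answer above.
  - "--certificatesresolvers.le.acme.email=your@email.com"
  - "--certificatesresolvers.le.acme.storage=/data/acme.json"
  - "--certificatesresolvers.le.acme.httpChallenge.entryPoint=web"
  # Needed once the load balancer sends PROXY protocol: Traefik must be told
  # to parse the header, and only from addresses you trust, otherwise any
  # client that can reach the port could supply its own source IP.
  # 10.0.0.0/8 is a placeholder; use the range your load balancer traffic
  # actually arrives from.
  - "--entryPoints.web.proxyProtocol.trustedIPs=10.0.0.0/8"
  - "--entryPoints.websecure.proxyProtocol.trustedIPs=10.0.0.0/8"

service:
  annotations:
    # From the answer above: pass TLS on 443 through untouched so Traefik
    # terminates it with the Let's Encrypt certificate, and forward the
    # client address via PROXY protocol.
    service.beta.kubernetes.io/do-loadbalancer-tls-passthrough: "true"
    service.beta.kubernetes.io/do-loadbalancer-tls-ports: "443"
    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
```

The PROXY protocol annotation and the `proxyProtocol.trustedIPs` arguments belong together: with only the annotation set, Traefik receives a header it does not expect and requests fail.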
