Question

SSL certificates with traefik in kubernetes.

Hello, every day a new style exercise with DigitalOcean. I have to say I am already learning the whole Kubernetes thing. I would like to attempt this kind of deployment: on a 3-node cluster, already paid for and on which I am doing experiments, I would like to run Traefik as load balancer and SSL certificate manager, and behind Traefik I would like to run something, let’s say a Tomcat just for the sake of the example. So far I’m documenting myself with this:

https://www.digitalocean.com/community/tutorials/how-to-use-traefik-v2-as-a-reverse-proxy-for-docker-containers-on-ubuntu-20-04

https://www.digitalocean.com/community/questions/how-do-i-set-up-tomcat-with-kubernetes-in-digitalocean

https://doc.traefik.io/traefik/https/acme/

https://doc.traefik.io/traefik/providers/kubernetes-ingress/

https://doc.traefik.io/traefik/getting-started/install-traefik/

I am trying to wrap things together and use Traefik instead of certificate manager. I could give you all the commands issued so far, but my question is a bit broader. Is it possible to build such infrastructure in DigitalOcean Kubernetes? Kubernetes -> Traefik as proxy and SSL cert manager -> redirecting to Tomcat. Can you suggest some documentation that can help me learn how to deploy that?


Bobby Iliev
Site Moderator
February 27, 2025

Hi there,

I believe that this should be doable. This tutorial here should cover most of this:

https://www.digitalocean.com/community/tutorials/how-to-secure-your-site-in-kubernetes-with-cert-manager-traefik-and-let-s-encrypt

Start by deploying Traefik via Helm:

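```shell
helm repo add traefik https://helm.traefik.io/traefik
helm repo update
# --create-namespace: the install fails if the traefik namespace does not exist yet
helm install traefik traefik/traefik --namespace traefik --create-namespace
```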

This creates a LoadBalancer Service, which provisions a DigitalOcean Load Balancer to route traffic.

Traefik can directly request and manage Let’s Encrypt certificates. Add these Helm values to enable ACME:

```yaml
additionalArguments:
  - "--certificatesresolvers.le.acme.email=your@email.com"
  - "--certificatesresolvers.le.acme.storage=/data/acme.json"
  - "--certificatesresolvers.le.acme.httpChallenge.entryPoint=web"
```

Also, make sure your domain points to the DO Load Balancer’s IP so Let’s Encrypt can validate it.

Define an Ingress rule for your Tomcat service:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tomcat-ingress  # hypothetical name; metadata.name is a required field
  annotations:
    kubernetes.io/ingress.class: "traefik"
    traefik.ingress.kubernetes.io/router.entrypoints: "web,websecure"
    traefik.ingress.kubernetes.io/router.tls: "true"
    # must match the resolver name used in --certificatesresolvers.le.*
    traefik.ingress.kubernetes.io/router.tls.certresolver: "le"
spec:
  rules:
    - host: app.mydomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: tomcat-service
                port:
                  number: 8080
```

This ensures traffic to app.mydomain.com is routed to your Tomcat pod with TLS encryption via Let’s Encrypt.

If you want Traefik to fully manage TLS, enable passthrough on the DO Load Balancer:

```yaml
service.beta.kubernetes.io/do-loadbalancer-tls-passthrough: "true"
service.beta.kubernetes.io/do-loadbalancer-tls-ports: "443"
```

Also, enable PROXY Protocol to retain real IPs:

```yaml
service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"
```

For a real-world example of DigitalOcean Kubernetes deployment with Ingress and SSL, check out DigitalOcean’s Mastodon on Kubernetes project:

Mastodon on Kubernetes

- Bobby
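
The fragments from the answer above collected into one Helm values file, as an added example that is not part of the answer or of DigitalOcean's documentation. It assumes the chart's default entry point names `web` and `websecure`; the persistence settings, the single replica and the `trustedIPs` range (a placeholder) are assumptions that do not come from the answer.

```yaml
# traefik-values.yaml (added example; adjust every value marked as assumption)
# Apply with:
#   helm upgrade --install traefik traefik/traefik \
#     --namespace traefik --create-namespace -f traefik-values.yaml

deployment:
  # Assumption: one replica. Traefik's built-in ACME keeps its state in a
  # single acme.json file and does not coordinate between instances.
  replicas: 1

persistence:
  # Assumption: acme.json lives on a volume. The file holds the ACME account
  # key and the private key of every issued certificate; keeping it across
  # pod restarts avoids re-requesting certificates (Let's Encrypt rate-limits
  # issuance).
  enabled: true
  path: /data          # must match the acme.storage path below
  size: 128Mi

service:
  type: LoadBalancer
  annotations:
    # Forward port 443 untouched so TLS terminates in Traefik, not on the LB.
    service.beta.kubernetes.io/do-loadbalancer-tls-passthrough: "true"
    service.beta.kubernetes.io/do-loadbalancer-tls-ports: "443"
    # The LB prepends a PROXY protocol header carrying the client address.
    service.beta.kubernetes.io/do-loadbalancer-enable-proxy-protocol: "true"

additionalArguments:
  # Resolver "le" is the name referenced by the Ingress annotation
  # traefik.ingress.kubernetes.io/router.tls.certresolver.
  - "--certificatesresolvers.le.acme.email=your@email.com"
  - "--certificatesresolvers.le.acme.storage=/data/acme.json"
  - "--certificatesresolvers.le.acme.httpChallenge.entryPoint=web"
  # Accept PROXY protocol headers only from the addresses the load balancer
  # connects from. 10.0.0.0/8 is a constructed placeholder: replace it with
  # the range your cluster actually sees, and keep it narrow, because any
  # listed sender can set the client IP that Traefik logs and forwards.
  - "--entryPoints.web.proxyProtocol.trustedIPs=10.0.0.0/8"
  - "--entryPoints.websecure.proxyProtocol.trustedIPs=10.0.0.0/8"
```

Traefik replaces the remote client address only for connections coming from an address listed in `trustedIPs`, so the proxy-protocol annotation and these two arguments have to be enabled together.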
