
k3s redirect http to https [closed]

I'm trying to deploy AWX on k3s and everything works just fine, however I'd like to enforce SSL - so, redirect HTTP to HTTPS.

I've been trying to test the SSL enforcement part, however it's not working properly. Here is my traefik config:

apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik-crd
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-crd-9.18.2.tgz
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-9.18.2.tgz
  set:
    global.systemDefaultRegistry: ""
  valuesContent: |-
    ssl:
      enforced: true
    rbac:
      enabled: true
    ports:
      websecure:
        tls:
          enabled: true
    podAnnotations:
      prometheus.io/port: "8082"
      prometheus.io/scrape: "true"
    providers:
      kubernetesIngress:
        publishedService:
          enabled: true
    priorityClassName: "system-cluster-critical"
    image:
      name: "rancher/library-traefik"
    tolerations:
    - key: "CriticalAddonsOnly"
      operator: "Exists"
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Exists"
      effect: "NoSchedule"
    - key: "node-role.kubernetes.io/master"
      operator: "Exists"
      effect: "NoSchedule"

According to the Helm chart here https://github.com/helm/charts/tree/master/stable/traefik#configuration, the ssl.enforced parameter should do the trick; however, when I access my host using http it is still not redirecting me to https. I can see that Rancher is deploying a LB service for traefik as well. Do I need to modify it somehow?

dywan666 asked Mar 24 '26 05:03


2 Answers

I struggled myself to make redirection work, and finally found a working configuration.

You should define a Middleware object in Kubernetes, and your Ingress object must reference it. Beware, because the documentation in Traefik is very misleading here: the Middleware manifests found on many pages forget the 'namespace' annotation, so they assume this is 'default' (which is stupid btw, no serious people work on default namespace).

Thus, here is a working configuration :

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect
  namespace: some_namespace
spec:
  redirectScheme:
    scheme: https
    permanent: true

and

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wordpress
  namespace: your_app_namespace
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.middlewares: some_namespace-redirect@kubernetescrd
spec:
  tls:
    - secretName: your_certificate
      hosts:
        - www.your_website.com
  rules:
    - host: www.your_website.com
      http:
        paths:
          - path: /
            backend:
              service:
                name: your_service
                port:
                  number: 80
            pathType: ImplementationSpecific

So the trick is to :

  • define a Middleware object (in any namespace you want, but that may be in the same one as your app)
  • reference it in traefik.ingress.kubernetes.io/router.middlewares with the syntax <NAMESPACE>-<NAME>@kubernetescrd (where NAMESPACE and NAME are those of the Middleware object)
Orabîg answered Mar 26 '26 06:03
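
The reference rule from the answer above, as an added example (not code from the answer or from Traefik): a Python check that the Ingress annotation resolves to an existing Middleware whose redirectScheme is https. The manifests are constructed samples given as already-parsed dicts; `middleware_refs`, `check_ingress` and `make_ingress` are hypothetical helper names, and a Middleware with no namespace set is assumed to be in `default`.

```python
ANNOTATION = "traefik.ingress.kubernetes.io/router.middlewares"
SUFFIX = "@kubernetescrd"


def middleware_refs(middlewares):
    """Map '<NAMESPACE>-<NAME>@kubernetescrd' to each Middleware manifest."""
    refs = {}
    for mw in middlewares:
        meta = mw["metadata"]
        # Assumption: a manifest without metadata.namespace lands in 'default'.
        ns = meta.get("namespace", "default")
        refs[f"{ns}-{meta['name']}{SUFFIX}"] = mw
    return refs


def check_ingress(ingress, middlewares):
    """Return the problems that would stop HTTP being redirected to HTTPS."""
    known = middleware_refs(middlewares)
    value = ingress["metadata"].get("annotations", {}).get(ANNOTATION, "")
    entries = [e.strip() for e in value.split(",") if e.strip()]
    if not entries:
        return [f"missing annotation {ANNOTATION}"]
    problems, redirects = [], False
    for ref in entries:
        mw = known.get(ref)
        if not ref.endswith(SUFFIX):
            problems.append(f"{ref}: not in <NAMESPACE>-<NAME>{SUFFIX} form")
        elif mw is None:
            # Names may contain '-', so match whole references, never split.
            problems.append(f"{ref}: no Middleware with that namespace and name")
        elif mw.get("spec", {}).get("redirectScheme", {}).get("scheme") == "https":
            redirects = True
    if not problems and not redirects:
        problems.append("no referenced Middleware sets redirectScheme to https")
    return problems


# Constructed sample manifests (already parsed into dicts), mirroring the answer.
MIDDLEWARE = {"kind": "Middleware",
              "metadata": {"name": "redirect", "namespace": "some_namespace"},
              "spec": {"redirectScheme": {"scheme": "https", "permanent": True}}}


def make_ingress(ref):
    """Build a constructed Ingress carrying only the middleware annotation."""
    return {"kind": "Ingress",
            "metadata": {"name": "wordpress", "namespace": "your_app_namespace",
                         "annotations": {ANNOTATION: ref}}}
```

Calling `check_ingress(make_ingress("redirect@kubernetescrd"), [MIDDLEWARE])` reports the reference that lacks the namespace prefix, while `some_namespace-redirect@kubernetescrd` returns an empty list.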


A complement to GAmeScripting's answer. K3s does not recommend changes to the source config file. You can apply a HelmChartConfig like this:

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    ports:
      websecure:
        tls:
          enabled: true
      web:
        redirectTo:
          port: websecure
Rodrigo Brito answered Mar 26 '26 06:03


