k3s redirect http to https
I'm trying to deploy AWX on k3s and everything works just fine, however I'd like to enforce SSL - so, redirect HTTP to HTTPS.
I've been trying to test the SSL enforcement part, however it's not working properly. Here is my traefik config:
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik-crd
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-crd-9.18.2.tgz
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-9.18.2.tgz
  set:
    global.systemDefaultRegistry: ""
  valuesContent: |-
    ssl:
      enforced: true
    rbac:
      enabled: true
    ports:
      websecure:
        tls:
          enabled: true
    podAnnotations:
      prometheus.io/port: "8082"
      prometheus.io/scrape: "true"
    providers:
      kubernetesIngress:
        publishedService:
          enabled: true
    priorityClassName: "system-cluster-critical"
    image:
      name: "rancher/library-traefik"
    tolerations:
    - key: "CriticalAddonsOnly"
      operator: "Exists"
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Exists"
      effect: "NoSchedule"
    - key: "node-role.kubernetes.io/master"
      operator: "Exists"
      effect: "NoSchedule"
According to the Helm chart here https://github.com/helm/charts/tree/master/stable/traefik#configuration, the ssl.enforced parameter should do the trick; however, when I access my host using http it is still not redirecting me to https. I can see that Rancher is deploying a LB service for traefik as well; do I need to modify it somehow?
Solution 1:[1]
I struggled myself to make redirection work, and finally found a working configuration.
You should define a Middleware object in Kubernetes, and your Ingress object must reference it. Beware, because the documentation in traefik is very misleading here: the Middleware manifest found on many pages forgets the 'namespace' annotation, so they assume this is 'default' (which is stupid btw, no serious people work on the default namespace).
Thus, here is a working configuration:
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect
  namespace: some_namespace
spec:
  redirectScheme:
    scheme: https
    permanent: true
and
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wordpress
  namespace: your_app_namespace
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.middlewares: some_namespace-redirect@kubernetescrd
spec:
  tls:
  - secretName: your_certificate
    hosts:
    - www.your_website.com
  rules:
  - host: www.your_website.com
    http:
      paths:
      - path: /
        backend:
          service:
            name: your_service
            port:
              number: 80
        pathType: ImplementationSpecific
So the trick is to:
- define a Middleware object (in any namespace you want, but that may be in the same one as your app)
- reference it in traefik.ingress.kubernetes.io/router.middlewares with the syntax <NAMESPACE>-<NAME>@kubernetescrd (where NAMESPACE and NAME are those of the Middleware object)
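An added offline check (example code, not from the answer above) for the namespace gotcha it describes: given Ingress and Middleware objects as Python dicts (constructed here to stand in for `kubectl get -o json` output), it resolves the router.middlewares reference the way Traefik's kubernetescrd provider keys Middleware objects, `<namespace>-<name>`, and reports when the reference does not resolve or the resolved Middleware does not redirect to https.

```python
ANNOTATION = "traefik.ingress.kubernetes.io/router.middlewares"
SUFFIX = "@kubernetescrd"

def middleware_index(middlewares):
    """Key each Middleware as Traefik's kubernetescrd provider does: '<namespace>-<name>'."""
    return {f"{m['metadata']['namespace']}-{m['metadata']['name']}": m for m in middlewares}

def check_https_redirect(ingress, middlewares):
    """Return a list of problems; empty means the Ingress references an existing Middleware that redirects to https."""
    problems = []
    index = middleware_index(middlewares)
    annotations = ingress.get("metadata", {}).get("annotations", {})
    refs = [r.strip() for r in annotations.get(ANNOTATION, "").split(",") if r.strip()]
    redirects = 0
    for ref in refs:
        if not ref.endswith(SUFFIX):
            problems.append(f"{ref}: not a {SUFFIX} reference")
            continue
        mw = index.get(ref[: -len(SUFFIX)])
        if mw is None:
            # Typical cause: the Middleware manifest was applied without 'namespace' and landed in 'default'.
            problems.append(f"{ref}: no Middleware keyed '<namespace>-<name>' matches (missing 'namespace' in its manifest?)")
            continue
        if mw.get("spec", {}).get("redirectScheme", {}).get("scheme") == "https":
            redirects += 1
    if redirects == 0:
        problems.append("no referenced Middleware performs redirectScheme to https")
    if not ingress.get("spec", {}).get("tls"):
        problems.append("spec.tls is empty: the https target is served with Traefik's default certificate")
    return problems

# Constructed sample objects mirroring the manifests in the answer above.
MIDDLEWARES = [
    {"apiVersion": "traefik.containo.us/v1alpha1", "kind": "Middleware",
     "metadata": {"name": "redirect", "namespace": "some_namespace"},
     "spec": {"redirectScheme": {"scheme": "https", "permanent": True}}},
]

def sample_ingress(middleware_ref):
    """Constructed Ingress with the given router.middlewares annotation value."""
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"name": "wordpress", "namespace": "your_app_namespace",
                         "annotations": {"kubernetes.io/ingress.class": "traefik", ANNOTATION: middleware_ref}},
            "spec": {"tls": [{"secretName": "your_certificate", "hosts": ["www.your_website.com"]}]}}

if __name__ == "__main__":
    print(check_https_redirect(sample_ingress("some_namespace-redirect@kubernetescrd"), MIDDLEWARES))
    # Reference built from a manifest that lacked 'namespace': does not resolve.
    print(check_https_redirect(sample_ingress("default-redirect@kubernetescrd"), MIDDLEWARES))
```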
Solution 2:[2]
A complement to GAmeScripting's answer. K3s does not recommend changes to the source config file. You can apply a HelmChartConfig like this:
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    ports:
      websecure:
        tls:
          enabled: true
      web:
        redirectTo: websecure
Solution 3:[3]
EDIT:
Instead of changing the contents of the config file directly, you can also add a HelmChartConfig (which is recommended).
See: https://stackoverflow.com/a/71989847/808723
Original answer:
Here are the details for the way proposed by dywan666:
- Log in on your k3s server via ssh
- Open /var/lib/rancher/k3s/server/manifests/traefik.yaml
- Add ports.web.redirectTo: websecure as shown here:
- You can now see that k3s automatically re-ran the helm-install-traefik job
- Now I recommend you verify with curl that the redirect is enforced:
  curl -v http://my.web.app
It should look like this:
* Trying 1.2.3.4:80...
* TCP_NODELAY set
* Connected to my.web.app (1.2.3.4) port 80 (#0)
> GET / HTTP/1.1
> Host: my.web.app
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
< Location: https://my.web.app/
< Date: Wed, 13 Apr 2022 08:24:47 GMT
< Content-Length: 17
< Content-Type: text/plain; charset=utf-8
<
* Connection #0 to host my.web.app left intact
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
Solution | Source |
---|---|
Solution 1 | Orabîg |
Solution 2 | Rodrigo Brito |
Solution 3 |