Objective:
To perform a minimal installation of k0s on a VPS, set up Traefik as a reverse proxy, and enable HTTPS.
Prerequisites:
- A VPS (4GB RAM, 2 vCPUs)
- A domain
- k0s (v1.31.2+k0s.0)
- Helm (v3.16.3)
- MetalLB (v0.14.8)
- Traefik (v3.2.0)
- Traefik Helm Chart (v33.0.0)
Steps:
1. k0s Setup:
A single-node k0s installation is ideal for this minimal VPS setup to minimize resource usage. Below are the installation commands:
- Download k0s

```bash
curl --proto '=https' --tlsv1.2 -sSf https://get.k0s.sh | sudo sh
```
- Generate the configuration for a single-node k0s installation

```bash
# output k0s.yaml
sudo k0s config create > k0s.yaml
```
- Modify k0s.yaml so that k0s installs MetalLB as a Helm extension

```yaml
extensions:
  helm:
    concurrencyLevel: 5
    repositories:
      - name: metallb
        url: https://metallb.github.io/metallb
    charts:
      - name: metallb
        chartname: metallb/metallb
        version: "0.14.8"
        namespace: default
```
- Install and start k0s

```bash
sudo k0s install controller --single --force --config k0s.yaml
sudo k0s start
```
- Create the MetalLB IPAddressPool and L2Advertisement

Remember to substitute your VPS public IP.

```yaml
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: metallb-ip-pool
  namespace: default
spec:
  addresses:
    - your_vps_public_ip/32   # replace with your VPS public IP
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: metallb-l2-advertisment
  namespace: default
spec:
  ipAddressPools:
    - metallb-ip-pool
```

After saving this as metallb-l2-pool.yaml, run the following. Note that the first command removes MetalLB's validating webhook, so the pool manifest is no longer checked by the admission webhook before it is applied.

```bash
kubectl delete validatingwebhookconfigurations.admissionregistration.k8s.io metallb-webhook-configuration
kubectl apply -f metallb-l2-pool.yaml
```
2. Enabling HTTPS and Redirect HTTP to HTTPS:
Generate a Cloudflare Origin CA certificate for HTTPS. Cloudflare's documentation describes how to generate your Origin certificate.
Create the TLS secret `your-tls-secret` from the two files Cloudflare gives you:

- your_origin_ca.pem (Origin Certificate)
- your_origin_ca.key (Private Key)

```bash
kubectl create secret tls your-tls-secret --cert=your_origin_ca.pem --key=your_origin_ca.key --namespace=default
```
3. Installing Traefik:
Install Traefik using the Helm chart.
Add your traefik_values.yaml:

- your-tls-secret is the secret created in the previous step.
- redirectTo redirects HTTP to HTTPS.
- nodeAffinity is needed because the Traefik pod must be scheduled on the controller node.

```yaml
# traefik_values.yaml
ports:
  web:
    redirectTo:
      port: websecure
tlsStore:
  default:
    defaultCertificate:
      secretName: your-tls-secret
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: node-role.kubernetes.io/control-plane
              operator: Exists
```

Then

```bash
helm repo add traefik https://traefik.github.io/charts
helm install -f traefik_values.yaml traefik traefik/traefik
```
4. Test Deployment:
Deploy a simple whoami application to test if the setup is successful.
Add your whoami.yaml:

- port = 8001 (or whatever you want)
- WHOAMI_PORT_NUMBER is required so that whoami listens on that port instead of its default

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: whoami
  namespace: default
  labels:
    app: whoami
spec:
  replicas: 1
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
          env:
            - name: WHOAMI_PORT_NUMBER
              value: "8001"
---
apiVersion: v1
kind: Service
metadata:
  name: whoami-service
  namespace: default
  labels:
    app: whoami
spec:
  ports:
    - port: 8001
      targetPort: 8001
  selector:
    app: whoami
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-ingress
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`your_domain`) && PathPrefix(`/whoami`)
      kind: Rule
      services:
        - name: whoami-service
          port: 8001
```

Then

```bash
kubectl apply -f whoami.yaml
```

You should now see the whoami app at https://your_domain/whoami.
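As an added verification script (not part of the original post), the checks below confirm the two properties this setup is meant to provide: plain HTTP is redirected to HTTPS, and the certificate Traefik serves from the VPS is the Cloudflare Origin certificate created in step 2. It uses the page's placeholders your_domain, your_vps_public_ip and your_origin_ca.pem, and assumes curl and openssl are installed; `--resolve` pins the request to the VPS so the answer comes from Traefik rather than from Cloudflare's edge.

```shell
#!/bin/sh
# Added verification script for the k0s + Traefik setup above (not from the original post).
# Usage: ./verify.sh your_domain your_vps_public_ip your_origin_ca.pem
set -eu

# Pure check: does a "curl -sI" header block redirect to an https:// URL?
# Takes the header text as $1 so it can be checked without a network.
is_https_redirect() {
  status=$(printf '%s\n' "$1" | tr -d '\r' | head -n1 | awk '{print $2}')
  location=$(printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1)=="location:" {print $2}')
  case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
  case "$location" in https://*) return 0 ;; *) return 1 ;; esac
}

# Pure check: two SHA-256 fingerprints are non-empty and identical.
same_fingerprint() {
  [ -n "$1" ] && [ "$1" = "$2" ]
}

# Fingerprint of the local Origin certificate created in step 2.
local_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fingerprint of the certificate Traefik actually serves on the VPS.
# -servername sends the SNI; the tlsStore default certificate answers for any name.
served_fingerprint() {
  openssl s_client -connect "$2:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

main() {
  domain=$1; ip=$2; pem=$3
  # --resolve pins the request to the VPS, bypassing the Cloudflare edge, so the
  # redirect observed is Traefik's own (from redirectTo), not Cloudflare's.
  headers=$(curl -sI --resolve "$domain:80:$ip" "http://$domain/whoami")
  is_https_redirect "$headers" || { echo "FAIL: HTTP is not redirected to HTTPS"; exit 1; }
  same_fingerprint "$(local_fingerprint "$pem")" "$(served_fingerprint "$domain" "$ip")" \
    || { echo "FAIL: served certificate is not $pem"; exit 1; }
  echo "OK: HTTP->HTTPS redirect and Origin certificate verified"
}

# Run the checks only when invoked with the three arguments; sourcing just defines the functions.
if [ $# -eq 3 ]; then main "$@"; fi
```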
Top comments (2)
Great article! I liked the examples.
Thanks!!