Set up a reverse-proxy through Traefik with Let's Encrypt to external resource? #9923
Good morning! I am aware this isn't exactly k3s specific, but since this is the Kubernetes distribution that my company works with the most, and because I had tried to implement this as a Traefik

Basically, we deployed a k3s cluster in a client's network and one of their embedded appliances only supports the HTTP ACME challenge; and we do not trust this device to be publicly reachable, at all. So instead, we would like to use the cluster itself to do the reverse proxying, since it can easily use the DNS challenge - well, Traefik can, and does.

I ended up with this deployment here. But I am quite sure I overengineered this... I had tried to use an

Deployment YAML

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: rp-reddoxx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: rp-reddoxx
  namespace: rp-reddoxx
  labels:
    rev-proxy: reddoxx
spec:
  replicas: 1
  selector:
    matchLabels:
      rev-proxy: reddoxx
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
    type: RollingUpdate
  template:
    metadata:
      labels:
        rev-proxy: reddoxx
    spec:
      containers:
        - image: docker.io/library/caddy:2-alpine
          name: proxy
          ports:
            - containerPort: 8080
              name: web
              protocol: TCP
          args:
            - "caddy"
            - "reverse-proxy"
            # --insecure disables verification of the upstream's TLS certificate
            - "--insecure"
            - "--from=http://:8080"
            - "--to=https://10.100.0.32"
---
apiVersion: v1
kind: Service
metadata:
  name: rp-reddoxx
  namespace: rp-reddoxx
spec:
  type: ClusterIP
  ports:
    - port: 8080
      targetPort: 8080
      name: web
  selector:
    rev-proxy: reddoxx
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: rp-reddoxx
  namespace: rp-reddoxx
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`reddoxx.domain`)
      kind: Rule
      services:
        - name: rp-reddoxx
          port: 8080
```

Kind regards!
Replies: 1 comment 1 reply
This is really more of a Traefik question. I think you should have been able to get an ExternalName service working - reference their docs:
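An added example of the ExternalName approach mentioned in the reply, not part of the original thread and not taken from the Traefik or k3s projects. It replaces the Caddy pod with an ExternalName Service and verifies the appliance's certificate against a pinned CA rather than skipping verification. Assumptions: the names `reddoxx-external`, `reddoxx-upstream`, `reddoxx-upstream-ca` and the DNS name `appliance.internal.example` are placeholders, and Traefik's Kubernetes CRD provider has `allowExternalNameServices` enabled.

```yaml
# Assumes providers.kubernetesCRD.allowExternalNameServices=true in Traefik's static config.
apiVersion: v1
kind: Service
metadata:
  name: reddoxx-external                     # assumed name
  namespace: rp-reddoxx
spec:
  type: ExternalName
  externalName: appliance.internal.example   # assumed DNS name of the appliance
  ports:
    - port: 443
      name: https
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: reddoxx-upstream                     # assumed name
  namespace: rp-reddoxx
spec:
  # Name the appliance's certificate must be valid for.
  serverName: appliance.internal.example
  # Secret holding the CA that issued the appliance certificate (key ca.crt or tls.ca).
  rootCAsSecrets:
    - reddoxx-upstream-ca                    # assumed Secret name
  # Weak alternative, same effect as caddy's --insecure: no upstream verification.
  # insecureSkipVerify: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: rp-reddoxx
  namespace: rp-reddoxx
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`reddoxx.domain`)
      kind: Rule
      services:
        - name: reddoxx-external
          port: 443
          scheme: https                       # speak TLS to the upstream
          serversTransport: reddoxx-upstream  # apply the verification settings above
```

With this layout the only component that talks to the appliance is Traefik itself, and a certificate that does not chain to the pinned CA causes the upstream connection to fail instead of being silently accepted.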