@jannegpriv
Last active September 23, 2022 14:03

K3s and Traefik with Let's encrypt and basic authentication

The steps below require that you have first followed the installation steps for installing K3s on RPIs.

Prerequisites

Ensure that you have a DNS hostname that can be resolved on the public Internet and points at your home connection:

$ dig +short oh.domain.se
104.21.58.56

Ensure that ports 80 and 443 are forwarded to your k3s master in your local router configuration. Port 80 is not optional: the HTTP-01 challenge used below is validated by Let's Encrypt over plain HTTP on port 80, so a router that only forwards 443 will never get a certificate issued.

Install Certificate Manager

Create namespace:

kubectl create namespace cert-manager

Create the cert-manager yaml-file, rewriting every image reference to its -arm variant for the Raspberry Pi (check the image: lines in the generated file before applying it):

curl -sL \
https://github.com/jetstack/cert-manager/releases/download/v1.7.3/cert-manager.yaml |\
sed -r 's/(image:.*):(v.*)$/\1-arm:\2/g' > cert-manager-arm.yaml

Apply the yaml-file:

kubectl apply -f cert-manager-arm.yaml

Check that all three pods (cert-manager, cert-manager-cainjector and cert-manager-webhook) are Running:

kubectl --namespace cert-manager get pods

Create a ClusterIssuer for Let's encrypt and traefik

Create a file named letsencrypt-issuer-production.yaml with the following contents (NOTE: change <your_email>@example.com to your own email address; it is registered with Let's Encrypt as the ACME account contact):

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: <your_email>@example.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider, solved through the Traefik ingress
    solvers:
    - http01:
        ingress:
          class: traefik

Apply the file:

kubectl apply -f letsencrypt-issuer-production.yaml

This ClusterIssuer is cluster-wide and can now be reused for every certificate you request in the future; the ACME account key is kept in the letsencrypt-prod secret in the cert-manager namespace.
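To see why the ClusterIssuer above needs port 80 forwarded, the following is an added illustration (not cert-manager's or Let's Encrypt's code) of the HTTP-01 exchange it delegates to cert-manager: the solver publishes a key authorization under /.well-known/acme-challenge/<token>, and the CA fetches it over plain HTTP and compares it with what it computed from the account key. The account JWK, the token, the domain oh.domain.se and the router model (fetch) are constructed stand-ins; a real ACME account key is a 2048-bit RSA or P-256 key.

```python
# Added example (not cert-manager's or Let's Encrypt's code): the HTTP-01
# exchange behind the ClusterIssuer, reduced to its checkable core.
# The account key, token and router behaviour are constructed stand-ins.
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as ACME/JWS require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the key's required members only,
    serialised with members in lexicographic order and no whitespace.
    Optional members such as 'alg' or 'use' must not change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the challenge token joined to the account-key
    thumbprint. Knowing the token alone is not enough to pass the challenge."""
    return token + "." + jwk_thumbprint(account_jwk)


CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def solver_routes(token: str, account_jwk: dict) -> dict:
    """What cert-manager's http01 ingress solver publishes for the Traefik
    ingress class: a temporary route for the token path, answered over plain
    HTTP on port 80. Modelled here as {path: body}."""
    return {CHALLENGE_PREFIX + token: key_authorization(token, account_jwk)}


def validate_http01(fetch, domain: str, token: str, account_jwk: dict) -> bool:
    """The CA side. `fetch(domain, port, path)` returns (status, body); it is
    injected so the example runs offline. Let's Encrypt connects to port 80,
    so a router that forwards only 443 fails validation here."""
    status, body = fetch(domain, 80, CHALLENGE_PREFIX + token)
    if status != 200:
        return False
    # The comparison is exact: a trailing newline in the body fails it.
    return body == key_authorization(token, account_jwk)


def make_fetch(routes: dict, forwarded_ports=(80, 443)):
    """Stand-in for the home router plus Traefik: only forwarded ports answer,
    and only published paths return 200."""
    def fetch(domain, port, path):
        if port not in forwarded_ports:
            return 0, ""            # connection refused / timeout
        if path in routes:
            return 200, routes[path]
        return 404, "not found"
    return fetch


# Constructed inputs: placeholder modulus and a made-up token (not real values).
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(bytes(range(1, 33))),
               "alg": "RS256", "use": "sig"}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def demo() -> tuple:
    """Returns (validated with 80 and 443 forwarded, validated with only 443)."""
    routes = solver_routes(TOKEN, ACCOUNT_JWK)
    ok = validate_http01(make_fetch(routes), "oh.domain.se", TOKEN, ACCOUNT_JWK)
    only_443 = validate_http01(make_fetch(routes, forwarded_ports=(443,)),
                               "oh.domain.se", TOKEN, ACCOUNT_JWK)
    return ok, only_443


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The second result is the situation behind a Certificate that never becomes READY: the solver pod and its temporary Ingress are fine, but the CA cannot reach port 80 from outside.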

Add Basic Authentication and use ClusterIssuer for your Ingress

Create users for Basic authentication

Install the apache2-utils package to get the htpasswd utility:

sudo apt-get install apache2-utils

Create a directory for the password file:

sudo mkdir /etc/traefik/

Create the first admin user (change username to your desired username); htpasswd prompts for the password and the -c flag creates the file. Without further flags htpasswd stores MD5-based (apr1) hashes; adding -B stores bcrypt hashes instead, which Traefik also accepts and which are much more expensive to brute-force if the file or secret ever leaks:

sudo htpasswd -c /etc/traefik/.htpasswd username

To add further users, use the following command without the -c flag: -c would recreate the file and drop all previously created users:

sudo htpasswd /etc/traefik/.htpasswd username

and to delete an existing user:

sudo htpasswd -D /etc/traefik/.htpasswd username

Create a secret for the created users

Issue the following command to create a Kubernetes secret named authsecret in the same namespace as your Ingress (the default namespace here). Traefik 1.x expects the secret to contain exactly one key holding the htpasswd file contents, so the key name (.htpasswd, taken from the file name) is fine:

kubectl create secret generic authsecret --from-file /etc/traefik/.htpasswd

Update your Traefik ingress yaml-file (openhab-traefik.yml below) according to the following. The auth-* annotations are the ones understood by the Traefik 1.x that older K3s releases bundle; auth-remove-header strips the Authorization header after a successful login so the credentials are never forwarded to openHAB. Note that the extensions/v1beta1 Ingress API was removed in Kubernetes 1.22, and K3s releases that ship Traefik 2 configure basic authentication through a BasicAuth Middleware instead of these annotations:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: openhab-production
  annotations:
    kubernetes.io/ingress.class: "traefik"
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/auth-type: basic
    traefik.ingress.kubernetes.io/auth-secret: authsecret
    ingress.kubernetes.io/custom-request-headers: "cookie: X-OPENHAB-AUTH-HEADER=true"
    ingress.kubernetes.io/custom-response-headers: "cookie: X-OPENHAB-AUTH-HEADER=true"
    ingress.kubernetes.io/auth-remove-header: "true"
spec:
  rules:
  - host: oh.domain.se
    http:
      paths:
      - path: /
        backend:
          serviceName: openhab-production
          servicePort: openhab-http
  tls:
  - hosts:
    - oh.domain.se
    secretName: oh-domain-se-tls

Apply the updated file:

kubectl apply -f openhab-traefik.yml
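What the auth-type, auth-secret and auth-remove-header annotations make Traefik do with each request, and what the authsecret created above looks like, as an added illustration that is not Traefik's code: it builds the Secret manifest the kubectl command produces, loads the htpasswd users back out of it, and runs the Basic-auth decision the way the ingress enforces it. The users, passwords and the Host header are constructed; the {SHA} format (htpasswd -s) is used only because it needs no third-party library, and the helper names are the example's own.

```python
# Added example (not Traefik's code): the Basic-auth check the ingress
# annotations configure, plus the shape of the Secret that
# `kubectl create secret generic ... --from-file` produces.
# Users and passwords below are constructed, not the page's.
import base64
import binascii
import hashlib
import hmac


def sha_entry(user: str, password: str) -> str:
    """An htpasswd line in `htpasswd -s` ({SHA}) format, used here only because
    it needs no third-party library. Prefer `htpasswd -B` (bcrypt) on the
    server: unsalted SHA-1 gives no protection against precomputed tables."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode('ascii')}"


def verify_password(stored: str, password: str) -> bool:
    """Check a password against one htpasswd hash field."""
    if stored.startswith("{SHA}"):
        digest = base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest())
        return hmac.compare_digest(stored[5:].encode("ascii"), digest)
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        try:
            import bcrypt  # third-party package; this is what `htpasswd -B` writes
        except ImportError:
            return False
        return bcrypt.checkpw(password.encode("utf-8"), stored.encode("ascii"))
    return False  # $apr1$ (htpasswd's default) is not implemented in this example


def parse_htpasswd(text: str) -> dict:
    """user -> hash field, skipping blank and comment lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            users[user] = stored
    return users


def secret_manifest(name: str, htpasswd_text: str, namespace: str = "default") -> dict:
    """Equivalent of `kubectl create secret generic <name> --from-file /etc/traefik/.htpasswd`:
    one data key named after the file, base64-encoded. Traefik 1.x reads the
    single key whatever its name, so .htpasswd is acceptable."""
    data = {".htpasswd": base64.b64encode(htpasswd_text.encode("utf-8")).decode("ascii")}
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name, "namespace": namespace}, "data": data}


def users_from_secret(manifest: dict) -> dict:
    if len(manifest["data"]) != 1:
        raise ValueError("auth secret must contain exactly one key")
    (encoded,) = manifest["data"].values()
    return parse_htpasswd(base64.b64decode(encoded).decode("utf-8"))


CHALLENGE = {"WWW-Authenticate": 'Basic realm="traefik"'}


def authenticate(headers: dict, users: dict) -> tuple:
    """Return (status, headers). 401 carries the challenge header; 200 carries
    the request headers with Authorization removed, which is what
    auth-remove-header: "true" does so the backend never sees the credentials."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not param:
        return 401, dict(CHALLENGE)
    try:
        creds = base64.b64decode(param.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return 401, dict(CHALLENGE)
    user, _, password = creds.partition(":")  # the password may itself contain ':'
    stored = users.get(user)
    if stored is None or not verify_password(stored, password):
        return 401, dict(CHALLENGE)
    return 200, {k: v for k, v in headers.items() if k.lower() != "authorization"}


def basic_header(user: str, password: str) -> dict:
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return {"Host": "oh.domain.se", "Authorization": "Basic " + token}


def demo() -> dict:
    # Constructed .htpasswd contents, as `htpasswd -s` would write them.
    htpasswd_text = sha_entry("admin", "correct horse") + "\n" + sha_entry("guest", "pa:ss") + "\n"
    users = users_from_secret(secret_manifest("authsecret", htpasswd_text))
    return {
        "good": authenticate(basic_header("admin", "correct horse"), users),
        "colon_in_password": authenticate(basic_header("guest", "pa:ss"), users)[0],
        "wrong_password": authenticate(basic_header("admin", "wrong"), users)[0],
        "unknown_user": authenticate(basic_header("nobody", "x"), users)[0],
        "no_header": authenticate({"Host": "oh.domain.se"}, users)[0],
        "garbage": authenticate({"Authorization": "Basic !!!"}, users)[0],
    }


if __name__ == "__main__":
    print(demo())
```

Because the Authorization header is only base64, not encrypted, the check is only as safe as the TLS in front of it: the tls: section of the Ingress and the Let's Encrypt certificate are what keep the username and password off the wire.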

Check that the Let's Encrypt certificate has been issued:

pi@k3s-master-1:~/openhab-production-k3s $ kubectl get certificates
NAME               READY   SECRET             AGE
oh-domain-se-tls   True    oh-domain-se-tls   39m

It can take up to a minute before READY is set to True. If it stays False, describe the Certificate and the Order and Challenge resources cert-manager creates for it; the usual cause is that the HTTP-01 challenge could not be reached on port 80 from the Internet.

Then try to access your site: the browser should prompt for the username and password you created, over a valid Let's Encrypt certificate.
