How to Deploy Traefik Ingress with HTTPS and Wildcard TLS in GKE

This guide walks you through setting up a Google Kubernetes Engine (GKE) cluster with Traefik as an Ingress controller, enabling HTTPS for multiple subdomains using Let’s Encrypt wildcard certificates via cert-manager.


🚀 Step 1: Create a GKE Cluster

🔄 Note: Replace premsvmm-k8s with your preferred Kubernetes cluster name.

gcloud container clusters create premsvmm-k8s \
  --zone asia-south1-a \
  --machine-type e2-medium \
  --num-nodes 2 \
  --enable-ip-alias

🧱 Step 2: Create a Namespace for Traefik

kubectl create namespace traefik

🌐 Step 3: Install Traefik Ingress Controller

helm repo add traefik https://traefik.github.io/charts
helm repo update

helm install traefik traefik/traefik \
  --namespace traefik \
  --create-namespace \
  --set service.type=LoadBalancer \
  --set ports.web.port=8000 \
  --set ports.websecure.port=8443 \
  --set "entryPoints.web.address=:8000" \
  --set "entryPoints.web.http.redirections.entryPoint.to=websecure" \
  --set "entryPoints.web.http.redirections.entryPoint.scheme=https" \
  --set "entryPoints.web.http.redirections.entryPoint.permanent=true" \
  --set "entryPoints.websecure.address=:8443" \
  --set "securityContext.capabilities.drop[0]=ALL" \
  --set securityContext.runAsGroup=65532 \
  --set securityContext.runAsUser=65532 \
  --set securityContext.runAsNonRoot=true \
  --set dashboard.enabled=true \
  --set ingressRoute.dashboard.enabled=true \
  --set crds.enabled=true

🧭 Step 4: Create Dashboard IngressRoute

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.k8s.premsvmm.xyz`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService

🌍 Step 5: Configure DNS A Record

Run the following command:

kubectl get svc -n traefik

The output lists the Traefik LoadBalancer service and its external IP (the EXTERNAL-IP column). Copy the external IP and update your DNS record accordingly.

🔒 Step 6: Install cert-manager for Auto TLS

helm repo add jetstack https://charts.jetstack.io
helm repo update

kubectl create namespace cert-manager

helm install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --set installCRDs=true
  	

🛂 Step 7: Configure DNS-01 Challenge via Cloud DNS

Create a GCP service account and bind the DNS Admin role (replace prem-1516640837807 with your own project ID):

gcloud iam service-accounts create cert-manager-dns01-solver \
  --display-name "cert-manager dns01 solver"

gcloud projects add-iam-policy-binding prem-1516640837807 \
  --member "serviceAccount:cert-manager-dns01-solver@prem-1516640837807.iam.gserviceaccount.com" \
  --role "roles/dns.admin"

gcloud iam service-accounts keys create key.json \
  --iam-account cert-manager-dns01-solver@prem-1516640837807.iam.gserviceaccount.com

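Create a Kubernetes Secret for the key. key.json holds the service account's private key, and with roles/dns.admin bound at project level it can change every Cloud DNS zone in the project, so keep the file out of version control: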

kubectl create secret generic clouddns-dns01-solver-sa \
  --from-file=key.json=key.json \
  -n cert-manager

🔐 Step 8: Create ClusterIssuer for Let’s Encrypt

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns
spec:
  acme:
    email: prem.svmm@gmail.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-dns-account-key
    solvers:
    - dns01:
        cloudDNS:
          project: prem-1516640837807
          serviceAccountSecretRef:
            name: clouddns-dns01-solver-sa
            key: key.json

Apply it with:

kubectl apply -f cluster-issuer.yaml

📄 Step 9: Request a Wildcard TLS Certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ssl-cret
  namespace: traefik
spec:
  secretName: ssl-cret
  issuerRef:
    name: letsencrypt-dns
    kind: ClusterIssuer
  commonName: "*.k8s.premsvmm.xyz"
  dnsNames:
    - "*.k8s.premsvmm.xyz"
    - "k8s.premsvmm.xyz"
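
Both dnsNames entries are needed because a wildcard stands for exactly one label: it covers app1.k8s.premsvmm.xyz, but not k8s.premsvmm.xyz itself and not names one level deeper. The shell check below is an added example, not part of the original guide; the SAN list is copied from the Certificate above and the extra probe hostnames are constructed.

```bash
# Added example: which hostnames do the Step 9 dnsNames cover?
# SANS is copied from the Certificate above; probe hostnames are constructed.
SANS='*.k8s.premsvmm.xyz k8s.premsvmm.xyz'

# san_matches HOST PATTERN: succeed if PATTERN covers HOST.
# A wildcard is honoured only as the whole leftmost label and stands for
# exactly one label, so it matches neither the apex nor deeper subdomains.
san_matches() (
  host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  pattern=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  host=${host%.}                       # tolerate a trailing root dot
  case $pattern in
    \*.*)
      suffix=${pattern#\*}             # ".k8s.premsvmm.xyz"
      label=${host%%.*}                # leftmost label of the host
      rest=${host#"$label"}            # everything after that label
      [ -n "$label" ] && [ "$label" != "$host" ] && [ "$rest" = "$suffix" ]
      ;;
    *) [ "$host" = "$pattern" ] ;;
  esac
)

# cert_covers HOST: succeed if any entry in SANS covers HOST.
cert_covers() {
  set -f                               # keep "*" in SANS from globbing
  for san in $SANS; do
    if san_matches "$1" "$san"; then set +f; return 0; fi
  done
  set +f
  return 1
}

# coverage_report HOST...: print one "host covered|NOT covered" line each.
coverage_report() {
  for h in "$@"; do
    if cert_covers "$h"; then echo "$h covered"; else echo "$h NOT covered"; fi
  done
}

coverage_report traefik.k8s.premsvmm.xyz app1.k8s.premsvmm.xyz \
  k8s.premsvmm.xyz api.app1.k8s.premsvmm.xyz premsvmm.xyz
```

Once the certificate is issued, the SAN list actually stored in the secret can be read with: kubectl get secret ssl-cret -n traefik -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -ext subjectAltName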
     

🔄 Step 10: Update Traefik Dashboard for HTTPS

apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.k8s.premsvmm.xyz`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    secretName: ssl-cret

You can now access your secure dashboard at:

🔗 https://traefik.k8s.premsvmm.xyz

Step 11: Create App Namespace and Deploy Your Service

kubectl create namespace app

🚀 Step 12: Deploy Sample App with HTTPS IngressRoute

# app1-deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app1-deployment
  namespace: app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app1
  template:
    metadata:
      labels:
        app: app1
    spec:
      containers:
      - name: whoami
        image: traefik/whoami
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: app1-service
  namespace: app
spec:
  selector:
    app: app1
  ports:
  - protocol: TCP
    port: 80
    targetPort: 80
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: app1-ingressroute
  namespace: app
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`app1.k8s.premsvmm.xyz`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: app1-service
          port: 80
  tls:
    secretName: ssl-cret
    

✅ You can now access your app securely at

🔗 https://app1.k8s.premsvmm.xyz
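
Kubernetes Secrets are namespaced: cert-manager writes ssl-cret into the Certificate's namespace (traefik), while Traefik looks up an IngressRoute's tls.secretName in the IngressRoute's own namespace. The check below is an added example, not part of the original guide; it reads a constructed abbreviation of the Step 9, 10 and 12 manifests and assumes their flat field layout rather than parsing YAML in general.

```bash
# Added example. Constructed abbreviation of the Step 9, 10 and 12 manifests,
# keeping only the fields the check reads.
page_manifests() {
  cat <<'EOF'
kind: Certificate
metadata:
  name: ssl-cret
  namespace: traefik
spec:
  secretName: ssl-cret
---
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  tls:
    secretName: ssl-cret
---
kind: IngressRoute
metadata:
  name: app1-ingressroute
  namespace: app
spec:
  tls:
    secretName: ssl-cret
EOF
}

# Read multi-document YAML on stdin; print "route namespace/secret" for every
# IngressRoute with no Certificate writing that secret in its own namespace.
routes_without_local_cert() {
  awk '
    function end_doc() {
      if (kind == "Certificate" && sec != "") have[ns "/" sec] = 1
      if (kind == "IngressRoute" && sec != "") { n++; rn[n] = name; rk[n] = ns "/" sec }
      kind = ""; name = ""; ns = "default"; sec = ""; meta = 0
    }
    BEGIN { ns = "default" }
    /^---/ { end_doc(); next }
    /^[^ #]/ { meta = ($1 == "metadata:") }
    /^kind:/ { kind = $2 }
    meta && $1 == "name:" { name = $2 }
    meta && $1 == "namespace:" { ns = $2 }
    $1 == "secretName:" { sec = $2 }
    END { end_doc(); for (i = 1; i <= n; i++) if (!(rk[i] in have)) print rn[i], rk[i] }
  '
}
page_manifests | routes_without_local_cert
```

For each route it lists, either issue a Certificate with the same secretName in that route's namespace, or serve the wildcard as Traefik's default certificate through a TLSStore.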

🧹 Optional: Delete the Cluster

gcloud container clusters delete premsvmm-k8s \
  --zone asia-south1-a