LAB16a: Deploying Stateful Application

LAB 200: Deploying Stateful Application

Installing Guestbook Application

Install Frontend

cd frontend

kubectl apply -f configmap.yaml
kubectl apply -f service.yaml
kubectl apply -f deployment.yaml

Install Backend

cd ../backend

kubectl apply -f secret.yaml
kubectl apply -f configmap.yaml
kubectl apply -f service.yaml
kubectl apply -f deployment.yaml

Deploy database

cd ../database

kubectl apply -f secret.yaml
kubectl apply -f service.yaml
kubectl apply -f deployment.yaml

Install Ingress

cd ..

kubectl apply -f ingress.yaml

Test the app

Next let's configure ssl

Create Your Own CA and TLS Certificates

We’ll generate:

CA private key
CA certificate
Server private key
Server CSR
Server certificate signed by CA (for guestbook.frontend.laliguras.hotel)

— Create CA Private Key

openssl genrsa -out ca.key 4096

— Create CA Certificate

openssl req -x509 -new -nodes \
  -key ca.key \
  -sha256 -days 3650 \
  -out ca.crt \
  -subj "/C=NP/ST=Bagmati/L=Kathmandu/O=MyCA Ltd/CN=My-Root-CA"

This is your root certificate authority.

— Generate Server Private Key

openssl genrsa -out tls.key 2048

— Create CSR (Certificate Signing Request)

openssl req -new \
  -key tls.key \
  -out tls.csr \
  -subj "/C=NP/ST=Bagmati/L=Kathmandu/O=MyServer/CN=guestbook.frontend.laliguras.hotel"

—Create SAN Config File (Recommended)

Create san.cnf:

subjectAltName = @alt_names

[alt_names]
DNS.1 = guestbook.frontend.laliguras.hotel
DNS.2 = guestbook.backend.laliguras.hotel

— Sign Server Certificate With Your CA

openssl x509 -req \
  -in tls.csr \
  -CA ca.crt \
  -CAkey ca.key \
  -CAcreateserial \
  -out tls.crt \
  -days 365 \
  -sha256 \
  -extfile san.cnf

Resulting files:

tls.key → Server private key
tls.crt → Server certificate
ca.crt → CA certificate

Create Kubernetes TLS Secret

Using kubectl command

kubectl create secret tls nginx-tls-secret \
  --cert=tls.crt \
  --key=tls.key

Update Ingress to use HTTPS

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guestbook-guestbook-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  rules:
  ingressClassName: nginx
  tls:
    - hosts:
        - guestbook.frontend.laliguras.hotel
        - guestbook.backend.laliguras.hotel
      secretName: nginx-tls-secret
  - host: guestbook.frontend.laliguras.hotel
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: guestbook-frontend
            port: 
              number: 80
  - host: guestbook.backend.laliguras.hotel
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: guestbook-backend
            port:
              number: 80

::: spoiler traefik ingress configuration Here is the Traefik equivalent of your NGINX Ingress.

Traefik does NOT use annotations for SSL redirect or advanced routing—most capabilities are automatic or moved into Middleware.

You’re expecting Traefik to route requests to your guestbook app, but your Ingress is configured for NGINX, not Traefik.

Let’s break down the issue and give you the correct Traefik config.

Fix: Change your Ingress to use Traefik

Replace:

ingressClassName: nginx

WITH:

ingressClassName: traefik

Traefik’s default ingress class in K3s is usually "traefik".

Correct Ingress for Traefik

Use this:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guestbook-guestbook-ingress
  namespace: guestbook-dev
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
  ingressClassName: traefik
  rules:
  - host: guestbook.frontend.deepak.hotel
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: guestbook-frontend
            port:
              number: 80
  - host: guestbook.backend.deepak.hotel
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: guestbook-backend
            port:
              number: 80

Verify Traefik is receiving the Ingress

Before applying:

kubectl get ingressclass

Expected output:

NAME      CONTROLLER
traefik   traefik.io/ingress-controller

Test again:

curl -H "Host: guestbook.frontend.deepak.hotel" http://44.192.46.248

You should now get the frontend response.

TLS Configuration

✅ Secret name: nginx-tls-secret ✅ TLS hosts:

guestbook.frontend.deepak.hotel
guestbook.backend.deepak.hotel ✅ IngressClass: traefik ✅ EntryPoints: websecure (port 443)

Traefik TLS Ingress (Using Your Secret)

Apply this:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: guestbook-guestbook-ingress
  namespace: guestbook-dev
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  ingressClassName: traefik

  tls:
  - secretName: nginx-tls-secret
    hosts:
      - guestbook.frontend.deepak.hotel
      - guestbook.backend.deepak.hotel

  rules:
  - host: guestbook.frontend.deepak.hotel
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: guestbook-frontend
            port:
              number: 80

  - host: guestbook.backend.deepak.hotel
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: guestbook-backend
            port:
              number: 80

HTTP → HTTPS redirect, use this annotation:

Add this:

traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
traefik.ingress.kubernetes.io/router.middlewares: guestbook-dev-redirect@kubernetescrd

Create Middleware:

apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: redirect
  namespace: guestbook-dev
spec:
  redirectScheme:
    scheme: https
    permanent: true

This forces automatic redirect.

Test the Ingress

HTTPS:

curl -vk https://guestbook.frontend.deepak.hotel \
  --resolve guestbook.frontend.deepak.hotel:443:44.192.46.248

Backend:

curl -vk https://guestbook.backend.deepak.hotel \
  --resolve guestbook.backend.deepak.hotel:443:44.192.46.248

To enable access log in the Traefik controller

Update Traefik static pod

sudo nano /var/lib/rancher/k3s/server/manifests/traefik.yaml

---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik-crd
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-crd-37.1.1+up37.1.0.tgz
---
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
  name: traefik
  namespace: kube-system
spec:
  chart: https://%{KUBERNETES_API}%/static/charts/traefik-37.1.1+up37.1.0.tgz
  set:
    global.systemDefaultRegistry: ""
  valuesContent: |-
    deployment:
      podAnnotations:
        prometheus.io/port: "8082"
        prometheus.io/scrape: "true"

    # THIS IS THE ONLY GUARANTEED WAY FOR LOGGING IN K3s TRAEFIK
    additionalArguments:
      - "--log.level=INFO"
      - "--log.format=json"
      - "--accesslog=true"
      - "--accesslog.format=json"
      - "--accesslog.fields.defaultmode=keep"
      - "--accesslog.fields.headers.defaultmode=keep"

    providers:
      kubernetesIngress:
        publishedService:
          enabled: true

    priorityClassName: "system-cluster-critical"

    image:
      repository: "rancher/mirrored-library-traefik"
      tag: "3.5.1"

    tolerations:
    - key: "CriticalAddonsOnly"
      operator: "Exists"
    - key: "node-role.kubernetes.io/control-plane"
      operator: "Exists"
      effect: "NoSchedule"
    - key: "node-role.kubernetes.io/master"
      operator: "Exists"
      effect: "NoSchedule"

    service:
      ipFamilyPolicy: "PreferDualStack"

Apply the Updated Config

kubectl delete pod -n kube-system -l app.kubernetes.io/name=traefik

Check logs

kubectl logs -n kube-system deploy/traefik -f

:::

Also update backend url in frontend configmap

backend_uri: "https://guestbook.backend.laliguras.hotel:30334/guestbook"

Next let's configure external Loadbalancer

HA Proxy loadbalancer configuration guide here

Let's Test

kubectl exec guestbook-database-68d6c7c9c5-kcrwd -c guestbook-database -- /bin/sh -c "kill 1"

Let's use `EmptyDir` volume and test

Database deployment snippet

    . . .
    volumemounts:
      - name: mongodb-volume
        mountPath: /data/db
  volumes:
    - name: mongodb-volume
      emptyDir: {}

Let's configure NFS storage for dynamic storage provisioning with Storageclass

Nfs storage provisioner setup

Configuring Mongodb replica

kubectl exec -it guestbook-database-0 mongo

rs.status()
rs.initiate(
  {_id:'rs0',
   members:[ { _id:0, host:'guestbook-database-0.guestbook-database:27017'},
             { _id:1, host:'guestbook-database-1.guestbook-database:27017'},
             { _id:2, host:'guestbook-database-2.guestbook-database:27017'}]
   });
rs.status()
db.createUser({user:"admin",pwd:"password",roles:[{db:"admin",role:"root"}]})

Check mongodb read/write workload balancing

kubectl exec -it guestbook-database-0 -- mongostat --discover -i -o=host,query,insert,update

PreviousLAB16: HA Proxy Load Balancer NextLAB17: Minio Setup and Access

Last updated 1 month ago

Good night

hashtagLAB 200: Deploying Stateful Application

hashtagInstalling Guestbook Application

hashtagNext let's configure ssl

hashtagCreate Your Own CA and TLS Certificates

hashtagCreate Kubernetes TLS Secret

hashtagTLS Configuration

hashtagNext let's configure external Loadbalancer

hashtagLet's Test

hashtagLet's use EmptyDir volume and test

hashtagLet's configure NFS storage for dynamic storage provisioning with Storageclass

hashtagConfiguring Mongodb replica