Deploying Globaleaks on Kubernetes Using Helm with Traefik Ingress Controller

Deploying applications on Kubernetes can be a complex task, but with the help of Helm charts, the process becomes more manageable and reproducible. In this guide, we’ll walk through deploying Globaleaks, an open-source whistleblowing platform, on a local Kubernetes cluster using Helm. We’ll utilize Traefik as our ingress controller, suitable for both k3sand Rancher Desktop environments.

Additionally, we’ll cover how to ensure that ports 8080 and 8443 are open on your machine to allow external access, including specific instructions for both Windows and macOS users. We’ll also address the importance of setting the Docker image to the correct platform to avoid runtime errors.

Table of Contents

1. Prerequisites
2. Setting Up the Helm Chart
3. Creating values.yaml
4. Configuring the Deployment
5. Setting Up the Service
6. Persistent Storage with PVC
7. Ingress Configuration with Traefik
8. TLS with Self-Signed Certificate
9. Ensuring Correct Platform Image
10. Opening Required Ports
    • On Windows
    • On macOS
11. Deploying the Helm Chart
12. Conclusion

Prerequisites

Before proceeding, ensure you have the following:

• Kubernetes Cluster: A local Kubernetes cluster set up using either k3s or Rancher Desktop.
• Helm: Installed and configured on your machine. Install it here.
• kubectl: Configured to interact with your Kubernetes cluster.
• Traefik Ingress Controller: Installed in your Kubernetes cluster. For k3s, Traefik is included by default. For Rancher Desktop, you can enable it via the UI or CLI.
• Docker: Installed and configured for building images.
• Administrator Access: On your local machine to open firewall ports.

Setting Up the Helm Chart

First, create a new Helm chart for Globaleaks:

helm create globaleaks

This command generates a scaffold of directories and files which we’ll customize.

Creating values.yaml

Replace the contents of globaleaks/values.yaml with the following:

replicaCount: 1

image:
 repository: ristabel/globaleaks
 tag: v1.0
 pullPolicy: IfNotPresent

service:
 type: ClusterIP
 ports:
 - port: 80
 targetPort: 8080
 name: http
 - port: 443
 targetPort: 8443
 name: https

pvc:
 storage: 100Mi

ingressRoute:
 host: "your.example.com" # Replace with your domain or use localhost for testing
 secretName: "globaleaks-tls"
 serversTransportName: "globaleaks-transport"

certificate:
 commonName: "your.example.com" # Replace with your domain
 dnsNames:
 - "your.example.com" # Replace with your domain

issuerName: "selfsigned-issuer"

Note: Replace your.example.com with your actual domain or localhost if you’re testing locally.

Configuring the Deployment

In globaleaks/templates/deployment.yaml, define the Deployment resource:

apiVersion: apps/v1
kind: Deployment
metadata:
 name: {{ .Release.Name }}
 labels:
 app: {{ .Release.Name }}
spec:
 replicas: {{ .Values.replicaCount }}
 selector:
 matchLabels:
 app: {{ .Release.Name }}
 strategy:
 type: Recreate
 template:
 metadata:
 labels:
 app: {{ .Release.Name }}
 spec:
 containers:
 - name: {{ .Release.Name }}
 image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
 ports:
 - containerPort: 8080
 protocol: TCP
 - containerPort: 8443
 protocol: TCP
 volumeMounts:
 - mountPath: /var/globaleaks
 name: globaleaks-storage
 volumes:
 - name: globaleaks-storage
 persistentVolumeClaim:
 claimName: {{ .Release.Name }}
 restartPolicy: Always

Setting Up the Service

In globaleaks/templates/service.yaml, define the Service resource:

apiVersion: v1
kind: Service
metadata:
 name: {{ .Release.Name }}
 labels:
 app: {{ .Release.Name }}
spec:
 type: {{ .Values.service.type }}
 ports:
 {{- range .Values.service.ports }}
 - port: {{ .port }}
 targetPort: {{ .targetPort }}
 name: {{ .name }}
 {{- end }}
 selector:
 app: {{ .Release.Name }}

Persistent Storage with PVC

In globaleaks/templates/pvc.yaml, define the PersistentVolumeClaim:

apiVersion: v1
kind: PersistentVolumeClaim
metadata:
 name: {{ .Release.Name }}
spec:
 accessModes:
 - ReadWriteOnce
 resources:
 requests:
 storage: {{ .Values.pvc.storage }}

Ingress Configuration with Traefik

In globaleaks/templates/ingressroute.yaml, define the IngressRoute for Traefik:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
 name: {{ .Release.Name }}-ingressroute
spec:
 entryPoints:
 - websecure
 routes:
 - match: Host(`{{ .Values.ingressRoute.host }}`)
 services:
 - name: {{ .Release.Name }}
 port: 443
 scheme: https
 serversTransport: {{ .Values.ingressRoute.serversTransportName }}
 tls:
 secretName: {{ .Values.ingressRoute.secretName }}

Also, define the ServersTransport in templates/serverstransport.yaml:

apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
 name: {{ .Values.ingressRoute.serversTransportName }}
spec:
 insecureSkipVerify: true

TLS with Self-Signed Certificate

We’ll use cert-manager to handle TLS certificates. Define the Certificate in templates/certificate.yaml:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
 name: {{ .Release.Name }}-certificate
spec:
 secretName: {{ .Values.ingressRoute.secretName }}
 issuerRef:
 kind: Issuer
 name: {{ .Values.issuerName }}
 commonName: {{ .Values.certificate.commonName }}
 dnsNames:
 {{- range .Values.certificate.dnsNames }}
 - {{ . }}
 {{- end }}

And the Issuer in templates/issuer.yaml:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
 name: {{ .Values.issuerName }}
spec:
 selfSigned: {}

Note: Ensure that cert-manager is installed in your cluster. You can install it by following the instructions here.

Ensuring Correct Platform Image

The Docker image must match your system’s architecture to avoid errors like exec format error. If you’re on an amd64system (common for most PCs), ensure the image is built for amd64.

If the provided image is for arm64 (common for Apple M1/M2 or Raspberry Pi), you may need to rebuild the image:

docker buildx build --platform linux/amd64 -t ristabel/globaleaks:v1.0 .

This command rebuilds the image for the amd64 platform.

For windows you can use the image ristabel/globaleaks:v1.1

Opening Required Ports

To allow external access to your application, ensure that ports 8080 and 8443 are open on your machine.

On Windows

Run the following commands in PowerShell with administrator privileges:

# powershell
New-NetFirewallRule -DisplayName "Allow Port 8080" -Direction Inbound -Protocol TCP -LocalPort 8080 -Action Allow
New-NetFirewallRule -DisplayName "Allow Port 8443" -Direction Inbound -Protocol TCP -LocalPort 8443 -Action Allow

These commands create new firewall rules that allow inbound TCP traffic on ports 8080 and 8443.

On macOS

On macOS, you can enable ports through the firewall settings:

1. Open System Preferences > Security & Privacy > Firewall.
2. Click the Firewall Options button.
3. Click the + button to add an application (e.g., Terminal or Docker) that will receive incoming connections on these ports.
4. Alternatively, configure the built-in pf firewall:bashCopy code. sudo pfctl -e echo "pass in proto tcp from any to any port {8080,8443}" | sudo pfctl -f -

Note: Use caution when modifying firewall settings. Ensure you understand the security implications.

Deploying the Helm Chart

With all configurations in place, deploy the Helm chart:

helm install globaleaks ./globaleaks

This command installs the globaleaks release into your Kubernetes cluster.

Conclusion

By following this guide, you’ve successfully deployed Globaleaks on your local Kubernetes cluster using a custom Helm chart and Traefik as the ingress controller. You’ve also ensured that the necessary ports are open on your machine, and the Docker image matches your system’s architecture.

This setup provides a solid foundation for further customization and scaling. You can adjust the values.yaml file to suit different environments or requirements.

Troubleshooting Tips

• Image Architecture Mismatch: If you encounter an exec format error, rebuild the Docker image for your platform as mentioned above.
• Port Accessibility: Ensure no other applications are using ports 8080 or 8443.
• Traefik Not Routing Traffic: Verify that Traefik is correctly installed and configured in your cluster.
• Certificate Issues: Check that cert-manager is installed and the Issuer and Certificate resources are correctly defined.

References

• Helm Documentation
• Traefik Documentation
• cert-manager Documentation
• Docker Buildx Documentation
• Opening Ports on Windows Firewall
• pfctl Man Page

By automating your deployments with Helm and ensuring proper configurations, you make your Kubernetes deployments more reliable and maintainable. Happy deploying!