
Configuring Let's Encrypt with Traefik using Helm

I'm deploying Traefik to my Kubernetes cluster using Helm. Here's what I have at the moment:

helm upgrade --install load-balancer --wait --set ssl.enabled=true,ssl.enforced=true,acme.enabled=true,[email protected] stable/traefik

I'm trying to configure Let's Encrypt. According to this documentation, you add the domains to the bottom of the .toml file.

Looking at the code for the helm chart, there's no provision for such configuration.

Is there another way to do this or do I need to fork the chart to create my own variation of the .toml file?

Mitkins asked Feb 04 '23 07:02


2 Answers

Turns out this is the chicken and the egg problem, described here.

For the Helm chart, if acme.enabled is set to true, then Traefik will automatically generate and serve certificates for domains configured in Kubernetes ingress rules. This is the purpose of the onHostRule = true line in the yaml file (referenced above).

To use Traefik with Let's Encrypt, we have to create an A record in our DNS server that points to the IP address of our load balancer, which we can't do until Traefik is up and running. However, this configuration needs to exist before Traefik starts.

The only solution (at this stage) is to kill the first Pod after the A record configuration has propagated.

Mitkins answered Feb 11 '23 21:02
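The restart step described in the answer above, as an added example that is not part of the original answer: it waits until the host's A record resolves to the load balancer IP and only then deletes the Traefik pod. The Service name `<release>-traefik` and the pod labels `app=traefik,release=<release>` are assumptions about how the chart names its objects, and `example.com` is a placeholder host.

```shell
#!/bin/sh
# Added example, not part of the original answer.
# Assumptions: the Service is named "<release>-traefik", the pods carry the
# labels app=traefik,release=<release>, and the load balancer exposes an IP.

# Print the A records for a host, one per line (requires dig).
resolve_a() { dig +short A "$1"; }

# Succeed only if the expected IP is among the host's A records.
a_record_matches() {
  resolve_a "$1" | grep -qxF "$2"
}

# Poll until the record matches; give up after <tries> attempts.
wait_for_a_record() {
  host=$1; want=$2; tries=${3:-30}; delay=${4:-10}; i=0
  while [ "$i" -lt "$tries" ]; do
    a_record_matches "$host" "$want" && return 0
    i=$((i + 1))
    sleep "$delay"
  done
  return 1
}

main() {
  release=$1; host=$2
  ip=$(kubectl get svc "$release-traefik" \
        -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
  [ -n "$ip" ] || { echo "no load balancer IP assigned yet" >&2; return 1; }
  wait_for_a_record "$host" "$ip" ||
    { echo "A record for $host does not point at $ip" >&2; return 1; }
  # DNS now resolves, so restart Traefik as the answer describes; its
  # controller recreates the pod.
  kubectl delete pod -l "app=traefik,release=$release"
}

# Usage: ./restart-traefik.sh load-balancer example.com
if [ "$#" -ge 2 ]; then main "$@"; fi
```
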


Note that the stable/traefik chart now supports the ACME DNS-01 protocol. By using DNS it avoids the chicken and egg problem.

See: https://github.com/kubernetes/charts/tree/master/stable/traefik#example-aws-route-53

Dan Garthwaite answered Feb 11 '23 22:02