added letsencrypt configuration for traefik

kube-hetzner · Feb 2, 2022 · c8de6ed · c8de6ed
1 parent d722c0e
commit c8de6ed
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 3 deletions.
diff --git a/main.tf b/main.tf
@@ -166,9 +166,11 @@ resource "local_file" "hetzner_csi_config" {
 
 resource "local_file" "traefik_config" {
   content = templatefile("${path.module}/templates/traefik_config.yaml.tpl", {
-    lb_disable_ipv6 = var.lb_disable_ipv6
-    lb_server_type  = var.lb_server_type
-    location        = var.location
+    lb_disable_ipv6     = var.lb_disable_ipv6
+    lb_server_type      = var.lb_server_type
+    location            = var.location
+    traefik_acme_tls    = var.traefik_acme_tls
+    traefik_acme_email  = var.traefik_acme_email
   })
   filename             = "${path.module}/templates/rendered/traefik_config.yaml"
   file_permission      = "0644"

diff --git a/templates/traefik_config.yaml.tpl b/templates/traefik_config.yaml.tpl
@@ -24,3 +24,9 @@ spec:
       - "--entryPoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,10.0.0.0/8"
       - "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
       - "--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
+%{ if traefik_acme_tls ~}
+      - "--certificatesresolvers.le.acme.httpchallenge=true"
+      - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
+      - "--certificatesresolvers.le.acme.email=${traefik_acme_email}"
+      - "--certificatesresolvers.le.acme.storage=/data/acme.json"
+%{ endif ~}
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
@@ -25,3 +25,7 @@ agents_num                = 2
 # that is probably the more "vanilla" option to keep these components always updated. 
 # hetzner_ccm_containers_latest = true
 # hetzner_csi_containers_latest = true
+
+# If you want to use letsencrypt with tls Challenge, the email address is used to send you certificates expiration notices
+# traefik_acme_tls = true
+# traefik_acme_email = "mail@example.com"
diff --git a/variables.tf b/variables.tf
@@ -78,3 +78,16 @@ variable "hetzner_csi_containers_latest" {
   default     = false
   description = "Whether to kustomize the Hetzner CSI manifest with the latest or canary tags for containers"
 }
+
+variable "traefik_acme_tls" {
+  type        = bool
+  default     = false
+  description = "Wheter to include the TLS configuration with the Traefik configuration"
+}
+
+variable "traefik_acme_email" {
+  type        = string
+  default     = false
+  description = "Email used to recieved expiration notice for certificate"
+}
+