added letsencrypt with http challenge configuration for traefik #37
Conversation
|
I think you should also allow overriding the |
| - "--certificatesresolvers.le.acme.httpchallenge=true" | ||
| - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web" | ||
| - "--certificatesresolvers.le.acme.email=${traefik_acme_email}" | ||
| - "--certificatesresolvers.le.acme.storage=/data/acme.json" |
There was a problem hiding this comment.
Maybe just use acme.json instead of /data/acme.json, both will work definitely but the former is how they do it on one Traefik example.
Anyways, this file will not be saved permanently, so if the pod restarts it will reissue a certificate (according to this article). But I believe that's not a problem.
I think a way to have the file saved permanently would be to let cert-manager do the certificate fetching and storing as a Kubernetes TLS secret, then they can be used inside of an ingress definition like the certificates we add manually.
There was a problem hiding this comment.
@mysticaltech Actually I started with acme.json but this didn't work, I had the following error on the traffic pod when I runned it:
is skipped from the resolvers list because: unable to get ACME account: open acme.json: read-only file system
I don't know really know why but storing it in the /data emptydir volume fixed it
|
Love this proposal @Olivierwenger, thanks! It's definitely useful to have the option to configure it out of the box. |
@mnencia Indeed, having the option to start with staging would be good. And later one can re-apply the generated HelmChartConfig without the line in question:
|
|
@Olivierwenger I can add the staging option later no worries, as soon as you confirm that all works, we can merge this. |
owngr
force-pushed
the
feature/add-tls
branch
from
f2d8a2e
to
c8de6ed
Compare
|
@mysticaltech I tested @mnencia proposed changes and it works. I just force pushed to change the |
|
@Olivierwenger The |
Co-authored-by: Marco Nenciarini <mnencia@kcore.it>
owngr
force-pushed
the
feature/add-tls
branch
from
dbcd45a
to
23d1738
Compare
|
@mysticaltech done, it should work now |
|
Awesome! Thanks again for this nice contribution @Olivierwenger! 🙏 |
|
Hey this is great - is there any way some documentation could be added to readme on how to use this though? Ideally, how do you create the Ingress after these options are enabled -- both for subdomains (e.g., blog.mysite.com) as well as the Ingress for the root (mysite.com)? @Olivierwenger |
|
@TimHeckel Yep I'll try to provide an example to test it. Would it be better to use Ingress or IngressRoute ? |
|
Hi Oliver - for my money I think Ingress, just cause people may want to swap Traefik out for something, but if IngressRoute is what's working - then by all means just use that. Thanks! |
|
Both should work folks, it's just a matter of taste IMHO. Indeed, using Ingress definitions is more portable, as ingress routes are specific to Traefik. |
I added two optional variables
traefik_acme_tlsandtraefik_acme_emailto enable TLS with letsencrypt, this will directly create a prod acme. I chose the http Challenge as it isn't dependent on the DNS provider.I noticed afterwards that some people already changed their config the same way after I finished the modification #18 so I don't know if my PR is really relevant, please remove it if it isn't how you want to do it.