added letsencrypt with http challenge configuration for traefik #37

Merged: 4 commits, Feb 3, 2022
8 changes: 0 additions & 8 deletions README.md
@@ -155,14 +155,6 @@ Any contributions you make are **greatly appreciated**.
4. Push to the Branch (`git push origin AmazingFeature`)
5. Open a Pull Request

<!-- CONTACT -->

## Contributors

- Karim Naufal - [@mysticaltech](https://github.com/mysticaltech)
- Dennis Hoppe - [@dhoppe](https://github.com/dhoppe)
- Paul Härle - [@phaer](https://github.com/phaer)

<!-- ACKNOWLEDGEMENTS -->

## Acknowledgements
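Review bot: dropping the whole "Contributors" section from README.md is unrelated to the Let's Encrypt configuration this PR is about. If it is a rebase or merge artifact, restore the section; if it is intentional, say so in the PR description so the removal is reviewed on its own merits.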
13 changes: 7 additions & 6 deletions agents.tf
@@ -2,12 +2,13 @@ resource "hcloud_server" "agents" {
count = var.agents_num
name = "k3s-agent-${count.index}"

image = data.hcloud_image.linux.name
rescue = "linux64"
server_type = var.agent_server_type
location = var.location
ssh_keys = [hcloud_ssh_key.default.id]
firewall_ids = [hcloud_firewall.k3s.id]
image = data.hcloud_image.linux.name
rescue = "linux64"
server_type = var.agent_server_type
location = var.location
ssh_keys = [hcloud_ssh_key.default.id]
firewall_ids = [hcloud_firewall.k3s.id]
placement_group_id = hcloud_placement_group.k3s_placement_group.id


labels = {
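Review bot: the `placement_group_id` addition is outside the PR's stated scope (Let's Encrypt for Traefik) and the identical edit is repeated in master.tf and servers.tf; consider moving the placement-group work into its own PR so the TLS change can be reviewed in isolation. The other six lines in this hunk (`image` through `firewall_ids`) change only whitespace alignment; running `terraform fmt` as a separate commit keeps the functional diff readable.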
18 changes: 15 additions & 3 deletions main.tf
@@ -166,11 +166,23 @@ resource "local_file" "hetzner_csi_config" {

resource "local_file" "traefik_config" {
content = templatefile("${path.module}/templates/traefik_config.yaml.tpl", {
lb_disable_ipv6 = var.lb_disable_ipv6
lb_server_type = var.lb_server_type
location = var.location
lb_disable_ipv6 = var.lb_disable_ipv6
lb_server_type = var.lb_server_type
location = var.location
traefik_acme_tls = var.traefik_acme_tls
traefik_acme_email = var.traefik_acme_email
})
filename = "${path.module}/templates/rendered/traefik_config.yaml"
file_permission = "0644"
directory_permission = "0755"
}


resource "hcloud_placement_group" "k3s_placement_group" {
name = "k3s-placement-group"
type = "spread"
labels = {
"provisioner" = "terraform",
"engine" = "k3s"
}
}
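Review bot: `hcloud_placement_group.k3s_placement_group` is a single `spread` group that every control plane and agent now joins. Hetzner limits how many servers one spread placement group may contain, so either document that `var.servers_num + var.agents_num` must stay under that limit or add a `validation` block, otherwise `terraform apply` fails late with a provider error rather than at plan time. Also worth noting for the `traefik_config` block: the rendered file (`file_permission = "0644"`) now carries the ACME contact address via `traefik_acme_email`; a contact e-mail is fine in a world-readable file, but keep it in mind before templating anything more sensitive into the same file.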
13 changes: 7 additions & 6 deletions master.tf
@@ -1,12 +1,13 @@
resource "hcloud_server" "first_control_plane" {
name = "k3s-control-plane-0"

image = data.hcloud_image.linux.name
rescue = "linux64"
server_type = var.control_plane_server_type
location = var.location
ssh_keys = [hcloud_ssh_key.default.id]
firewall_ids = [hcloud_firewall.k3s.id]
image = data.hcloud_image.linux.name
rescue = "linux64"
server_type = var.control_plane_server_type
location = var.location
ssh_keys = [hcloud_ssh_key.default.id]
firewall_ids = [hcloud_firewall.k3s.id]
placement_group_id = hcloud_placement_group.k3s_placement_group.id

labels = {
"provisioner" = "terraform",
13 changes: 7 additions & 6 deletions servers.tf
@@ -2,12 +2,13 @@ resource "hcloud_server" "control_planes" {
count = var.servers_num - 1
name = "k3s-control-plane-${count.index + 1}"

image = data.hcloud_image.linux.name
rescue = "linux64"
server_type = var.control_plane_server_type
location = var.location
ssh_keys = [hcloud_ssh_key.default.id]
firewall_ids = [hcloud_firewall.k3s.id]
image = data.hcloud_image.linux.name
rescue = "linux64"
server_type = var.control_plane_server_type
location = var.location
ssh_keys = [hcloud_ssh_key.default.id]
firewall_ids = [hcloud_firewall.k3s.id]
placement_group_id = hcloud_placement_group.k3s_placement_group.id

labels = {
"provisioner" = "terraform",
5 changes: 5 additions & 0 deletions templates/traefik_config.yaml.tpl
@@ -24,3 +24,8 @@ spec:
- "--entryPoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,10.0.0.0/8"
- "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
- "--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
%{ if traefik_acme_tls ~}
- "--certificatesresolvers.le.acme.tlschallenge=true"
- "--certificatesresolvers.le.acme.email=${traefik_acme_email}"
- "--certificatesresolvers.le.acme.storage=/data/acme.json"
@mysticaltech (Collaborator), Feb 2, 2022:
Maybe just use acme.json instead of /data/acme.json; both will definitely work, but the former is how they do it in one Traefik example.

Anyways, this file will not be saved permanently, so if the pod restarts it will reissue a certificate (according to this article). But I believe that's not a problem.

I think a way to have the file saved permanently would be to let cert-manager do the certificate fetching and storing as a Kubernetes TLS secret, then they can be used inside of an ingress definition like the certificates we add manually.

@owngr (Contributor, Author), Feb 2, 2022:
@mysticaltech Actually I started with acme.json but this didn't work; I had the following error on the Traefik pod when I ran it:
is skipped from the resolvers list because: unable to get ACME account: open acme.json: read-only file system

I don't really know why, but storing it in the /data emptyDir volume fixed it.

%{ endif ~}
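Review bot: the PR title says "http challenge" but `--certificatesresolvers.le.acme.tlschallenge=true` enables the TLS-ALPN-01 challenge, not HTTP-01; fix the title and description so the record matches what ships. The bigger issue is `--certificatesresolvers.le.acme.storage=/data/acme.json`: per the thread `/data` is an emptyDir, so acme.json, which holds the ACME account private key and the private keys of every issued certificate, is discarded on each pod restart. Traefik then re-registers an account and re-issues on every restart, which will eventually hit Let's Encrypt's duplicate-certificate rate limit (5 per week for the same set of names) and leave the cluster without a fresh certificate. Back `/data` with a persistent volume (Traefik also expects acme.json to be mode 0600, so set `fsGroup`/permissions accordingly), or, as suggested in the thread, let cert-manager store certificates as Kubernetes TLS Secrets. Finally, nothing in the PR documents that IngressRoutes/Ingresses must select the `le` resolver to get a certificate; add a line to the README or tfvars example.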
4 changes: 4 additions & 0 deletions terraform.tfvars.example
@@ -25,3 +25,7 @@ agents_num = 2
# that is probably the more "vanilla" option to keep these components always updated.
# hetzner_ccm_containers_latest = true
# hetzner_csi_containers_latest = true

# If you want to use letsencrypt with tls Challenge, the email address is used to send you certificates expiration notices
# traefik_acme_tls = true
# traefik_acme_email = "mail@example.com"
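Review bot: the comment says "tls Challenge", the template enables `acme.tlschallenge`, and the PR title says "http challenge"; align all three. The e-mail is also the ACME account contact used at registration, not only an expiry-notice address, and the example should state that `traefik_acme_email` is required whenever `traefik_acme_tls = true`, since the template has no fallback when it is left unset.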
13 changes: 13 additions & 0 deletions variables.tf
@@ -78,3 +78,16 @@ variable "hetzner_csi_containers_latest" {
default = false
description = "Whether to kustomize the Hetzner CSI manifest with the latest or canary tags for containers"
}

variable "traefik_acme_tls" {
type = bool
default = false
description = "Wheter to include the TLS configuration with the Traefik configuration"
}

variable "traefik_acme_email" {
type = string
default = false
description = "Email used to recieved expiration notice for certificate"
}
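Review bot: `traefik_acme_email` is declared `type = string` but given `default = false`; Terraform coerces that to the string "false", so with `traefik_acme_tls = true` and no e-mail set the template renders `--certificatesresolvers.le.acme.email=false` and ACME registration fails at runtime instead of at plan time. Use `default = ""` (or `null`) and add a `validation` block, or a precondition on the `local_file` resource, requiring a non-empty e-mail when `traefik_acme_tls` is true. Also fix the description typos: "Wheter" should be "Whether" and "recieved" should be "receive".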