Document LE caveats with Kubernetes on v2 #5902
LGTM. Thanks
LGTM 👍
LGTM
Couldn't one use a DNS entry that resolves to a dedicated Traefik instance within an HA setup (e.g. traefik-master.myzone.tld)? Furthermore, this instance could be configured differently from the other instances. IMO the problem is not with routing the challenge requests to the correct Traefik instance. It's that Traefik does not (currently) allow sharing the received certificates with other instances (in read-only mode), e.g. by means of a KV store.
@dtomcej You mention that there is currently work being done on integrating cert-manager with Traefik CRDs. Can you share what the current status is there?
What does this PR do?
This PR improves the documentation for LetsEncrypt use by making note of the HA caveats, and providing workarounds for known design choices.
Motivation
Documentation was not clear on the removal of distributed LetsEncrypt, and how it would affect Kubernetes users.
More
Fixes #5792