K
Q

Traefik: How do I use the certificates generated by the dnsChallenge in my Ingress

7/10/2019

I can get my traefik controller to work with my ingress. And it seems to be navigating to all services as expected as well. But I cannot get https working. Would love some help figuring this piece out. My main question is which certificate does Traefik automatically create and how do I use it in my ingress.

Here's the configmap which generates my traefik.toml:

Name:         traefik-config
Namespace:    <redacted>
Labels:       app.kubernetes.io/component=traefik-config
              namespace=<redacted>

Data
====
traefik.toml:
----
debug = true
logLevel = "DEBUG"
keepTrailingSlash = true
defaultEntryPoints = ["http","https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  compress = true
  [entryPoints.https]
  address = ":443"
  compress = true
    [entryPoints.https.tls]
  [entryPoints.traefik]
  address = ":8080"
    [entryPoints.traefik.auth.basic]
    users = ["<redacted>"]

[ping]
entryPoint = "http"

[kubernetes]

[api]
  entryPoint = "traefik"
  dashboard = true

[acme]
email = "myEmail@gmail.com"
entryPoint = "https"
storage = "/acme/acme.json"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
acmeLogging = true
  [acme.dnsChallenge]
  provider = "gcloud"

[[acme.domains]]
   main = "*.<redacted>.com"
   sans = ["<redacted>.com", "traefik.<redacted>.com"]

Here's my traefik deploy which deploys the traefik controller (kubectl describe pod traefik-deploy-7dbd69c994-klrrh:

Name:               traefik-deploy-7dbd69c994-klrrh
Namespace:          <redacted>
Priority:           0
PriorityClassName:  <none>
Start Time:         Wed, 10 Jul 2019 10:21:22 -0700
Labels:             app.kubernetes.io/component=traefik-pod
                    namespace=<redacted>
Annotations:        <none>
Status:             Running
IP:                 <redacted>
Controlled By:      ReplicaSet/traefik-deploy-7dbd69c994
Containers:
  traefik-pod:
    Container ID:  <redacted>
    Image:         traefik:v1.7.12
    Image ID:      docker-pullable://traefik@sha256:02cfdbXCCCCCCCXXXXXXXXXX7f0fe3ebeccb8
    Ports:         80/TCP, 443/TCP, 8080/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP
    Args:
      --configfile=/config/traefik.toml
    State:          Running
      Started:      Wed, 10 Jul 2019 10:21:53 -0700
    Ready:          True
    Restart Count:  0
    Environment:
      GCE_PROJECT:               <set to the key 'GCE_PROJECT' in secret 'traefik-dnsprovider-secret'>               Optional: false
      GCE_SERVICE_ACCOUNT_FILE:  <set to the key 'GCE_SERVICE_ACCOUNT_FILE' in secret 'traefik-dnsprovider-secret'>  Optional: false
    Mounts:
      /acme from acme (rw)
      /config from traefik-config (rw)
      /secret from traefik-dns-credentials (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from traefik-sa-token-24mp9 (ro)
.
.
.
Volumes:
  traefik-config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      traefik-config
    Optional:  false
  acme:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  traefik-acme-pvc
    ReadOnly:   false
  traefik-dns-credentials:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  traefik-dns-credentials
    Optional:    false
  traefik-sa-token-24mp9:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  traefik-sa-token-24mp9
    Optional:    false
.
.

The secret traefik-dnsprovider-secret provides the GCE_PROJECT and GCE_SERVICE_ACCOUNT_FILE Env variables to the pod, which are b64enc strings of my GCE_PROJECT and the filename /secrets/dns-admin-sa.json (for GCE_SERVICE_ACCOUNT_FILE).

The file /secrets/dns-admin-sa.json is mounted on the container through the secret traefik-dns-credentials, which is:

Name:         traefik-dns-credentials
Namespace:    <readcted>
Labels:       app.kubernetes.io/component=traefik-dns-credentials
Annotations:  helm.sh/hook: pre-install
              helm.sh/hook-weight: -5

Type:  Opaque

Data
====
dns-admin-sa.json:  2336 bytes

Traefik Dashboard Ingress:

Name:             traefik-dashboard-ingress
Namespace:        <redacted>
Address:
Default backend:  default-http-backend:80 (10.48.0.5:8080)
Rules:
  Host                 Path  Backends
  ----                 ----  --------
  traefik.<redacted>.com
                       /   traefik-dashboard-svc:dashboard-http (10.48.0.8:8080)
Annotations:
  kubernetes.io/ingress.class:                          traefik
  traefik.ingress.kubernetes.io/frontend-entry-points:  http,https
  traefik.ingress.kubernetes.io/redirect-entry-point:   https
  traefik.ingress.kubernetes.io/redirect-permanent:     true

Questions:

  1. How do I ssh into the traefik container kubectl exec -it traefik-deploy-7dbd69c994-klrrh bash doesn't work. Using this I can check the "/acme/acme.json" location

  2. Which certificate does traefik create and how do I use it in my ingress? I haven't added a TLS certificate to any of my ingresses (which is where my https is failing). The user guide here shows how to use a self signed certificate, but I don't want that and want the certificate using dns-01 challenge.

-- Panda
google-kubernetes-engine
kubernetes
traefik
traefik-ingress

Similar Questions

Communicating with a IP whitelisted service with EKS
How to change the IP and port of etcd listening
kibana 7.2 can't reach elasticsearch on kubernetes
What is the difference between ingress value as blank array and value - {}?
Health Check modification in OpenShift 3.11
Is it possible to configure a pod to prioritize using `hostNetwork` but still reference internal service endpoints?

0 Answers