I can get my traefik controller to work with my ingress. And it seems to be navigating to all services as expected as well. But I cannot get https working. Would love some help figuring this piece out. My main question is: which certificate does Traefik automatically create, and how do I use it in my ingress?
Here's the configmap which generates my traefik.toml:
Name: traefik-config
Namespace: <redacted>
Labels: app.kubernetes.io/component=traefik-config
namespace=<redacted>
Data
====
traefik.toml:
----
debug = true
logLevel = "DEBUG"
keepTrailingSlash = true
defaultEntryPoints = ["http","https"]
[entryPoints]
[entryPoints.http]
address = ":80"
compress = true
[entryPoints.https]
address = ":443"
compress = true
[entryPoints.https.tls]
[entryPoints.traefik]
address = ":8080"
[entryPoints.traefik.auth.basic]
users = ["<redacted>"]
[ping]
entryPoint = "http"
[kubernetes]
[api]
entryPoint = "traefik"
dashboard = true
[acme]
email = "myEmail@gmail.com"
entryPoint = "https"
storage = "/acme/acme.json"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
acmeLogging = true
[acme.dnsChallenge]
provider = "gcloud"
[[acme.domains]]
main = "*.<redacted>.com"
sans = ["<redacted>.com", "traefik.<redacted>.com"]
Here's my traefik deploy which deploys the traefik controller (kubectl describe pod traefik-deploy-7dbd69c994-klrrh):
Name: traefik-deploy-7dbd69c994-klrrh
Namespace: <redacted>
Priority: 0
PriorityClassName: <none>
Start Time: Wed, 10 Jul 2019 10:21:22 -0700
Labels: app.kubernetes.io/component=traefik-pod
namespace=<redacted>
Annotations: <none>
Status: Running
IP: <redacted>
Controlled By: ReplicaSet/traefik-deploy-7dbd69c994
Containers:
traefik-pod:
Container ID: <redacted>
Image: traefik:v1.7.12
Image ID: docker-pullable://traefik@sha256:02cfdbXCCCCCCCXXXXXXXXXX7f0fe3ebeccb8
Ports: 80/TCP, 443/TCP, 8080/TCP
Host Ports: 0/TCP, 0/TCP, 0/TCP
Args:
--configfile=/config/traefik.toml
State: Running
Started: Wed, 10 Jul 2019 10:21:53 -0700
Ready: True
Restart Count: 0
Environment:
GCE_PROJECT: <set to the key 'GCE_PROJECT' in secret 'traefik-dnsprovider-secret'> Optional: false
GCE_SERVICE_ACCOUNT_FILE: <set to the key 'GCE_SERVICE_ACCOUNT_FILE' in secret 'traefik-dnsprovider-secret'> Optional: false
Mounts:
/acme from acme (rw)
/config from traefik-config (rw)
/secret from traefik-dns-credentials (rw)
/var/run/secrets/kubernetes.io/serviceaccount from traefik-sa-token-24mp9 (ro)
.
.
.
Volumes:
traefik-config:
Type: ConfigMap (a volume populated by a ConfigMap)
Name: traefik-config
Optional: false
acme:
Type: PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
ClaimName: traefik-acme-pvc
ReadOnly: false
traefik-dns-credentials:
Type: Secret (a volume populated by a Secret)
SecretName: traefik-dns-credentials
Optional: false
traefik-sa-token-24mp9:
Type: Secret (a volume populated by a Secret)
SecretName: traefik-sa-token-24mp9
Optional: false
.
.
The secret traefik-dnsprovider-secret provides the GCE_PROJECT and GCE_SERVICE_ACCOUNT_FILE env variables to the pod, which are b64enc strings of my GCE_PROJECT and the filename /secrets/dns-admin-sa.json (for GCE_SERVICE_ACCOUNT_FILE).
The file /secrets/dns-admin-sa.json is mounted on the container through the secret traefik-dns-credentials, which is:
Name: traefik-dns-credentials
Namespace: <redacted>
Labels: app.kubernetes.io/component=traefik-dns-credentials
Annotations: helm.sh/hook: pre-install
helm.sh/hook-weight: -5
Type: Opaque
Data
====
dns-admin-sa.json: 2336 bytes
Traefik Dashboard Ingress:
Name: traefik-dashboard-ingress
Namespace: <redacted>
Address:
Default backend: default-http-backend:80 (10.48.0.5:8080)
Rules:
Host Path Backends
---- ---- --------
traefik.<redacted>.com
/ traefik-dashboard-svc:dashboard-http (10.48.0.8:8080)
Annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/frontend-entry-points: http,https
traefik.ingress.kubernetes.io/redirect-entry-point: https
traefik.ingress.kubernetes.io/redirect-permanent: true
Questions:
How do I ssh into the traefik container? kubectl exec -it traefik-deploy-7dbd69c994-klrrh bash doesn't work. Using this I can check the "/acme/acme.json" location.
Which certificate does traefik create and how do I use it in my ingress? I haven't added a TLS certificate to any of my ingresses (which is where my https is failing). The user guide here shows how to use a self-signed certificate, but I don't want that and want the certificate using the dns-01 challenge.
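
An added example, not part of the original question and not Traefik's own code: given a copy of the ACME storage file that the config above writes (storage = "/acme/acme.json"), this script reports which names each stored certificate covers and whether a given ingress host is among them, without returning key material. It assumes the Traefik 1.x storage layout (a top-level Certificates list with Domain.Main, Domain.SANs and a base64-encoded Certificate); the function names and the sample file are constructed for illustration.

```python
import base64, json, os, stat, tempfile

def host_covered(host, names):
    """Exact match, or a wildcard that covers exactly one extra label."""
    host = host.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in names):
        if name == host:
            return True
        if name.startswith("*.") and host.partition(".")[2] == name[2:]:
            return True
    return False

def inspect_acme(path, host):
    """Summarise an ACME storage file; key material is never returned."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as fh:
        data = json.load(fh)
    report = {"mode_ok": mode == 0o600, "certs": [], "host_covered": False}
    # Assumed Traefik 1.x layout: Certificates -> [{Domain, Certificate, Key}]
    for entry in data.get("Certificates") or []:
        dom = entry.get("Domain") or {}
        names = [dom.get("Main", "")] + list(dom.get("SANs") or [])
        pem = base64.b64decode(entry.get("Certificate") or "").decode("ascii", "replace")
        report["certs"].append({
            "names": names,
            "chain_len": pem.count("-----BEGIN CERTIFICATE-----"),
            "has_key": bool(entry.get("Key")),
        })
        report["host_covered"] |= host_covered(host, names)
    return report

def constructed_sample():
    """Write a constructed storage file (placeholder PEM bodies, no real key)."""
    fake_pem = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n" * 2
    doc = {"Account": {"Email": "ops@example.com"},
           "Certificates": [{
               "Domain": {"Main": "*.example.com", "SANs": ["example.com"]},
               "Certificate": base64.b64encode(fake_pem.encode()).decode(),
               "Key": "Y29uc3RydWN0ZWQ="}]}
    fd, path = tempfile.mkstemp(suffix=".json")
    with os.fdopen(fd, "w") as fh:
        json.dump(doc, fh)
    os.chmod(path, 0o600)  # Traefik refuses storage files more open than 600
    return path

if __name__ == "__main__":
    sample = constructed_sample()
    print(inspect_acme(sample, "traefik.example.com"))
    os.remove(sample)
```

An empty certs list in the report means no certificate has been stored yet, so the DNS challenge has not completed.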