Traefik: How do I use the certificates generated by the dnsChallenge in my Ingress

7/10/2019

I can get my traefik controller to work with my ingress. And it seems to be navigating to all services as expected as well. But I cannot get https working. Would love some help figuring this piece out. My main question is which certificate does Traefik automatically create and how do I use it in my ingress.

Here's the configmap which generates my traefik.toml:

Name:         traefik-config
Namespace:    <redacted>
Labels:       app.kubernetes.io/component=traefik-config
              namespace=<redacted>

Data
====
traefik.toml:
----
debug = true
logLevel = "DEBUG"
keepTrailingSlash = true
defaultEntryPoints = ["http","https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  compress = true
  [entryPoints.https]
  address = ":443"
  compress = true
    [entryPoints.https.tls]
  [entryPoints.traefik]
  address = ":8080"
    [entryPoints.traefik.auth.basic]
    users = ["<redacted>"]

[ping]
entryPoint = "http"

[kubernetes]

[api]
  entryPoint = "traefik"
  dashboard = true

[acme]
email = "myEmail@gmail.com"
entryPoint = "https"
storage = "/acme/acme.json"
caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
acmeLogging = true
  [acme.dnsChallenge]
  provider = "gcloud"

[[acme.domains]]
   main = "*.<redacted>.com"
   sans = ["<redacted>.com", "traefik.<redacted>.com"]

Here's my traefik deploy which deploys the traefik controller (kubectl describe pod traefik-deploy-7dbd69c994-klrrh):

Name:               traefik-deploy-7dbd69c994-klrrh
Namespace:          <redacted>
Priority:           0
PriorityClassName:  <none>
Start Time:         Wed, 10 Jul 2019 10:21:22 -0700
Labels:             app.kubernetes.io/component=traefik-pod
                    namespace=<redacted>
Annotations:        <none>
Status:             Running
IP:                 <redacted>
Controlled By:      ReplicaSet/traefik-deploy-7dbd69c994
Containers:
  traefik-pod:
    Container ID:  <redacted>
    Image:         traefik:v1.7.12
    Image ID:      docker-pullable://traefik@sha256:02cfdbXCCCCCCCXXXXXXXXXX7f0fe3ebeccb8
    Ports:         80/TCP, 443/TCP, 8080/TCP
    Host Ports:    0/TCP, 0/TCP, 0/TCP
    Args:
      --configfile=/config/traefik.toml
    State:          Running
      Started:      Wed, 10 Jul 2019 10:21:53 -0700
    Ready:          True
    Restart Count:  0
    Environment:
      GCE_PROJECT:               <set to the key 'GCE_PROJECT' in secret 'traefik-dnsprovider-secret'>               Optional: false
      GCE_SERVICE_ACCOUNT_FILE:  <set to the key 'GCE_SERVICE_ACCOUNT_FILE' in secret 'traefik-dnsprovider-secret'>  Optional: false
    Mounts:
      /acme from acme (rw)
      /config from traefik-config (rw)
      /secret from traefik-dns-credentials (rw)
      /var/run/secrets/kubernetes.io/serviceaccount from traefik-sa-token-24mp9 (ro)
.
.
.
Volumes:
  traefik-config:
    Type:      ConfigMap (a volume populated by a ConfigMap)
    Name:      traefik-config
    Optional:  false
  acme:
    Type:       PersistentVolumeClaim (a reference to a PersistentVolumeClaim in the same namespace)
    ClaimName:  traefik-acme-pvc
    ReadOnly:   false
  traefik-dns-credentials:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  traefik-dns-credentials
    Optional:    false
  traefik-sa-token-24mp9:
    Type:        Secret (a volume populated by a Secret)
    SecretName:  traefik-sa-token-24mp9
    Optional:    false
.
.

The secret traefik-dnsprovider-secret provides the GCE_PROJECT and GCE_SERVICE_ACCOUNT_FILE Env variables to the pod, which are b64enc strings of my GCE_PROJECT and the filename /secrets/dns-admin-sa.json (for GCE_SERVICE_ACCOUNT_FILE).

The file /secrets/dns-admin-sa.json is mounted on the container through the secret traefik-dns-credentials, which is:

Name:         traefik-dns-credentials
Namespace:    <redacted>
Labels:       app.kubernetes.io/component=traefik-dns-credentials
Annotations:  helm.sh/hook: pre-install
              helm.sh/hook-weight: -5

Type:  Opaque

Data
====
dns-admin-sa.json:  2336 bytes

Traefik Dashboard Ingress:

Name:             traefik-dashboard-ingress
Namespace:        <redacted>
Address:
Default backend:  default-http-backend:80 (10.48.0.5:8080)
Rules:
  Host                 Path  Backends
  ----                 ----  --------
  traefik.<redacted>.com
                       /   traefik-dashboard-svc:dashboard-http (10.48.0.8:8080)
Annotations:
  kubernetes.io/ingress.class:                          traefik
  traefik.ingress.kubernetes.io/frontend-entry-points:  http,https
  traefik.ingress.kubernetes.io/redirect-entry-point:   https
  traefik.ingress.kubernetes.io/redirect-permanent:     true

Questions:

  1. How do I ssh into the traefik container? kubectl exec -it traefik-deploy-7dbd69c994-klrrh bash doesn't work. Using this I could check the "/acme/acme.json" location.

  2. Which certificate does traefik create and how do I use it in my ingress? I haven't added a TLS certificate to any of my ingresses (which is where my https is failing). The user guide here shows how to use a self-signed certificate, but I don't want that and want the certificate using the dns-01 challenge.

-- Panda
google-kubernetes-engine
kubernetes
traefik
traefik-ingress
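The question above asks which certificate Traefik creates from the `[acme]` dnsChallenge configuration and how an Ingress host ends up using it. With the posted config, the issued certificate is written to the file named by `storage` (`/acme/acme.json`). The following script is an added example (not code from the original post or from the Traefik project) that reads such a file, lists the domains each stored certificate covers, and checks an Ingress host such as `traefik.<redacted>.com` against them using single-label wildcard matching (`*.example.com` covers `a.example.com` but not `example.com` or `a.b.example.com`). It assumes the Traefik 1.x `acme.json` layout (a top-level `Certificates` list with `Domain.Main`, `Domain.SANs` and base64-encoded `Certificate`/`Key` fields); the embedded sample file is constructed with placeholder PEM bodies, not real key material.

```python
"""Inspect a Traefik 1.x acme.json and decide which stored certificate
covers a given Ingress host.

Added example, not from the original post or the Traefik project.
Assumptions (labelled):
- acme.json layout follows Traefik 1.x: a top-level "Certificates" list whose
  entries carry "Domain": {"Main": ..., "SANs": [...]} plus base64-encoded
  "Certificate" and "Key" fields.
- Host matching uses the single-label wildcard rule: "*.example.com" covers
  "a.example.com" but neither "example.com" nor "a.b.example.com".
"""
import base64
import json

# Constructed sample in the assumed Traefik 1.x layout. The PEM bodies are
# placeholders, not real certificate or key material.
SAMPLE_ACME_JSON = json.dumps({
    "Account": {"Email": "admin@example.com"},
    "Certificates": [
        {
            "Domain": {"Main": "*.example.com",
                       "SANs": ["example.com", "traefik.example.com"]},
            "Certificate": base64.b64encode(
                b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
            ).decode(),
            "Key": base64.b64encode(
                b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"
            ).decode(),
        }
    ],
    "HTTPChallenges": {},
})


def load_cert_domains(acme_json_text):
    """Return a list of (main, sans) tuples, one per stored certificate."""
    data = json.loads(acme_json_text)
    out = []
    for entry in data.get("Certificates") or []:
        dom = entry.get("Domain", {})
        out.append((dom.get("Main", ""), list(dom.get("SANs") or [])))
    return out


def host_matches(pattern, host):
    """Case-insensitive exact or single-label wildcard match."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]  # "*.example.com" -> ".example.com"
        if not host.endswith(suffix):
            return False
        label = host[:-len(suffix)]
        # Exactly one non-empty label may stand in for the wildcard.
        return bool(label) and "." not in label
    return pattern == host


def certificate_for_host(acme_json_text, host):
    """Return the Main domain of the first certificate covering host, or None."""
    for main, sans in load_cert_domains(acme_json_text):
        if any(host_matches(name, host) for name in [main] + sans):
            return main
    return None


def certificate_pem(acme_json_text, main):
    """Decode the stored PEM certificate whose Main domain equals main."""
    data = json.loads(acme_json_text)
    for entry in data.get("Certificates") or []:
        if entry.get("Domain", {}).get("Main") == main:
            return base64.b64decode(entry["Certificate"]).decode()
    return None


if __name__ == "__main__":
    for h in ["traefik.example.com", "example.com",
              "api.example.com", "deep.api.example.com"]:
        print(h, "->", certificate_for_host(SAMPLE_ACME_JSON, h))
    print(certificate_pem(SAMPLE_ACME_JSON, "*.example.com"))
```

To run this against a real file, replace `SAMPLE_ACME_JSON` with the contents of a copy of `/acme/acme.json`; if the container image ships no shell for `kubectl exec`, the same PVC (`traefik-acme-pvc` in the post) can be mounted into a short-lived pod that has one. The file contains the private keys alongside the certificates, so copies should be handled with the same care as any other secret.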

0 Answers