I am extremely new to the Traefik 2 ingress controller, which is deployed by my cloud provider (chart here: https://github.com/civo/kubernetes-marketplace/tree/master/traefik2).
I got my app frontend and backend services running. Now I want to add a LetsEncrypt certificate mechanism, but it seems quite difficult.
If I understand that right, I HAVE TO modify the chart deployment (traefik-controller), which is something I do not like, because I will end up later in a declarative way with GitOps.
• Are there options to configure LetsEncrypt through ConfigMaps and Secrets?
• Do I need cert-manager for that? Do I need it anyway?
• If that is not possible, do I have to deploy the whole chart through GitOps myself?
• Should certificates be stored in a volume so they are not ephemeral?
I was not able to find a guide or a snippet that illustrates my specific issue; most examples use TOML or the traefik-controller. Isn't that possible? A Traefik v2 and LetsEncrypt setup that does not touch the deployment?
Thank you in advance
This is my current IngressRoute, which is enough to have my app running:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    kubernetes.io/ingress.class: traefik
  name: demo-ingress-route
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`demo.mydomain.at`)
      priority: 0
      services:
        - name: frontend-app
          port: 80
    - kind: Rule
      match: Host(`demo.mydomain.at`) && PathPrefix(`/backend/`)
      middlewares:
        - name: demo-middleware-backend
      priority: 0
      services:
        - name: backend-api
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: demo-middleware-backend
  namespace: default
spec:
  stripPrefix:
    prefixes:
      - /backend
```
I don't have all the answers to your questions, but I can maybe help by showing how I deploy Traefik:
I am using Traefik as a Helm chart watched by FluxCD to implement GitOps only for infrastructure.
I leverage the wildcard to match any entry, and then my applications can choose any ingress route without having to update my Traefik chart.
This is what my values.yaml looks like:
```yaml
values:
  image:
    tag: 2.5.1
  additionalArguments:
    # acme.json lives under the persistent volume mounted at /data (see persistence below)
    - "--certificatesresolvers.le.acme.storage=/data/acme.json"
    # DNS-01 challenge; the provider reads its token from the env section below
    - --certificatesresolvers.le.acme.dnschallenge.provider=digitalocean
    - --certificatesresolvers.le.acme.email=xxxx@xxxxxx.com
  ports:
    traefik:
      expose: false
      exposedPort: 9000
      port: 9000
      protocol: TCP
    web:
      expose: true
      exposedPort: 80
      port: 8000
      protocol: TCP
      # redirects traffic to the HTTPS section by default
      redirectTo: websecure
    websecure:
      expose: true
      exposedPort: 443
      port: 8443
      protocol: TCP
      tls:
        certResolver: le
        domains:
          - main: my.domain.com
            sans:
              - '*.my.domain.com'
        enabled: true
        options: ""
  env:
    - name: DO_AUTH_TOKEN
      valueFrom:
        secretKeyRef:
          key: apiKey
          name: do-api-credentials
  ingressRoute:
    dashboard:
      enabled: true
  persistence:
    enabled: true
    path: /data
    size: 1Gi
    accessMode: ReadWriteOnce
  deployment:
    initContainers:
      # The "volume-permissions" init container is required if you run into permission issues.
      # Related issue: https://github.com/containous/traefik/issues/6972
      - name: volume-permissions
        image: busybox:1.31.1
        command: ["sh", "-c", "chmod -Rv 600 /data/*"]
        volumeMounts:
          - name: data
            mountPath: /data
```
With this secret:
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: do-api-credentials
type: Opaque
stringData:
  email: xxxx@xxxxxx.com
  apiKey: xxxxxxxx
```
Example of a route in the application repository:
```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-ingress
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`{{ template "app.url" . }}`)
      kind: Rule
      services:
        - name: app
          port: 80
  tls:
    certResolver: le
```
A helpful resource: https://corstianboerman.com/2021-03-17/configuring-traefik-on-kubernetes.html
Cert Manager is helpful to avoid a Single Point of Failure, as it is used to store and issue certificates. With Traefik community you only have one pod, which could lead to downtime. So it depends on what your objectives are concerning availability. Is it important for you? I don't have numbers to provide, but on a cluster where our availability SLO is low, a single instance of Traefik is enough for our case.
So yes, if you need it, you need to deploy it with or without GitOps.
I hope I answered some of your questions, have a nice day
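The values above only work if a few things line up: the acme.json path has to sit on the persistent volume (otherwise every pod restart re-issues certificates and burns Let's Encrypt rate limits), the certResolver name used in IngressRoutes has to match the one defined in additionalArguments, the web entrypoint should redirect to websecure, and the DNS provider token should reach the pod only through a secretKeyRef. The following linter encodes those checks against the same values structure. It is an added example, not code from the original post or the Traefik project; the GOOD_VALUES/BAD_VALUES inputs are constructed to mirror the answer with placeholder names, the PROVIDER_TOKEN_ENV table is an assumed subset of the env vars lego reads, and /data is assumed as the chart's default persistence path.

```python
"""Lint Traefik v2 Helm values for a persistent, Secret-backed ACME setup.

Added example, not code from the original post. It checks the points the
answer's values.yaml relies on: acme.json sits on the persistent volume, every
referenced certResolver is defined, web redirects to websecure, and the DNS
provider token is supplied through a secretKeyRef rather than an inline value.
"""
import posixpath
import re

ARG_RE = re.compile(r"^--certificatesresolvers\.([^.]+)\.acme\.(.+?)=(.*)$")
# Env var lego reads per DNS provider (assumption: only a small subset listed).
PROVIDER_TOKEN_ENV = {"digitalocean": "DO_AUTH_TOKEN", "cloudflare": "CF_DNS_API_TOKEN"}

# Constructed input mirroring the answer's values.yaml with placeholder names.
# From a file: GOOD_VALUES = yaml.safe_load(open("values.yaml"))["values"]
GOOD_VALUES = {
    "additionalArguments": [
        "--certificatesresolvers.le.acme.storage=/data/acme.json",
        "--certificatesresolvers.le.acme.dnschallenge.provider=digitalocean",
        "--certificatesresolvers.le.acme.email=admin@example.com",
    ],
    "ports": {
        "web": {"expose": True, "redirectTo": "websecure"},
        "websecure": {"expose": True, "tls": {"enabled": True, "certResolver": "le"}},
    },
    "env": [{"name": "DO_AUTH_TOKEN",
             "valueFrom": {"secretKeyRef": {"name": "do-api-credentials", "key": "apiKey"}}}],
    "persistence": {"enabled": True, "path": "/data"},
}

# Constructed counter-example: ephemeral acme.json, inline token, no redirect,
# and a websecure tls block naming a resolver that does not exist.
BAD_VALUES = {
    "additionalArguments": [
        "--certificatesresolvers.le.acme.storage=/acme.json",
        "--certificatesresolvers.le.acme.dnschallenge.provider=digitalocean",
    ],
    "ports": {
        "web": {"expose": True},
        "websecure": {"expose": True, "tls": {"enabled": True, "certResolver": "letsencrypt"}},
    },
    "env": [{"name": "DO_AUTH_TOKEN", "value": "dop_v1_constructed_placeholder"}],
    "persistence": {"enabled": False},
}


def parse_resolvers(args):
    """Map resolver name -> {acme setting: value} from --certificatesresolvers.* args."""
    resolvers = {}
    for arg in args:
        m = ARG_RE.match(arg.strip('"'))
        if m:
            resolvers.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
    return resolvers


def env_sources(values):
    """Map env var name -> 'secret' | 'literal' | 'other' by how it is supplied."""
    out = {}
    for e in values.get("env", []):
        if "secretKeyRef" in e.get("valueFrom", {}):
            out[e["name"]] = "secret"
        else:
            out[e["name"]] = "literal" if "value" in e else "other"
    return out


def lint_values(values, ingress_resolvers=()):
    """Return a list of findings (empty = all checks passed); ingress_resolvers are
    the certResolver names your IngressRoute objects reference."""
    findings = []
    resolvers = parse_resolvers(values.get("additionalArguments", []))
    persistence = values.get("persistence", {})
    # /data is the chart's default mount path (assumption) when persistence is on
    mount = posixpath.normpath(persistence.get("path", "/data")) if persistence.get("enabled") else None
    sources = env_sources(values)
    for name, cfg in resolvers.items():
        storage = cfg.get("storage", "")
        on_volume = mount and posixpath.normpath(storage).startswith(mount + "/")
        if not on_volume:
            findings.append(f"resolver {name}: acme.storage={storage!r} is not on the "
                            f"persistent volume (persistence.path={mount}); "
                            "issued certificates are lost on pod restart")
        if "email" not in cfg:
            findings.append(f"resolver {name}: acme.email is missing")
        env_name = PROVIDER_TOKEN_ENV.get(cfg.get("dnschallenge.provider", ""))
        if env_name and sources.get(env_name) != "secret":
            findings.append(f"resolver {name}: {env_name} must come from a Secret via "
                            f"secretKeyRef (found: {sources.get(env_name)})")
    referenced = set(ingress_resolvers)
    for port in values.get("ports", {}).values():
        if (port.get("tls") or {}).get("certResolver"):
            referenced.add(port["tls"]["certResolver"])
    for missing in sorted(referenced - set(resolvers)):
        findings.append(f"certResolver {missing!r} is referenced but not defined")
    web = values.get("ports", {}).get("web", {})
    if web.get("expose") and web.get("redirectTo") != "websecure":
        findings.append("entrypoint web is exposed without redirectTo: websecure; "
                        "plaintext HTTP stays reachable")
    return findings
```

Run `lint_values(GOOD_VALUES, ingress_resolvers=["le"])` and it returns an empty list; the same call on `BAD_VALUES` returns five findings, one per mistake listed in its comment. Wiring this into the GitOps pipeline (a pre-commit hook or a CI step over the HelmRelease) catches the ephemeral-acme.json and inline-token cases before Flux applies them, which is exactly the class of change that otherwise shows up as a rate-limited resolver or a leaked DNS API key.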