Setup of Traefik 2, Kubernetes, Let's Encrypt and its configuration question

11/22/2021

I am extremely new to the Traefik 2 Ingress controller, which is deployed by my cloud provider (chart here: https://github.com/civo/kubernetes-marketplace/tree/master/traefik2).

I got my app frontend and backend services running. Now I want to add a Let's Encrypt certificate mechanism, but it seems quite difficult.

If I understand that right, I HAVE TO modify the chart deployment (traefik-controller), which is something I do not like, because I will later end up in a declarative GitOps setup.

• Are there options to configure Let's Encrypt through ConfigMaps and Secrets?

• Do I need cert-manager for that? Do I need it anyway?

• If that is not possible, do I have to deploy the whole chart through GitOps myself?

• Should certificates be stored in a volume so that they are not ephemeral?

I was not able to find a guide or a snippet that illustrates my specific issue; most examples use TOML or the traefik-controller. Isn't that possible? A Traefik v2 and Let's Encrypt setup without touching the deployment?

Thank you in advance

This is my current IngressRoute, which is enough to have my app running:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  annotations:
    kubernetes.io/ingress.class: traefik
  name: demo-ingress-route
  namespace: default
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`demo.mydomain.at`)
      priority: 0
      services:
        - name: frontend-app
          port: 80
    - kind: Rule
      match: Host(`demo.mydomain.at`) && PathPrefix(`/backend/`)
      middlewares:
        - name: demo-middleware-backend
      priority: 0
      services:
        - name: backend-api
          port: 80
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: demo-middleware-backend
  namespace: default
spec:
  stripPrefix:
    prefixes:
      - /backend
-- Jan
kubernetes
lets-encrypt
traefik
traefik-ingress

1 Answer

1/19/2022

I don't have all the answers to your question, but I can maybe help by showing how I deploy Traefik:

I am using Traefik as a Helm chart watched by FluxCD to implement GitOps, only for infrastructure.

I leverage the wildcard to match any entry, and then my applications can choose any ingress route without having to update my Traefik chart.

This is what my values.yaml looks like:

  values:
    image:
      tag: 2.5.1
    additionalArguments:
      # ACME resolver "le": persisted store, DNS-01 challenge via DigitalOcean, account e-mail
      - "--certificatesresolvers.le.acme.storage=/data/acme.json"
      - "--certificatesresolvers.le.acme.dnschallenge.provider=digitalocean"
      - "--certificatesresolvers.le.acme.email=xxxx@xxxxxx.com"
    ports:
      traefik:
        expose: false
        exposedPort: 9000
        port: 9000
        protocol: TCP
      web:
        expose: true
        exposedPort: 80
        port: 8000
        protocol: TCP
        # redirects traffic to the HTTPS section by default
        redirectTo: websecure
      websecure:
        expose: true
        exposedPort: 443
        port: 8443
        protocol: TCP
        tls:
          certResolver: le
          domains:
          - main: my.domain.com
            sans:
            - '*.my.domain.com'
          enabled: true
          options: ""

    env:
      # DigitalOcean API token read by the DNS-01 provider; never placed in values.yaml itself
      - name: DO_AUTH_TOKEN
        valueFrom:
          secretKeyRef:
            key: apiKey
            name: do-api-credentials

    ingressRoute:
      dashboard:
        enabled: true

    persistence:
      enabled: true
      path: /data
      size: 1Gi
      accessMode: ReadWriteOnce

    deployment:
      initContainers:
        # The "volume-permissions" init container is required if you run into permission issues.
        # Related issue: https://github.com/containous/traefik/issues/6972
        - name: volume-permissions
          image: busybox:1.31.1
          command: ["sh", "-c", "chmod -Rv 600 /data/*"]
          volumeMounts:
            - name: data
              mountPath: /data

With this Secret:

apiVersion: v1
kind: Secret
metadata:
  name: do-api-credentials
type: Opaque
stringData:
  email: xxxx@xxxxxx.com
  # only apiKey is referenced from the env section of the values above
  apiKey: xxxxxxxx

Example of a route in the application repository:

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-ingress
spec:
  entryPoints:
    - web
    - websecure
  routes:
  - match: Host(`{{ template "app.url" . }}`)
    kind: Rule
    services:
    - name: app
      port: 80
  tls:
    certResolver: le

A helpful resource: https://corstianboerman.com/2021-03-17/configuring-traefik-on-kubernetes.html

cert-manager is helpful to avoid a single point of failure, as it is used to store and issue certificates. With Traefik Community you only have one pod, which could lead to downtime. So it depends on what your objectives are concerning availability. Is it important for you? I don't have numbers to provide, but on a cluster where our availability SLO is low, a single instance of Traefik is enough for our case.

So yes, if you need it, you need to deploy it, with or without GitOps.

I hope I answered some of your questions; have a nice day.

-- François
Source: StackOverflow
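The answer above relies on two things that are easy to get subtly wrong once the certificate store lives on a persistent volume and applications only reference the resolver: the persisted acme.json must keep mode 0600 (that is what the volume-permissions init container is for; Traefik rejects a store with more permissive bits), and the wildcard certificate requested in values.yaml must actually cover the hostnames the application IngressRoutes use (a wildcard covers exactly one DNS label, so app.my.domain.com is covered but a.b.my.domain.com is not). The following script is an added example, not code from the question, the answer, or the Traefik project. It constructs a sample acme.json shaped like Traefik v2's store (resolver name at the top level, with Account and Certificates entries; the PEM bodies are placeholders), then audits file mode and hostname coverage the way a practitioner would before pointing a new IngressRoute at the resolver. The resolver name "le" and the domain names are taken from the answer; the function names are this example's own.

```python
"""Audit a Traefik v2 ACME store (acme.json): file mode and wildcard coverage.

Added example, not part of the Stack Overflow post. The store layout mirrors
Traefik v2's acme.json (resolver -> Account / Certificates); the sample content
is constructed and the certificate/key bodies are placeholders, not real PEM.
"""
import json
import os
import stat
import tempfile

# Constructed sample store for a resolver named "le" (as in the answer's values.yaml).
SAMPLE_ACME = {
    "le": {
        "Account": {
            "Email": "ops@example.com",
            "Registration": {"body": {"status": "valid"},
                             "uri": "https://acme-v02.api.letsencrypt.org/acme/acct/0"},
            "PrivateKey": "PLACEHOLDER",
            "KeyType": "4096",
        },
        "Certificates": [
            {
                "domain": {"main": "my.domain.com", "sans": ["*.my.domain.com"]},
                "certificate": "PLACEHOLDER",
                "key": "PLACEHOLDER",
                "Store": "default",
            }
        ],
    }
}


def check_storage_mode(path):
    """Traefik rejects an acme.json whose permission bits are not exactly 0600.
    Returns (ok, mode) so a caller can report the offending bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode == 0o600, mode


def hostname_matches(pattern, hostname):
    """Wildcard matching as TLS clients apply it (RFC 6125): '*' is honoured only
    as the entire leftmost label and covers exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]                      # ".my.domain.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]    # what the '*' would have to stand for
    return bool(first_label) and "." not in first_label and first_label != "*"


def covering_certificate(store, resolver, hostname):
    """Return the domain entry of the first certificate under `resolver` that covers
    `hostname`, or None (meaning Traefik would have to request a new certificate)."""
    for cert in store.get(resolver, {}).get("Certificates", []):
        names = [cert["domain"]["main"]] + cert["domain"].get("sans", [])
        if any(hostname_matches(n, hostname) for n in names):
            return cert["domain"]
    return None


def audit(path, resolver, hostnames):
    """Combine the mode check and the coverage check for a store on disk."""
    ok_mode, mode = check_storage_mode(path)
    with open(path) as fh:
        store = json.load(fh)
    coverage = {h: covering_certificate(store, resolver, h) is not None for h in hostnames}
    return {"mode_ok": ok_mode, "mode": oct(mode), "coverage": coverage}


def demo_audit(mode, hostnames=("app.my.domain.com", "a.b.my.domain.com")):
    """Write SAMPLE_ACME to a temporary acme.json with the given mode and audit it.
    Exists so the example runs offline; a real run would point audit() at the PVC path."""
    with tempfile.TemporaryDirectory() as directory:
        path = os.path.join(directory, "acme.json")
        with open(path, "w") as fh:
            json.dump(SAMPLE_ACME, fh)
        os.chmod(path, mode)
        return audit(path, "le", list(hostnames))


if __name__ == "__main__":
    print(demo_audit(0o644))   # mode too open, second hostname not covered
    print(demo_audit(0o600))   # mode as the init container leaves it
```

Run it against the real store with `kubectl exec` into the Traefik pod (or by mounting the PVC) and call `audit("/data/acme.json", "le", [...])` with the hosts from your IngressRoutes; a `False` in `coverage` means that route will trigger a fresh ACME order rather than reuse the wildcard, and `mode_ok: False` means Traefik will refuse the store until the permissions are fixed.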