A simple how-to for configuring Traefik on Kubernetes with cert-manager, using Let's Encrypt to issue certificates. Tested on GKE.

I'm using Let's Encrypt's HTTP01 validation, so your hostnames must resolve. Other validation methods and providers work just fine.

This example assumes you intend to use an external loadBalancerIP for the ingress. (In GCP this is a regional static address.)

cert-manager stores what it needs in etcd instead of Traefik's default method of using persistent volumes. This lets you run multiple replicas on separate nodes if your k8s platform doesn't support ReadWriteMany persistent volumes.

This was just something I threw together; contributions for improving it, testing on other platforms, etc. are gladly welcome. I don't plan on making this into a Helm chart.
Install cert-manager (following the cert-manager docs' "Installing with regular manifests"):

```
$ kubectl create namespace cert-manager
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.13.1/cert-manager.yaml
$ kubectl create clusterrolebinding cluster-admin-binding \
    --clusterrole=cluster-admin \
    --user=$(gcloud config get-value core/account)
```

Verify it's running:

```
$ kubectl get pods --namespace cert-manager
```
- Modify `cert-manager/00-clusterIssuer.yaml`: replace `{{[email protected]}}` with your email address. Then run `kubectl apply -f cert-manager/00-clusterIssuer.yaml`.
- Modify `traefik/02-service.yaml`: replace `{{replace_me}}` with your external IP address.
- (Optional) Modify `traefik/04-deployment.yaml`. Change whatever you'd like. The resource limits are tuned to my environment. YMMV.
- Run `kubectl apply -f traefik`.
- Verify Traefik is now running: `kubectl get pods --namespace traefik`
- Modify `httpbin/01-certificate.yaml`:
  - Replace every `{{replace this line}}` with your hostname. IMPORTANT: this hostname must be mapped in DNS to your ingress IP to receive a TLS certificate!
- Modify `httpbin/04-traefik-ingress.yaml`:
  - Modify the `match` rules with your hostname.
  - Replace the `secretName` to match the secret name defined in `httpbin/01-certificate.yaml`.
- Run `kubectl apply -f httpbin`.
- Verify the pod is running: `kubectl get pods --namespace httpbin`
- Wait about 10-15 minutes.
- Navigate to httpbin.example.com and https://httpbin.example.com
Hopefully by this step you will have httpbin running with a valid TLS certificate.
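To make the wiring between the steps above concrete, here is an added example (not the manifests from this repo) showing the three resources you edit side by side, with the fields that must agree marked. Assumed names: ClusterIssuer `letsencrypt-prod`, Certificate `httpbin-cert`, Secret `httpbin-tls`, Service `httpbin` on port 80, Traefik entryPoint `websecure`, and hostname `httpbin.example.com`; API versions are the ones cert-manager v0.13.1 and Traefik 2.x serve.

```yaml
# Added example, not the repo's own files. Names, namespace, entryPoint and
# hostname are assumptions; substitute your own values.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Point this at https://acme-staging-v02.api.letsencrypt.org/directory while
    # testing; the production endpoint rate-limits repeated failed orders.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com            # the address 00-clusterIssuer.yaml asks you to fill in
    privateKeySecretRef:
      name: letsencrypt-prod            # ACME account key lives in a Secret (etcd), not on a PV
    solvers:
    - http01:
        ingress:
          class: traefik                # Traefik must serve the temporary challenge Ingress
---
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: httpbin-cert
  namespace: httpbin
spec:
  secretName: httpbin-tls               # (1) must equal IngressRoute spec.tls.secretName below
  dnsNames:
  - httpbin.example.com                 # (2) must resolve to the external loadBalancerIP
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: httpbin
  namespace: httpbin
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`httpbin.example.com`)  # (2) same hostname as dnsNames
    kind: Rule
    services:
    - name: httpbin
      port: 80
  tls:
    secretName: httpbin-tls             # (1) the Secret cert-manager writes the issued cert into
```

You can watch issuance with `kubectl describe certificate httpbin-cert -n httpbin`; the `Ready` condition turns `True` once the HTTP01 order completes, and the Events section shows why it is stuck if the hostname does not reach Traefik.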
- I have not been able to figure out how to get the dashboard working; it hasn't been a big deal as I don't rely on it.
- I haven't been able to figure out how to correctly forward the remote IP address.