Let’s Encrypt for AKS with Traefik v2
Part 3 of the Traefik blog explains how to configure Traefik to use an ACME provider such as Let’s Encrypt (https://letsencrypt.org/) on Azure Kubernetes Service (AKS) for automatic TLS certificate deployment, including wildcard support.
For wildcard support on AKS we need the DNS challenge. If wildcards are not needed, the TLS challenge works too. Because I need a wildcard certificate, I need the DNS challenge, and the DNS zone for the domain must be hosted in Azure. If you don’t know how to create a DNS zone in Azure, read the Microsoft documentation: https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-portal.
In the values.yaml file used in part 1 we can add additionalArguments. Make sure that you add your own email address. Also make sure to add --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory while testing: testing against Let’s Encrypt should always use the acme-staging environment, because the production environment is rate limited. See the Let’s Encrypt rate limits.
acme.storage sets where the issued certificates are kept; putting this on persistent storage is described later. Note the resolver name myresolver, as it is referenced from the IngressRoute.
Configure the values.yaml used in part 1 with the following lines:
# Configure Traefik static configuration
# Additional arguments to be passed at Traefik's binary
# All available options available on https://docs.traefik.io/reference/static-configuration/cli/
## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
additionalArguments:
  - --certificatesresolvers.myresolver.acme.dnschallenge.provider=azure
  - --certificatesresolvers.myresolver.acme.dnschallenge=true
  - --certificatesresolvers.myresolver.acme.email=youremail@yourdomain.com
  - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
  - --certificatesresolvers.myresolver.acme.storage=/data/acme.json
After updating the values.yaml you have to update the helm deployment:
helm upgrade --namespace=traefik --values=values.yaml traefik traefik/traefik
After the update, the tls section needs to be added to the IngressRoute. I’ve also added a HostRegexp rule that matches all subdomains consisting of a-z, 0-9 and - in the name, covered by the wildcard certificate, and sends them to another service. Apply the updated IngressRoute with:
kubectl apply -f ingressroute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingress-app1
  namespace: app1
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`www.cloudt.it`)
      kind: Rule
      # Traefik v2 orders routes by rule length by default, and the longer HostRegexp
      # rule below also matches www.cloudt.it; an explicit priority keeps www on app1.
      priority: 10
      services:
        - name: app1-service
          port: 80
    - match: HostRegexp(`cloudt.it`, `{subdomain:[a-z0-9-]+}.cloudt.it`)
      kind: Rule
      services:
        - name: app2-service
          port: 80
  tls:
    certResolver: myresolver
    domains:
      - main: cloudt.it
        sans:
          - "*.cloudt.it"
After this your website should have a temporary (staging) certificate, which browsers do not trust. Once we’re done testing we can remove or comment out the following line and upgrade the Traefik deployment again:
- --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
We can store certificates on persistent storage by changing the values.yaml file:
# Enable persistence using Persistent Volume Claims
# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
# After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
# additionalArguments:
# - "--certificatesresolvers.le.acme.storage=/data/acme.json"
# It will persist TLS certificates.
persistence:
  enabled: true
  name: data
  # existingClaim: ""
  accessMode: ReadWriteOnce
  size: 128Mi
  # must match the metadata.name of the StorageClass created below
  storageClass: managed-premium-retain
  path: /data
  annotations: {}
  # subPath: "" # only mount a subpath of the Volume into the pod
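To confirm what Traefik actually wrote to /data/acme.json after the upgrade, here is an added Python script; it is not from the original post or from the Traefik project. It reads the store, reports per certificate resolver which Let’s Encrypt CA the account was registered with (staging or production) and which names the stored certificate covers, and checks that the file mode is 0600, which Traefik requires for acme.json. The JSON layout follows what Traefik v2 writes; the embedded sample is constructed and its key and certificate payloads are placeholders, not real material.

```python
"""Inspect a Traefik v2 acme.json certificate store (added example)."""
import json
import os
import stat
import tempfile

STAGING_HOST = "acme-staging-v02.api.letsencrypt.org"

# Constructed sample in the shape Traefik v2 writes to acme.json. The account
# URI is what distinguishes a staging registration from a production one.
SAMPLE_ACME_JSON = {
    "myresolver": {
        "Account": {
            "Email": "youremail@yourdomain.com",
            "Registration": {
                "body": {"status": "valid"},
                "uri": "https://acme-staging-v02.api.letsencrypt.org/acme/acct/12345678",
            },
            "PrivateKey": "<constructed placeholder, not a real key>",
            "KeyType": "4096",
        },
        "Certificates": [
            {
                "domain": {"main": "cloudt.it", "sans": ["*.cloudt.it"]},
                "certificate": "<constructed placeholder>",
                "key": "<constructed placeholder>",
                "Store": "default",
            }
        ],
    }
}


def make_sample_file(mode=0o600):
    """Write the constructed sample into a fresh temp dir with the given mode."""
    path = os.path.join(tempfile.mkdtemp(), "acme.json")
    with open(path, "w") as fh:
        json.dump(SAMPLE_ACME_JSON, fh)
    os.chmod(path, mode)
    return path


def permissions_ok(path):
    """Traefik refuses to use acme.json unless it is owner read/write only (0600)."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o600


def summarize_store(data):
    """Per resolver: account email, staging flag, and the names the certificates cover."""
    summary = {}
    for resolver, store in data.items():
        account = store.get("Account") or {}
        uri = (account.get("Registration") or {}).get("uri", "")
        names = []
        for cert in store.get("Certificates") or []:
            domain = cert.get("domain") or {}
            if domain.get("main"):
                names.append(domain["main"])
            names.extend(domain.get("sans") or [])
        summary[resolver] = {
            "email": account.get("Email", ""),
            "staging": STAGING_HOST in uri,
            "names": names,
        }
    return summary


def inspect_acme_file(path):
    """Load acme.json from disk and combine the permission check with the summary."""
    with open(path) as fh:
        data = json.load(fh)
    return {"permissions_ok": permissions_ok(path), "resolvers": summarize_store(data)}


if __name__ == "__main__":
    # Deliberately write the sample with a too-open mode to show the check firing.
    report = inspect_acme_file(make_sample_file(0o644))
    for resolver, info in report["resolvers"].items():
        ca = "STAGING (not browser-trusted)" if info["staging"] else "production"
        print(f"{resolver}: {info['email']} registered with {ca}; names={info['names']}")
    print("acme.json mode is 0600:", report["permissions_ok"])
```

Copy the file out of the running pod first, for example with kubectl cp traefik/<traefik-pod>:/data/acme.json ./acme.json (pod name is a placeholder), then run the script against that copy. If the resolver still reports a staging registration after you removed the staging caserver line, the store was created while staging was configured and is worth a second look before you rely on the certificate.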
The StorageClass is created with the YAML below. This is an Azure disk; I will change this to Azure Files later.
kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: managed-premium-retain
provisioner: kubernetes.io/azure-disk
reclaimPolicy: Retain
parameters:
  storageaccounttype: Premium_LRS
  kind: Managed