📝 Merge and simplify TLS examples
mloiseleur authored Mar 17, 2023
1 parent f91858a commit 6593c0e
Showing 1 changed file with 21 additions and 31 deletions.
52 changes: 21 additions & 31 deletions EXAMPLES.md
Expand Up @@ -277,9 +277,15 @@ additionalArguments:
- "--experimental.plugins.bouncer.version=v1.1.9"
```

# Use Traefik Let's Encrypt Integration with CloudFlare
# Use Traefik native Let's Encrypt integration, without cert-manager

It needs a CloudFlare token in a Kubernetes `Secret` and a working Storage Class
In Traefik Proxy, ACME certificates are stored in a JSON file.

This file needs to have 0600 permissions, meaning, only the owner of the file has full read and write access to it.
By default, Kubernetes recursively changes ownership and permissions for the content of each volume.

=> An initContainer can be used to avoid an issue on this sensitive file.
See [#396](https://github.com/traefik/traefik-helm-chart/issues/396) for more details.

```yaml
persistence:
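Review bot: the line "=> An initContainer can be used to avoid an issue on this sensitive file" names no issue, although the two preceding lines already spell it out (the file must be 0600, and Kubernetes' recursive ownership/permission change on the volume can leave it wider than that); say it directly, e.g. "An initContainer resets the file to 0600 after Kubernetes has applied its volume permissions." Minor: "0600 permissions, meaning, only the owner" should drop the second comma.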
Expand All @@ -296,8 +302,17 @@ env:
secretKeyRef:
name: yyy
key: zzz
deployment:
initContainers:
- name: volume-permissions
image: busybox:latest
command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
```

This example needs a CloudFlare token in a Kubernetes `Secret` and a working `StorageClass`.

See [the list of supported providers](https://doc.traefik.io/traefik/https/acme/#providers) for others.

# Provide default certificate with cert-manager and CloudFlare DNS

Setup:
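Review bot: the initContainer at `command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]` creates the file as whatever user the init container runs as and never changes its owner, and mode 600 grants access to the owner only, so Traefik can only read and write the file if it runs as that same user. The example removed further down in this commit carried a `chown 65532:65532 /data/acme.json` step for exactly this reason; either restore it or add a comment stating which user the Traefik container is expected to run as. `image: busybox:latest` is also unpinned; pin a version tag (or a digest) so the init step does not silently change underneath the chart.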
Expand All @@ -308,6 +323,7 @@ Setup:
**Step 1**: Create `Secret` and `Issuer` needed by `cert-manager` with your API Token.
See [cert-manager documentation](https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/)
for creating this token with needed rights:

```yaml
---
apiVersion: v1
Expand Down Expand Up @@ -340,6 +356,7 @@ spec:
```

**Step 2**: Create `Certificate` in traefik namespace

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
Expand All @@ -365,6 +382,7 @@ kubectl get certificate -n traefik
If needed, logs of cert-manager pod can give you more information

**Step 4**: Use it on the TLS Store in **values.yaml** file for this Helm Chart

```yaml
tlsStore:
default:
Expand All @@ -375,6 +393,7 @@ tlsStore:
**Step 5**: Enjoy. All your `IngressRoute` use this certificate by default now.

They should use websecure entrypoint like this:

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
Expand All @@ -390,32 +409,3 @@ spec:
- name: XXXX
port: 80
```
# Keep TLS certificates on persistent volume
This example is using the default StorageClass. If needed, you can set your own.
In Traefik Proxy, ACME certificates are stored in a JSON file that needs to have a
0600 file mode. By default, Kubernetes recursively changes ownership and
permissions for the content of each volume. An initContainer is used to
avoid an issue on this sensitive file. See
[#396](https://github.com/traefik/traefik-helm-chart/issues/396) for more details.
```yaml
additionalArguments:
- "--certificatesresolvers.letsencrypt.acme.email=my.email@my.company.com" # - <= Put your email here
- "--certificatesResolvers.letsencrypt.acme.tlschallenge=true"
- "--certificatesresolvers.le.acme.storage=/data/acme.json"
deployment:
initContainers:
- name: volume-permissions
image: busybox:latest
command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json; chown 65532:65532 /data/acme.json"]
persistence:
enabled: true
accessMode: ReadWriteOnce
size: 128Mi
path: /data
# storageClass: "specific-storage-class"
# annotations: {}
```
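Review bot: worth stating in the commit message that this removal also drops a latent bug rather than just a duplicate: the old block configured the resolver as `letsencrypt` on the email and tlschallenge flags but pointed the storage flag at a resolver named `le` (`--certificatesresolvers.le.acme.storage=/data/acme.json`), so the `/data/acme.json` path never applied to the resolver being set up. Also note that `chown 65532:65532 /data/acme.json` is the one part of this block with no counterpart in the merged initContainer above; if that drop is deliberate, say why.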
