traefik · traefiker · May 31, 2022 · May 15, 2021 · May 15, 2021 · May 15, 2021
diff --git a/traefik/Chart.yaml b/traefik/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: traefik
 description: A Traefik based Kubernetes ingress controller
 type: application
-version: 10.20.0
+version: 10.20.1
 appVersion: 2.7.0
 keywords:
   - traefik

diff --git a/traefik/templates/_podtemplate.tpl b/traefik/templates/_podtemplate.tpl
@@ -274,6 +274,17 @@
           {{- if hasKey .Values.pilot "dashboard" }}
           - "--pilot.dashboard={{ .Values.pilot.dashboard }}"
           {{- end }}
+          {{- range $resolver, $config := $.Values.certResolvers }}
+          {{- range $option, $setting := $config }}
+          {{- if kindIs "map" $setting }}
+          {{- range $field, $value := $setting }}
+          - "--certificatesresolvers.{{ $resolver }}.acme.{{ $option }}.{{ $field }}={{ if kindIs "slice" $value }}{{ join "," $value }}{{ else }}{{ $value }}{{ end }}"
+          {{- end }}
+          {{- else }}
+          - "--certificatesresolvers.{{ $resolver }}.acme.{{ $option }}={{ $setting }}"
+          {{- end }}
+          {{- end }}
+          {{- end }}
           {{- with .Values.additionalArguments }}
           {{- range . }}
           - {{ . | quote }}

diff --git a/traefik/tests/pod-config_test.yaml b/traefik/tests/pod-config_test.yaml
@@ -232,6 +232,34 @@ tests:
       - contains:
           path: spec.template.spec.containers[0].args
           content: "--providers.kubernetesgateway"
+  - it: should have the certificate resolver options applied
+    set:
+      certResolvers:
+        myAcmeResolver:
+          email: email@example.com
+          dnsChallenge:
+            provider: myProvider
+            resolvers:
+              - 1.1.1.1
+              - 8.8.8.8
+          tlsChallenge: true
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content:
+            "--certificatesresolvers.myAcmeResolver.acme.email=email@example.com"
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content:
+            "--certificatesresolvers.myAcmeResolver.acme.dnsChallenge.provider=myProvider"
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content:
+            "--certificatesresolvers.myAcmeResolver.acme.dnsChallenge.resolvers=1.1.1.1,8.8.8.8"
+      - contains:
+          path: spec.template.spec.containers[0].args
+          content:
+            "--certificatesresolvers.myAcmeResolver.acme.tlsChallenge=true"
   - it: should have the pilot dashboard enabled by default
     asserts:
       - notContains:

diff --git a/traefik/values.yaml b/traefik/values.yaml
@@ -433,6 +433,27 @@ persistence:
   annotations: {}
   # subPath: "" # only mount a subpath of the Volume into the pod
 
+certResolvers: {}
+#   letsencrypt:
+#     # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
+#     email: email@example.com
+#     dnsChallenge:
+#       # also add the provider's required configuration under env
+#       # or expand then from secrets/configmaps with envfrom
+#       # cf. https://doc.traefik.io/traefik/https/acme/#providers
+#       provider: digitalocean
+#       # add futher options for the dns challenge as needed
+#       # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge
+#       delayBeforeCheck: 30
+#       resolvers:
+#         - 1.1.1.1
+#         - 8.8.8.8
+#     tlsChallenge: true
+#     httpChallenge:
+#       entryPoint: "web"
+#     # match the path to persistence
+#     storage: /data/acme.json
+
 # If hostNetwork is true, runs traefik in the host network namespace
 # To prevent unschedulabel pods due to port collisions, if hostNetwork=true
 # and replicas>1, a pod anti-affinity is recommended and will be set if the