Less talk, more code

The blog of Iskandar Soesman

Kubernetes Traefik and Letsencrypt

Just like everyone in #4349, #4279 and #2931, I struggled a bit when trying to implement Traefik in Kubernetes with Let's Encrypt while storing all the generated certificates in a file. After trying a couple of times, I finally found these simple steps to run it. Be aware that this doc is meant for a quick understanding of running Traefik in Kubernetes with Let's Encrypt enabled, and the following configuration is not suitable for a production environment. For this tutorial, I use Traefik version 1.7.

First, create a folder to store all the generated certificates. Adjust the path to your own folder location.

mkdir -p /data/volumes/traefik

Enable the ClusterRoleBinding for Traefik, as described in the docs:

kubectl apply -f https://raw.githubusercontent.com/containous/traefik/v1.7/examples/k8s/traefik-rbac.yaml

Here's my YAML example:

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-ingress-controller
  namespace: kube-system
  labels:
    k8s-app: traefik-ingress-lb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  template:
    metadata:
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      tolerations:
        - key: "node-role.kubernetes.io/master"
          effect: "NoSchedule"
          operator: "Exists"
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      containers:
      - image: traefik:v1.7
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
        name: traefik-ingress-lb
        volumeMounts:
        - mountPath: /etc/traefik
          name: traefik-volume
        args:
        - --kubernetes
        - --kubernetes.watch
        - --logLevel=DEBUG
        - --defaultentrypoints=http,https
        - --entrypoints=Name:https Address::443 TLS
        - --entrypoints=Name:http Address::80
        - --acme
        - --acme.caserver=https://acme-v02.api.letsencrypt.org/directory
        # use your own email for this
        - --acme.email=YOUR-EMAIL@WEBSITE.COM
        - --acme.entrypoint=https
        - --acme.onhostrule=true
        - --acme.storage=/etc/traefik/acme.json
        - --acme.ondemand=true
        - --acme.tlschallenge=true
      volumes:
      - name: traefik-volume
        hostPath:
          path: /data/volumes/traefik
          type: Directory
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: kube-system
spec:
  selector:
    k8s-app: traefik-ingress-lb
  ports:
    - protocol: TCP
      port: 80
      name: http
    - protocol: TCP
      port: 443
      name: https
  externalIPs:
    # use your internet facing IP on this
    - x.x.x.x
    - x.x.x.x
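
The hostPath directory above ends up holding acme.json, which contains the ACME account key and the private keys of every issued certificate, and Traefik 1.7 rejects that file when its permissions are more open than 600. The following preflight check for the node is an added example, not part of the original post; the function name check_acme_store is hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example: preflight check for the directory mounted at /etc/traefik.
# check_acme_store is a hypothetical helper; assumes GNU `stat` (Linux node).
# Returns: 0 ok, 1 directory missing, 2 directory writable by group/others,
#          3 acme.json is not a regular file, 4 acme.json mode too open.
check_acme_store() {
    dir=$1
    store="$dir/acme.json"

    # hostPath "type: Directory" requires the path to exist already.
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 1
    fi

    # A directory writable by group/others lets other local users replace
    # or delete acme.json, whatever the file's own mode is.
    dmode=$(stat -c '%a' "$dir")
    if [ $(( 0$dmode & 022 )) -ne 0 ]; then
        echo "$dir is writable by group/others (mode $dmode)" >&2
        return 2
    fi

    # No acme.json yet is fine: Traefik creates it on first start.
    [ -e "$store" ] || [ -L "$store" ] || return 0

    # Reject symlinks and anything else that is not a plain file.
    if [ -L "$store" ] || [ ! -f "$store" ]; then
        echo "$store is not a regular file" >&2
        return 3
    fi

    # The file holds the ACME account key and every certificate's private
    # key, so no group/other permission bits may be set (600 or stricter).
    fmode=$(stat -c '%a' "$store")
    if [ $(( 0$fmode & 077 )) -ne 0 ]; then
        echo "$store mode $fmode is too open, use 600" >&2
        return 4
    fi
    return 0
}

# Usage: sh check.sh /data/volumes/traefik
if [ "$#" -gt 0 ]; then check_acme_store "$1"; fi
```

Run it on the node that hosts the directory before applying the manifest, and again after the first certificate has been issued.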

Good luck!