TRAEFIK v2 (Part 3)

Let’s Encrypt for AKS with Traefik v2

Part 3 of the Traefik blog series explains how to configure Traefik to use an ACME provider such as Let’s Encrypt (https://letsencrypt.org/) on Azure Kubernetes Service (AKS) for automatic SSL certificate deployment, including wildcard support.

For wildcard support in Azure’s AKS we need a dnschallenge. If wildcards are not needed, you can use a tlschallenge instead. Because I need a wildcard certificate, I need the dnschallenge, and the DNS needs to be hosted in Azure. To make the dnschallenge work we need a DNS zone in Azure. If you don’t know how to create a DNS zone in Azure, read the Microsoft documentation: https://docs.microsoft.com/en-us/azure/dns/dns-getstarted-portal.

In the values.yaml file used in part 1 we can add additionalArguments. Make sure that you add your email address. Also make sure to add --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory. Testing with Let’s Encrypt should always use the acme-staging environment. See Let’s Encrypt rate limits.

The acme.storage option allows you to store the certificates on persistent storage, which will be described later. Note the resolver name myresolver, as this will be used in the IngressRoute.

Configure the values.yaml used in part 1 with the following lines:

# Configure Traefik static configuration
# Additional arguments to be passed at Traefik's binary
# All available options available on https://docs.traefik.io/reference/static-configuration/cli/
## Use curly braces to pass values: `helm install --set="additionalArguments={--providers.kubernetesingress.ingressclass=traefik-internal,--log.level=DEBUG}"`
additionalArguments:
   - --certificatesresolvers.myresolver.acme.dnschallenge.provider=azure
   - --certificatesresolvers.myresolver.acme.dnschallenge=true
   - --certificatesresolvers.myresolver.acme.email=youremail@yourdomain.com
   - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
   - --certificatesresolvers.myresolver.acme.storage=/data/acme.json

After updating the values.yaml you have to update the helm deployment:

helm upgrade --namespace=traefik --values=values.yaml traefik traefik/traefik

After the update, the TLS section needs to be added to the IngressRoute. I’ve also added a HostRegexp that uses the wildcard to match all subdomains with a-z, 0-9 and - in the name; those requests are sent to another service. Apply the updated IngressRoute with:

kubectl apply -f ingressroute.yaml

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingress-app1
  namespace: app1
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`www.cloudt.it`)
    kind: Rule
    services:
    - name: app1-service
      port: 80
  - match: HostRegexp(`cloudt.it`, `{subdomain:[a-z0-9-]+}.cloudt.it`)
    kind: Rule
    services:
    - name: app2-service
      port: 80
  tls:
    certResolver: myresolver
    domains: 
     - main: cloudt.it
       sans:
         - "*.cloudt.it"

After this your website should have a temporary certificate from the staging environment. Once we’re done testing we can remove or comment out the following line and upgrade the Traefik deployment.

- --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory

We can store certificates on persistent storage by changing the values.yaml file:

# Enable persistence using Persistent Volume Claims
# ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
# After the pvc has been mounted, add the configs into traefik by using the `additionalArguments` list below, eg:
#  additionalArguments:
#  - "--certificatesresolvers.le.acme.storage=/data/acme.json"
# It will persist TLS certificates.
persistence:
  enabled: true
  name: data
#  existingClaim: ""
  accessMode: ReadWriteOnce
  size: 128Mi
  storageClass: managed-premium-retain  # must match the name of the StorageClass created below
  path: /data
  annotations: {}
  # subPath: "" # only mount a subpath of the Volume into the pod

The storageClass is created with the yaml below. This is an Azure disk and I will change this to Azure Files later.

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  name: managed-premium-retain
provisioner: kubernetes.io/azure-disk
reclaimPolicy: Retain
parameters:
  storageaccounttype: Premium_LRS
  kind: Managed
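
A pre-flight consistency check for the configuration built up in this post, as an added example that is not part of the original post or of Traefik. It flags a staging caserver left in place, an acme.storage path outside the persistence mount, and an IngressRoute certResolver that no resolver defines; the function name preflight and the line-based parsing (no YAML library) are assumptions of this example.

```python
import re

# Constructed inputs: trimmed copies of the values.yaml and IngressRoute above.
VALUES_YAML = """\
additionalArguments:
   - --certificatesresolvers.myresolver.acme.dnschallenge.provider=azure
   - --certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
   - --certificatesresolvers.myresolver.acme.storage=/data/acme.json
persistence:
  enabled: true
  path: /data
"""
INGRESSROUTE_YAML = """\
  tls:
    certResolver: myresolver
"""

ARG = re.compile(r"--certificatesresolvers\.([^.\s]+)\.acme\.([\w.]+)=(\S+)", re.I)
def preflight(values_text, ingress_text):
    """Return findings for the ACME setup; an empty list means consistent."""
    # Drop comment lines so commented-out example arguments are ignored.
    active = "\n".join(l for l in values_text.splitlines()
                       if not l.lstrip().startswith("#"))
    resolvers = {}
    for name, key, value in ARG.findall(active):
        resolvers.setdefault(name, {})[key.lower()] = value.strip("\"'")
    # Mount path of the volume, only if the persistence block is enabled.
    m = re.search(r"^persistence:\n((?: .*\n?)+)", active, re.M)
    block = m.group(1) if m else ""
    path = re.search(r"^\s+path:\s*(\S+)", block, re.M)
    enabled = re.search(r"^\s+enabled:\s*true\b", block, re.M)
    mount = path.group(1).rstrip("/") if (path and enabled) else None
    findings = []
    for name, opts in resolvers.items():
        if "staging" in opts.get("caserver", ""):
            findings.append(f"{name}: caserver is the staging CA")
        storage = opts.get("storage")
        if not storage:
            findings.append(f"{name}: acme.storage is not set")
        elif mount is None or not storage.startswith(mount + "/"):
            findings.append(f"{name}: {storage} is not on the persistent volume")
    # Every certResolver an IngressRoute references must be defined above.
    for used in re.findall(r"certResolver:\s*(\S+)", ingress_text):
        if used not in resolvers:
            findings.append(f"IngressRoute uses undefined resolver {used}")
    return findings

if __name__ == "__main__":
    print(*preflight(VALUES_YAML, INGRESSROUTE_YAML), sep="\n")
```

Run it against the real files before each helm upgrade; an empty result means the resolver name, storage path and CA endpoint agree with each other.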
