From edc25dea7330fbe1b79b430777b23fbf66053a11 Mon Sep 17 00:00:00 2001
From: Michel Loiseleur
Date: Wed, 15 Mar 2023 09:56:17 +0100
Subject: [PATCH 1/7] :memo: Merge and simplify TLS examples

---
 EXAMPLES.md | 51 ++++++++++++++++++++-------------------------------
 1 file changed, 20 insertions(+), 31 deletions(-)

diff --git a/EXAMPLES.md b/EXAMPLES.md
index 33c996681..c9ec661f1 100644
--- a/EXAMPLES.md
+++ b/EXAMPLES.md
@@ -277,9 +277,16 @@ additionalArguments:
 - "--experimental.plugins.bouncer.version=v1.1.9"
 ```
 
-# Use Traefik Let's Encrypt Integration with CloudFlare
+# Use Traefik native Let's Encrypt Integration, without cert-manager
+
+This example is with CloudFlare, see here for other providers.
+
+In Traefik Proxy, ACME certificates are stored in a JSON file that needs to have a
+0600 file mode. By default, Kubernetes recursively changes ownership and
+permissions for the content of each volume. An initContainer is used to
+avoid an issue on this sensitive file. See
+[#396](https://github.com/traefik/traefik-helm-chart/issues/396) for more details.
 
-It needs a CloudFlare token in a Kubernetes `Secret` and a working Storage Class
 
 ```yaml
 persistence:
@@ -296,8 +303,15 @@ env:
 secretKeyRef:
 name: yyy
 key: zzz
+deployment:
+ initContainers:
+ - name: volume-permissions
+ image: busybox:latest
+ command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
 ```
 
+It needs a CloudFlare token in a Kubernetes `Secret` and a working Storage Class.
+
 # Provide default certificate with cert-manager and CloudFlare DNS
 
 Setup:
@@ -308,6 +322,7 @@ Setup:
 **Step 1**: Create `Secret` and `Issuer` needed by `cert-manager` with your API Token.
 See [cert-manager documentation](https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/)
 for creating this token with needed rights:
+
 ```yaml
 ---
 apiVersion: v1
@@ -340,6 +355,7 @@ spec:
 ```
 
 **Step 2**: Create `Certificate` in traefik namespace
+
 ```yaml
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -365,6 +381,7 @@ kubectl get certificate -n traefik
 If needed, logs of cert-manager pod can give you more information
 
 **Step 4**: Use it on the TLS Store in **values.yaml** file for this Helm Chart
+
 ```yaml
 tlsStore:
 default:
@@ -375,6 +392,7 @@ tlsStore:
 
 **Step 5**: Enjoy. All your `IngressRoute` use this certificate by default now.
 They should use websecure entrypoint like this:
+
 ```yaml
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRoute
@@ -390,32 +408,3 @@ spec:
 - name: XXXX
 port: 80
 ```
-
-# Keep TLS certificates on persistent volume
-
-This example is using the default StorageClass. If needed, you can set your own.
-
-In Traefik Proxy, ACME certificates are stored in a JSON file that needs to have a
-0600 file mode. By default, Kubernetes recursively changes ownership and
-permissions for the content of each volume. An initContainer is used to
-avoid an issue on this sensitive file. See
-[#396](https://github.com/traefik/traefik-helm-chart/issues/396) for more details.
-
-```yaml
-additionalArguments:
- - "--certificatesresolvers.letsencrypt.acme.email=my.email@my.company.com" # - <= Put your email here
- - "--certificatesResolvers.letsencrypt.acme.tlschallenge=true"
- - "--certificatesresolvers.le.acme.storage=/data/acme.json"
-deployment:
- - initContainers:
- - name: volume-permissions
- - image: busybox:latest
- - command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json; chown 65532:65532 /data/acme.json"]
-persistence:
- - enabled: true
- - accessMode: ReadWriteOnce
- - size: 128Mi
- - path: /data
- - # storageClass: "specific-storage-class"
- - # annotations: {}
 ```

From 2ce054407bea9c81889c719fdc80805b89fd2325 Mon Sep 17 00:00:00 2001
From: mloiseleur <97035654+mloiseleur@users.noreply.github.com>
Date: Wed, 15 Mar 2023 10:20:47 +0100
Subject: [PATCH 2/7] Update EXAMPLES.md

Co-authored-by: sven
---
 EXAMPLES.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/EXAMPLES.md b/EXAMPLES.md
index c9ec661f1..2be02d8fd 100644
--- a/EXAMPLES.md
+++ b/EXAMPLES.md
@@ -277,7 +277,7 @@ additionalArguments:
 - "--experimental.plugins.bouncer.version=v1.1.9"
 ```
 
-# Use Traefik native Let's Encrypt Integration, without cert-manager
+# Use Traefik native Let's Encrypt integration, without cert-manager
 
 This example is with CloudFlare, see here for other providers.
 

From 0d13c7215bd361b04253164f70658dcc935c2472 Mon Sep 17 00:00:00 2001
From: Michel Loiseleur
Date: Wed, 15 Mar 2023 10:23:33 +0100
Subject: [PATCH 3/7] add missing link

---
 EXAMPLES.md | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/EXAMPLES.md b/EXAMPLES.md
index 2be02d8fd..10a045085 100644
--- a/EXAMPLES.md
+++ b/EXAMPLES.md
@@ -279,7 +279,8 @@ additionalArguments:
 
 # Use Traefik native Let's Encrypt integration, without cert-manager
 
-This example is with CloudFlare, see here for other providers.
+This example is with CloudFlare, see [here](https://doc.traefik.io/traefik/https/acme/#providers)
+for other providers.
 
 In Traefik Proxy, ACME certificates are stored in a JSON file that needs to have a
 0600 file mode. By default, Kubernetes recursively changes ownership and

From f3afec11036d0457788b26e508c4362a165d0be5 Mon Sep 17 00:00:00 2001
From: Michel Loiseleur
Date: Wed, 15 Mar 2023 10:29:47 +0100
Subject: [PATCH 4/7] improve sentences

---
 EXAMPLES.md | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/EXAMPLES.md b/EXAMPLES.md
index 10a045085..7bd4f4b58 100644
--- a/EXAMPLES.md
+++ b/EXAMPLES.md
@@ -279,15 +279,15 @@ additionalArguments:
 
 # Use Traefik native Let's Encrypt integration, without cert-manager
 
-This example is with CloudFlare, see [here](https://doc.traefik.io/traefik/https/acme/#providers)
-for other providers.
+In Traefik Proxy, ACME certificates are stored in a JSON file.
 
-In Traefik Proxy, ACME certificates are stored in a JSON file that needs to have a
-0600 file mode. By default, Kubernetes recursively changes ownership and
-permissions for the content of each volume. An initContainer is used to
-avoid an issue on this sensitive file. See
-[#396](https://github.com/traefik/traefik-helm-chart/issues/396) for more details.
+This file needs to have 0600 permissions, meaning, only the owner of
+the file has full read and write access to it.
+By default, Kubernetes recursively changes ownership and
+permissions for the content of each volume.
+=> An initContainer can be used to avoid an issue on this sensitive file.
+See [#396](https://github.com/traefik/traefik-helm-chart/issues/396) for more details.
 
 
 ```yaml
 persistence:
@@ -311,7 +311,9 @@ deployment:
 command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
 ```
 
-It needs a CloudFlare token in a Kubernetes `Secret` and a working Storage Class.
+This example needs a CloudFlare token in a Kubernetes `Secret` and a working Storage Class.
+
+See [here](https://doc.traefik.io/traefik/https/acme/#providers) for other providers.
 
 # Provide default certificate with cert-manager and CloudFlare DNS
 

From dc060f63ce39a8392b3f4d98d204aeed2f776af2 Mon Sep 17 00:00:00 2001
From: Michel Loiseleur
Date: Wed, 15 Mar 2023 10:30:51 +0100
Subject: [PATCH 5/7] fix StorageClass wording

---
 EXAMPLES.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/EXAMPLES.md b/EXAMPLES.md
index 7bd4f4b58..8cfd86f7d 100644
--- a/EXAMPLES.md
+++ b/EXAMPLES.md
@@ -311,7 +311,7 @@ deployment:
 command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
 ```
 
-This example needs a CloudFlare token in a Kubernetes `Secret` and a working Storage Class.
+This example needs a CloudFlare token in a Kubernetes `Secret` and a working `StorageClass`.
 
 See [here](https://doc.traefik.io/traefik/https/acme/#providers) for other providers.
 

From f2b489a54cb5347beecccf1231e4ca786fd3b1e0 Mon Sep 17 00:00:00 2001
From: mloiseleur <97035654+mloiseleur@users.noreply.github.com>
Date: Wed, 15 Mar 2023 10:37:32 +0100
Subject: [PATCH 6/7] Update EXAMPLES.md

Co-authored-by: sven
---
 EXAMPLES.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/EXAMPLES.md b/EXAMPLES.md
index 8cfd86f7d..406ac3fc1 100644
--- a/EXAMPLES.md
+++ b/EXAMPLES.md
@@ -313,7 +313,7 @@ deployment:
 
 This example needs a CloudFlare token in a Kubernetes `Secret` and a working `StorageClass`.
 
-See [here](https://doc.traefik.io/traefik/https/acme/#providers) for other providers.
+See [the list of supported providers](https://doc.traefik.io/traefik/https/acme/#providers) for others.
 
 # Provide default certificate with cert-manager and CloudFlare DNS
 

From f2873a546d3d0a3de0465a033ff1a36ab623f827 Mon Sep 17 00:00:00 2001
From: mloiseleur <97035654+mloiseleur@users.noreply.github.com>
Date: Wed, 15 Mar 2023 10:38:48 +0100
Subject: [PATCH 7/7] Update EXAMPLES.md

Co-authored-by: Ludovic Fernandez
---
 EXAMPLES.md | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/EXAMPLES.md b/EXAMPLES.md
index 406ac3fc1..5cd0422db 100644
--- a/EXAMPLES.md
+++ b/EXAMPLES.md
@@ -281,10 +281,8 @@ additionalArguments:
 
 In Traefik Proxy, ACME certificates are stored in a JSON file.
 
-This file needs to have 0600 permissions, meaning, only the owner of
-the file has full read and write access to it.
-By default, Kubernetes recursively changes ownership and
-permissions for the content of each volume.
+This file needs to have 0600 permissions, meaning, only the owner of the file has full read and write access to it.
+By default, Kubernetes recursively changes ownership and permissions for the content of each volume.
 => An initContainer can be used to avoid an issue on this sensitive file.
 See [#396](https://github.com/traefik/traefik-helm-chart/issues/396) for more details.