Traefik with Cert Manager + Cloudflare
This is a simple tutorial that shows how to configure Traefik with cert-manager, using the ACME DNS-01 challenge with Cloudflare as the DNS provider.
Configuring Traefik through the official Helm Chart Repo
Add Traefik's chart repository to Helm:
helm repo add traefik https://helm.traefik.io/traefik
helm repo update
Install Traefik with custom values:
kubectl create namespace traefik
helm upgrade --install traefik -f traefik/values.yaml traefik/traefik -n traefik
Deploy Cert Manager
Install Cert-Manager 1.5.3
kubectl apply -f cert-manager/
Create Cloudflare API Token to manage your domain / domains
According to the cert-manager documentation, in order to use Cloudflare you have to create an API Token with the appropriate permissions (cert-manager recommends a scoped API Token over the legacy Global API Key, which grants full access to the account). Create it at User Profile -> API Tokens -> API Token.
The token needs to have the following settings:
- Permissions
  - Zone - DNS - Edit
  - Zone - Zone - Read
- Zone Resources
  - Include - All Zones, or Include - Specific Zone and select the domain from the drop-down list.
Prefer scoping the token to the specific zone(s) cert-manager will manage: the token ends up in a Secret inside the cluster, and a zone-scoped token limits the blast radius of a leak to the DNS records of those zones.
Configure Cert Manager and create the appropriate objects
The API token should be placed in a Kubernetes Secret in the cert-manager namespace (a ClusterIssuer resolves the Secrets it references in that namespace). It can be generated with the following command:
kubectl create secret generic cloudflare-api-token-secret --from-literal=api-token=<API_TOKEN> -n cert-manager --dry-run=client -o yaml > cloudflare-api-token-secret.yaml
The generated file holds the token base64-encoded under data:, which is encoding, not encryption; keep it out of version control, or drop the --dry-run/-o yaml part and apply the Secret directly. The equivalent manifest, written with stringData so the token can be given in plain text:
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-token: <API Token>
Then you need to create a ClusterIssuer, which can be consumed from multiple namespaces; an Issuer, on the other hand, is namespace-scoped and can only issue certificates in its own namespace. While testing, point server at the Let's Encrypt staging directory (https://acme-staging-v02.api.letsencrypt.org/directory) to stay clear of the production rate limits, then switch back to the production URL below.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cloudflare-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <email@domain.org> # fix-me
    # name of the secret that stores the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - dns01:
        cloudflare:
          email: <cloudflare-email-address> # fix-me; only required with the legacy Global API Key, optional with an API Token
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: api-token
Obtain a TLS certificate using created Cluster Issuer
Create the certificate request manifest:
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: whoami-prod
  namespace: app
spec:
  commonName: whoami.ds36.net
  secretName: whoami-prod
  issuerRef:
    name: cloudflare-issuer
    kind: ClusterIssuer
  dnsNames:
  - "whoami.ds36.net"
  - "whoami-prod.ds36.net"
Deploying sample application
Just deploy the manifest using the command:
kubectl apply -f whoami/
In the created IngressRoute, the TLS section (spec.tls.secretName) must reference the Secret that cert-manager created for the Certificate, i.e. the name given in the Certificate's spec.secretName (whoami-prod here). The IngressRoute has to live in the same namespace as the Certificate (app), because Traefik only reads tls.secretName from the IngressRoute's own namespace. You can confirm the certificate was issued before wiring it up with kubectl get certificate whoami-prod -n app (READY should be True) and kubectl get secret whoami-prod -n app.
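The following manifests are an added example of what the IngressRoute wiring described above looks like; they are not the contents of the tutorial's whoami/ directory. Assumptions: the Traefik Helm chart's default entry points web (HTTP) and websecure (HTTPS), a Service named whoami on port 80 in the app namespace, and the traefik.containo.us/v1alpha1 API group used by Traefik 2.x at the time of cert-manager 1.5.3. The HTTP route exists only to redirect to HTTPS, so no plaintext traffic reaches the application.

```yaml
# Added example, not the tutorial's own whoami/ manifests.
# Assumed: entry points "web"/"websecure" (chart defaults), Service "whoami" on port 80.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
  namespace: app
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
# Plain-HTTP route: only redirects to HTTPS, serves nothing itself.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-http
  namespace: app
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`whoami.ds36.net`) || Host(`whoami-prod.ds36.net`)
      kind: Rule
      middlewares:
        - name: redirect-https
      services:
        - name: whoami
          port: 80
---
# HTTPS route: tls.secretName is the Certificate's spec.secretName (whoami-prod).
# Traefik looks the Secret up in this IngressRoute's namespace, so it must be "app",
# the same namespace the Certificate was created in.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  namespace: app
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`whoami.ds36.net`) || Host(`whoami-prod.ds36.net`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    secretName: whoami-prod
```

Both hostnames in the match rule are covered by the dnsNames of the Certificate above, so a single Secret serves the route; if you add a hostname to the IngressRoute that is not in the Certificate, Traefik falls back to its self-signed default certificate for that host.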