jakubhajek / traefik-cert-manager

Traefik with Cert Manager and Cloudflare


Traefik with Cert Manager + Cloudflare

This is a simple tutorial that shows how to configure Traefik with Cert Manager, using the DNS-01 challenge with Cloudflare.

Configuring Traefik through the official Helm Chart Repo

Add Traefik's chart repository to Helm:

helm repo add traefik https://helm.traefik.io/traefik
helm repo update

Install Traefik with custom values:

kubectl create namespace traefik
helm upgrade --install traefik -f traefik/values.yaml traefik/traefik -n traefik

Deploy Cert Manager

Install Cert-Manager 1.5.3

kubectl apply -f cert-manager/

Create Cloudflare API Token to manage your domain / domains

According to the cert-manager documentation, in order to use Cloudflare you have to create an API Token with the appropriate scopes. You create it at User Profile -> API Tokens -> API Token.

The token needs to have the following settings:

  • Permissions
    • Zone - DNS - Edit
    • Zone - Zone - Read
  • Zone Resources:
    • Include - All Zones or Include - Specific Zone and Select the domain from the drop down list.

Configure Cert Manager and create the appropriate objects

The API token should be placed in a Kubernetes Secret in the cert-manager namespace. The manifest can be generated with the following command:

kubectl create secret generic cloudflare-api-token-secret --from-literal=api-token=<API_TOKEN> -n cert-manager --dry-run=client -o yaml > cloudflare-api-token-secret.yaml

The generated manifest is equivalent to the one below (kubectl writes the value base64-encoded under data:, whereas stringData: lets you write it in plain text). Either way the file contains the token, so keep it out of version control:

apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
stringData:
  api-token: <API Token>

Then you need to create the ClusterIssuer, which can be consumed from multiple namespaces. An Issuer, on the other hand, is namespace-scoped.

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: cloudflare-issuer
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <email@domain.org> # fix-me
    # name of a secret that is used to store the ACME private account
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - dns01:
        cloudflare:
          email: <cloudflare-email-address> # fix-me
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: api-token

Obtain a TLS certificate using created Cluster Issuer

Create the certificate request manifest:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: whoami-prod
  namespace: app
spec:
  commonName: whoami.ds36.net
  secretName: whoami-prod
  issuerRef:
    name: cloudflare-issuer
    kind: ClusterIssuer
  dnsNames:
    - "whoami.ds36.net"
    - "whoami-prod.ds36.net"

Deploying sample application

Just deploy the manifest using the command:

kubectl apply -f whoami/

In the created IngressRoute, the TLS section (spec.tls.secretName) should refer to the Kubernetes Secret that cert-manager created for the domain from the Certificate request (whoami-prod above). The IngressRoute has to live in the same namespace as the Certificate (app), because Traefik looks the secret up in the IngressRoute's own namespace.
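An IngressRoute of the kind described here, added as an example (it is not the manifest from the repository's whoami/ directory). The websecure entryPoint (the Helm chart's default name), the Service name whoami and port 80 are assumptions; the apiVersion is the traefik.containo.us/v1alpha1 CRD group used by Traefik 2.x at the time of this tutorial.

```yaml
# Added example, not a file from the jakubhajek/traefik-cert-manager repository.
# Assumptions: entryPoint "websecure", a Service "whoami" on port 80 in namespace "app".
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  namespace: app            # must match the Certificate's namespace: Traefik resolves secretName here
spec:
  entryPoints:
    - websecure             # the TLS entryPoint defined by the Traefik Helm chart
  routes:
    - match: Host(`whoami.ds36.net`) || Host(`whoami-prod.ds36.net`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    secretName: whoami-prod # the Secret written by cert-manager (spec.secretName of the Certificate)
```

After applying it, `kubectl get certificate -n app whoami-prod` should report READY as True; until the DNS-01 challenge completes and the secret exists, Traefik serves its built-in default certificate for these hosts, which is the usual sign that the secret name or namespace does not match.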
