posts/kube-traefik-cert-manager-le/

[giscus[bot]]

posts/kube-traefik-cert-manager-le/

Traefik, cert-manager, Cloudflare, and Let’s Encrypt are a winning combination when it comes to securing your services with certificates in Kubernetes. Today, we’ll install and configure Traefik, the cloud native proxy and load balancer, as our Kubernetes Ingress Controller. We’ll then install and configure cert-manager to manage certificates for our cluster. We’ll set up Let’s Encrypt as our Cluster Issuer so that cert-manager can automatically provision TLS certificates and even wildcard certificates using Cloudflare DNS challenge absolutely free. We’ll walk through all of this, step by step, so you can help secure your cluster today.

https://technotim.live/posts/kube-traefik-cert-manager-le/

[re4s0n4]

Please note: There has been a significant change in how metallb does its address-pools. This took me quite a while to figure out since every other example I found shows it how you did it, but it has been deprecated. This is a lesson for me to RTFM sooner (https://metallb.universe.tf/configuration/#layer-2-configuration).

apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: default
  namespace: metallb-system
spec:
  addresses:
  - 10.155.192.113-10.155.192.119

We'll also need an advertisement:

apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
  name: example
  namespace: metallb-system

[timothystewart6]

Thanks for the tip! Happy to update the docs!

[vrapcan]

Hi Tim,

Thanks for your awesome guides.

I was trying to issue Let's Encrypt certificates on a new cluster following this guide and I was getting this error: Error from server (NotFound): clusterissuers.cert-manager.io "letsencrypt" not found.

To fix it, I had to remove the double quotes around the name servers in the launchpad/kubernetes/traefik-cert-manager/cert-manager/values.yaml

I created a pull request for this issue on github: techno-tim/launchpad#34

Cheers,

Viliam

[jahknem]

Hi Tim,

I know it goes against exactly what you have achieved with this tutorial, but could you maybe explain how to use an existing certificate instead of cert-manager? I'm using your tutorial for a testing cluster in my internship and don't seem to be able to get it to work. Per my understanding cert-manager does not allow that?

Thanks

Jan

[cannfoddr]

Hi Tim,

Loving your K3S stuff - really interesting. I have a K8S (Kubeadm) piKube up and running with Traefik and cert manager all working. I have used your k3s ansible to setup a k3s cluster on proxmox and it was brilliant. I am now using this article to get Traefik and cert manager.

I am totally stuck on traefik - the helm install went fine but I cannot for the life of me get dashboard access. I can get chrome to prompt for a user name and password but no matter what I type I cannot get access. I have compared it to my almost identical working k8s dashboard setup for traefik and cannot see what I am doing wrong!

Interestingly I have tried removing the middleware from the ingressroute but I am still getting prompted for a password - I don't understand why that should be the case?

Next step is to completely remove traefik and start again wih a fresh helm install - any suggestions on why basicauth may not be working? I have in the back of my mind something to do with a security realm from my k8s install but I just cant see the problem

Adrian

[cannfoddr]

Ignore the above I am an idiot - there's a docker traffic instance running on my TrueNas Scale box with the same hostname!!! All my requests that I thought were ending up at k3s were actually going there! I fixed the local DNS and k3s traefik is now working as expected.

[CanisHelix]

This is great and I was able to tweak this and get route53 working for wildcards. But how can we get the dashboard to use the new live production cert instead of it's own?

I uncommented the following in the dashboard ingress.yml and applied it.

  tls:
    secretName: mydomain-com-tls

But it's still using the old self-signed traefik one.

[CanisHelix]

I believe it's due to the secret for the certifcate being in a different namespace. Using https://cert-manager.io/docs/tutorials/syncing-secrets-across-namespaces/ I've mirrored to traefik and default, but not sure if this is the best recommended method.

[JohnnySixStrings]

My dns provider is domains.google.com so I had to use a webhook. When the webhook makes a request to update the dns records it gets something like this : x509: certificate is valid for x.default.traefik not y. same thing happens with my rancher instance when I try to add a new repo similar issue. example Get "https://charts.jetstack.io/index.yaml": x509: certificate is valid for eed820bb8954c7e99e63219796ded95d.1c4467d7c584ce11c30c573d8a187bf4.traefik.default, not charts.jetstack.io

[JohnnySixStrings]

I figured it out I need to enable crossNameSpace in values for the traefik helm chart.
providers:
kubernetesCRD:
enabled: true
ingressClass: traefik-external
allowExternalNameServices: true
allowCrossNamespace: true

[CanisHelix]

Interesting solutions, I was having a similar error message when trying to add a plugin to Traefik. Turned out that a wildcard * A record on my domain was the cause because. I wonder if this might have resolved it too.

[cannfoddr]

Simplest thing to do would be to setup a port forward from your router to your metallb address using port 443. Then publish blog.mydomain.com <http://blog.mydomain.com/> to cloud flare as a CNAME of whatever host you are dynamically updating from home-assistant. This will in theory expose all of your services on the traffic host but you have to know the correct hostname to access them. I am considering running two traefik instances, one for external and one of internal and using different traffic classnames to direct services to internal or external

…

On 26 Apr 2023, at 14:26, madmurl0c ***@***.***> wrote: This may be a bit beyond the scope of this tutorial but what to do if I'd like to expose services from my k3s cluster to the outside world? Now that I have valid certificates I would like to have blog.mydomain.com reachable from the outside world. Is there a way to communicate the ipv4/ipv6 addresses of the metallb load balancer to cloudflare? Currently I have my DNS pointed to my Home Assistant VM (using the Home Assistant cloudflare integration) and use the Nginx Proxy Manager Add-on instead of traefik. — Reply to this email directly, view it on GitHub <#234 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAH4WOQ3PUNTAQYOMNACQXLXDEO7HANCNFSM6AAAAAAVK6YITM>. You are receiving this because you commented.

[afrojewelz]

hi , i ve been wondering among those traefik deploy issue on dashboard not showing up when turn on the options on values of traefik.
as for certmgr on k3s, i obtain successfully my third tier domain name with wild card *.k3s.example.com
but when i open up url like traefik.k3s.example.com ,the browser will always says

此网站无法提供安全连接traefik.k3s.example.com 使用了不受支持的协议。
ERR_SSL_VERSION_OR_CIPHER_MISMATCH

[afrojewelz]

and i think somehow you forgot mention to corporate certmanager with traefik, the certs needs define TLSstore kind yaml on certificate in order to let traefik automated load cert that acquire from certmgr. otherwise it's will always fallback to TRAEFIK DEFAULT.

[rdm0991]

Hi Tim, Excellent videos, and have been following to have the home lab setup. Now I have the k3s cluster up and running with Rancher. The cert-manager is giving trouble with DNS , it is ending with the error: ClusterIssuer letsencrypt-staging cert-manager-clusterissuers Error initializing issuer: Get "https://acme-staging-v02.api.letsencrypt.org./directory": dial tcp: lookup acme-staging-v02.api.letsencrypt.org.: i/o timeout. Is this any indication that the virtualized pfsense is blocking 443 traffic into kubernetes cluster? Please advise any work around for getting the cert manager up and running. thanks. pfsense

[sli3]

Hey Tim!, Fabulous video and I learnt so much about SSL thank you so much. I have a quest that still unclear, and wonder if you have any video that explain about more about Middleware part?

Thanks in advance.

[coco6789]

Hi,
awsome tutorial, following your videos one by one. so interesting, bit of a newbie here but i like the clallenge. i was wondering if you could make a template for duckdns webhook ? i found a few example while googling but cant seem to make it work. also i rather the way you do it.

thanks

[byrn-baker]

Tim,
Really have gotten a lot out of the series k3s including this one. Thanks for putting the time in to figure this out and explain it. I went ahead and added some ansible tasks to your k3s-ansible project for the steps you have in this post.

https://github.com/byrn-baker/k3s-ansible

[tidusff86]

Is it possible to use Namecheap instead of Cloudflare?

[timothystewart6]

You'll have to check cert-manager to see which DNS providers they support for DNS01

[mrkhachaturov]

apiVersion: traefik.containo.us/v1alpha1 must be updated to traefik.io/v1alpha1 for traefik 3

[Mithi83]

This has cost me a night of debugging. Thanks for the solution!

[cgraaaj]

Hey Geeks,

I wanted to know how the nginx deployment is working without making the service of nginx as load balancer.
how tim managed to point it out via lb to traefik to container pod

could anyone help me understand this!!!

[tscibilia]

Thanks so much for detailing this setup (along with your ansible playbook to configure kubernetes) I'm pretty sure I followed this guide to the letter but I was not able to reach the traefik dashboard page. I knew there was some issue with not being able to reach the metallb ip address (but since the rancher ui was in the same pool, I was confused).

I stumbled on this comment from github and I added the following to my L2Advertisement, and to my surprise it all worked. I just wanted to share in case anyone else runs into this issue.

spec:
  ipAddressPools:
  - first-pool