How to configure TLS with CLI

Hi everyone,

We just deployed Traefik v2.0 in our environments, great work and congratulations to all the team.
Let me describe our context:

  • We use Kubernetes and Traefik is our Ingress controller
  • We use KubernetesCRD to define our routes
  • We use Helm template to deploy on K8S (homemade templates)
  • We use CLI args to configure our Traefik

Until now, everything works fine. So I wanted to offload TLS to Traefik.
I did not find in the documentation how to configure TLS with the CLI.
The file provider does not embrace cloud readiness very well.
Has someone already deployed Traefik v2.0 on Kubernetes with TLS?
Could you point me to working documentation?

Thank you in advance.
Wish you all the best!
Julien.

Hello, thank you :smiley:

The TLS configuration is a part of the dynamic configuration, so it cannot be defined with the CLI.

https://docs.traefik.io/v2.0/https/tls/

Hi @Julien,

you can either:

  • define the TLS certificate in the IngressRoute (scenario where certificates are stored per namespace with the deployments, services and ingressroute objects) following Traefik's documentation (e.g. referencing the Kubernetes secrets used for the TLS certificate): https://docs.traefik.io/v2.0/routing/providers/kubernetes-crd/#tls
  • define a Kubernetes secret and mount it in Traefik's deployment, along with a configmap which defines a traefik-dyn.toml file (or yaml), enabling the file provider. Cloud Native doesn't mean "no file" at all. Cloud Native means "provide automation and primitives to operational systems to facilitate scaling and innovative patterns": Kubernetes provides ConfigMap for this use case, which allows you to define the certificates only once in Traefik's namespace, and everything is good.
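Both options above, written out as Kubernetes manifests. This is an added example, not code from the thread, from Traefik's documentation or from the Traefik project; the namespace names (apps, traefik), the whoami service, the host example.com and the secret/configmap names are assumptions, and the base64 values are placeholders. Option 1 keeps the certificate next to the application and lets the IngressRoute reference it by secret name; option 2 mounts a secret from Traefik's own namespace and points the file provider at a ConfigMap holding the dynamic TLS configuration. The Deployment's CLI args are the static configuration: they enable the kubernetescrd and file providers together, which is the combination dduportal describes as working, and define the websecure entrypoint the routes attach to.

```yaml
# Added example (not from the thread): TLS offload in Traefik v2.0 on Kubernetes.
# Assumed names: namespace "apps" (application), namespace "traefik" (ingress
# controller), service "whoami" on port 80, host "example.com".
---
# Option 1: the certificate lives with the application and the IngressRoute
# references it. The secret must be of type kubernetes.io/tls in the same
# namespace as the IngressRoute.
apiVersion: v1
kind: Secret
metadata:
  name: example-com-tls
  namespace: apps
type: kubernetes.io/tls
data:
  tls.crt: "<base64 PEM certificate chain, placeholder>"
  tls.key: "<base64 PEM private key, placeholder>"
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-tls
  namespace: apps
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`example.com`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    secretName: example-com-tls      # served from the Secret above
---
# Option 2: one certificate defined once in Traefik's namespace, handed to the
# file provider through a ConfigMap. Assumes a kubernetes.io/tls Secret named
# "default-tls" in namespace "traefik" (same shape as above, not repeated).
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-dynamic
  namespace: traefik
data:
  traefik-dyn.yaml: |
    tls:
      certificates:
        - certFile: /certs/tls.crt
          keyFile: /certs/tls.key
      # Floor for every TLS router that does not select its own options.
      options:
        default:
          minVersion: VersionTLS12
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik
  namespace: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik    # needs RBAC for the CRD provider (ClusterRole not shown)
      containers:
        - name: traefik
          image: traefik:v2.0
          args:                      # static configuration, entirely on the CLI
            - --entrypoints.web.address=:80
            - --entrypoints.websecure.address=:443
            - --providers.kubernetescrd=true
            - --providers.file.filename=/config/traefik-dyn.yaml
            - --providers.file.watch=true
          ports:
            - name: web
              containerPort: 80
            - name: websecure
              containerPort: 443
          volumeMounts:
            - name: dynamic-config   # the ConfigMap above, read-only
              mountPath: /config
              readOnly: true
            - name: certs            # the Secret holding the default certificate, read-only
              mountPath: /certs
              readOnly: true
      volumes:
        - name: dynamic-config
          configMap:
            name: traefik-dynamic
        - name: certs
          secret:
            secretName: default-tls
```

Mounting both volumes read-only keeps the private key out of anything the Traefik container could write, and the minVersion option in the dynamic file gives every router a TLS 1.2 floor without repeating it per IngressRoute. The two providers do not share objects: routes from the CRD provider can still use the default certificate declared by the file provider, because the TLS store is global.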

Hi @dduportal,

First of all thank you for your answer.
You are right, using the file provider is not a dilemma at all. But I have an issue with the file provider.
I cannot make the Kubernetes provider work if I have the file and Kubernetes providers enabled at the same time. This is why I did not want to use it. Sorry I forgot to mention this.

I will give another try in our test environment.
Note that your second approach looks the best in our deployment.

PS: I have another bug, the file provider's watch for changes does not work with a K8S configmap. But I'm about to open a bug on GitHub for this one.

PS2: @ldez Thanks for your answer :wink:

Hi @Julien, can you share with us your configuration first (I mean: before opening bugs)?

We have a lot of users (and ourselves as well) using both providers at the same time (and if you search the forum, you'll find examples given by us to users with both). So I suppose there is either a misconfiguration or you might be running on a special case :slight_smile:

About the ConfigMap not refreshed, I'm 100 % sure there is already an issue opened about this. One of the main concerns here is that configmaps are symlinks to files, and that the propagation across the cluster (distributed system) is not synchronous when you push a change. This is one of the reasons why the (beta) helm chart is using a full CLI for the static configuration.
But this might be a non-issue, as TLS certificate changes are not picked up by Traefik, as well as mounting secrets: adding a new TLS certificate requires a pod restart (like draining a node). You should not require the filesystem change to be picked up in your case, but again, maybe I missed something that we'll check if you can share both:

  • Your intention (e.g. what are you trying to achieve)?
  • Your configuration

Thanks again for your quick answer.

I did not want to puzzle you by writing down here all my issues.
I just wanna talk here about TLS with CLI. And you answered me:

  • TLS configuration only with file
  • I can have multiple provider working

Regarding my other issues, the one with the 2 providers was something else:
I wanted to redirect traffic to a URL and I saw that it is only possible with the file provider.
So I configured the K8S and file providers. Everything regarding file was working but nothing regarding K8S.
In the UI, I saw the 2 providers but no route from K8S. But in the logs everything was deployed.
I thought it was only a UI bug but no packet was delivered using K8S routes.

The last issue I encountered is the file watch. In the previous issue I deployed URL routing but when I changed the configuration (configMap), the file was changed in my pods, but Traefik never read it again. As a workaround I had to delete my pods.

Thanks again for taking the time to answer me.
Keep making some good stuff!

PS: I will give another try to multiple providers tomorrow. I will let you know.

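The redirect Julien describes can also be expressed inside the Kubernetes CRD provider, which removes the need for the file provider in that particular case: Traefik v2.0's CRD provider carries a Middleware kind with a redirectRegex section, and an IngressRoute attaches it by name. The manifests below are an added example, not code from the thread or from Traefik's documentation; the namespace apps, the hosts old.example.com and new.example.com and the whoami service are assumptions.

```yaml
# Added example (not from the thread): a host redirect kept in the Kubernetes
# CRD provider instead of the file provider. Assumed names: namespace "apps",
# hosts old.example.com / new.example.com, service "whoami" on port 80.
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-to-new-host
  namespace: apps
spec:
  redirectRegex:
    # Anchored on the full request URL; the captured path is carried over.
    regex: "^http://old\\.example\\.com/(.*)"
    replacement: "https://new.example.com/${1}"
    permanent: true            # 301 rather than 302
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: old-host-redirect
  namespace: apps
spec:
  entryPoints:
    - web                      # plain HTTP entrypoint; the redirect sends clients to HTTPS
  routes:
    - match: Host(`old.example.com`)
      kind: Rule
      middlewares:
        - name: redirect-to-new-host
      services:
        - name: whoami         # a backend is still mandatory; the redirect answers before it is reached
          port: 80
```

Anchoring the regex on the scheme and host, and escaping the dots, keeps the rule from matching unrelated URLs that merely contain the host name, and the permanent flag makes the cutover cacheable by clients. Keeping route and redirect in one provider also means a change to either is visible through the same kubectl audit trail as the rest of the namespace.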

No problem, we are all always happy to help as a community.

Feel free to add the IngressRoute definition (+ middlewares + file provider config) if you want another pair of eyes on it if it ain't working for you :slight_smile: