I followed the "User Guide: Kubernetes and Let's Encrypt" in the v2.1 documentation to stand up Traefik in Kubernetes.
Link to the documentation: https://docs.traefik.io/user-guides/crd-acme/
I followed the guide to the T but ended up making some small changes when I couldn't get the LetsEncrypt/SSL/HTTPS working:
- Changed web/websecure on the port names to http/https to be consistent with the rest of Traefik
- Stood up an Apache site, Plex and a variety of other services with UIs to see if LetsEncrypt would kick in
- Added httpchallenge as I could not get Kubernetes IngressRoute to work but Ingress was working fine
My Traefik Deployment:
```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: default
  name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
metadata:
  namespace: default
  name: traefik
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v2.1
          args:
            - --api.insecure
            - --accesslog
            - --entrypoints.http.Address=:80
            - --entrypoints.https.Address=:443
            - --providers.kubernetescrd
            - --providers.kubernetesIngress
            - --certificatesresolvers.default.acme.tlschallenge
            - --certificatesresolvers.default.acme.httpchallenge
            - --certificatesresolvers.default.acme.httpchallenge.entrypoint
            - --certificatesresolvers.default.acme.email=MYEMAIL@gmail.com
            - --certificatesresolvers.default.acme.storage=acme.json
          # volumeMounts:
          #   - name: nfs-traefik-config
          #     mountPath: "/config"
          #   - name: nfs-traefik-cert
          #     mountPath: "/etc/traefik"
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
            - name: admin
              containerPort: 8080
      # volumes:
      #   - name: nfs-traefik-config
      #     configMap:
      #       name: traefik-conf
      #   - name: nfs-traefik-cert
      #     persistentVolumeClaim:
      #       claimName: nfs-traefik-cert
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-ingress-service
  namespace: default
spec:
  selector:
    app: traefik
  ports:
    - protocol: TCP
      port: 80
      nodePort: 30000
      name: http
    - protocol: TCP
      port: 443
      nodePort: 30001
      name: https
    - protocol: TCP
      port: 8080
      nodePort: 30002
      name: admin
  type: NodePort
```
Example Ingress:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: plex
spec:
  rules:
    - host: "plex.SITE.com"
      http:
        paths:
          - path: /
            backend:
              serviceName: plex
              servicePort: 32400
```
Expected Behavior:
When I go to plex.SITE.com, I get https://plex.SITE.com and everything works (no errors).
Current Behavior:
When I go to plex.SITE.com, I get a "your connection is not private" error, and if I advance through the error, I get a 404 message (Traefik not redirecting the port/no working SSL).
When I go to http://plex.SITE.com, the site works as expected, just no SSL.
What kills me is that this all works perfectly in my Docker machine but I cannot for the life of me get this working in Kubernetes.
Help?
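
A small lint over the Traefik arguments as posted above, added here as an example (it is not part of the original post and not Traefik's own tooling). The function names and the `has_volume` parameter are assumptions; the check flags an ACME HTTP-challenge entrypoint that has no value or names an undefined entrypoint, ACME storage with no mounted volume, and `--api.insecure`.

```python
import re

# Arguments copied from the Deployment in the post above.
POSTED_ARGS = [
    "--api.insecure",
    "--accesslog",
    "--entrypoints.http.Address=:80",
    "--entrypoints.https.Address=:443",
    "--providers.kubernetescrd",
    "--providers.kubernetesIngress",
    "--certificatesresolvers.default.acme.tlschallenge",
    "--certificatesresolvers.default.acme.httpchallenge",
    "--certificatesresolvers.default.acme.httpchallenge.entrypoint",
    "--certificatesresolvers.default.acme.email=MYEMAIL@gmail.com",
    "--certificatesresolvers.default.acme.storage=acme.json",
]


def parse_args(args):
    """Map lower-cased flag name -> value (None when no '=value' is given)."""
    parsed = {}
    for arg in args:
        name, sep, value = arg.lstrip("-").partition("=")
        parsed[name.lower()] = value if sep else None
    return parsed


def lint(args, has_volume=False):
    """Return findings for a Traefik v2 argument list (has_volume is hypothetical)."""
    flags = parse_args(args)
    findings = []
    entrypoints = {m.group(1) for f in flags
                   if (m := re.fullmatch(r"entrypoints\.([^.]+)\.address", f))}
    for flag, value in flags.items():
        m = re.fullmatch(r"certificatesresolvers\.([^.]+)\.acme\.(.+)", flag)
        if not m:
            continue
        resolver, key = m.groups()
        if key == "httpchallenge.entrypoint":
            if not value:
                findings.append(f"{resolver}: httpchallenge.entrypoint has no value")
            elif value.lower() not in entrypoints:
                findings.append(f"{resolver}: httpchallenge.entrypoint '{value}' is not defined")
        if key == "storage" and not has_volume:
            findings.append(f"{resolver}: acme storage '{value}' is not on a mounted volume")
    if "api.insecure" in flags and flags["api.insecure"] in (None, "true"):
        findings.append("api.insecure exposes the dashboard and API without authentication")
    return findings
```

Calling `lint(POSTED_ARGS)` returns three findings for the Deployment as posted; pass `has_volume=True` once the commented-out `volumeMounts` are enabled.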