Hello,
As I know from the docs, currently Traefik v2 under Kubernetes doesn't play well with Let's Encrypt when multiple instances are running. The suggested workaround is to use cert-manager issuers to kickstart an Ingress that will perform the validation and ultimately create the TLS secret.
I have the current setup:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefiklb.emsclaimsengine.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    secretName: dashboard-secret
    domains:
      - main: traefiklb.mydomain.com
---
kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
  name: dashboard-traefik-test
  namespace: traefik
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: "web,websecure"
    traefik.ingress.kubernetes.io/router.tls: "true"
    cert-manager.io/cluster-issuer: traefik-prod
    acme.cert-manager.io/http01-ingress-class: "traefik2"
    kubernetes.io/tls-acme: "true"
spec:
  rules:
    - host: traefiklb.mydomain.com
      http:
        paths:
          - path: /test
            backend:
              serviceName: traefik
              servicePort: 80
  tls:
    # hosts and secretName must be fields of the same tls entry;
    # as two separate list items cert-manager sees one entry without a secret
    # and one without hosts
    - hosts:
        - "traefiklb.mydomain.com"
      secretName: dashboard-secret
Where Traefik was started with the following arguments:
additionalArguments:
  - "--log.level=WARN"
  - "--api.dashboard=true"
  - "--providers.kubernetesingress.ingressclass=traefik2"
The issuer "traefik-prod" seems OK as far as cert-manager is concerned (it picks up the registration details and, according to the logs, considers it a valid issuer; it's a ClusterIssuer).
However, nothing happens. The domain looks OK: if I configure Traefik with a single instance and use Traefik's own way of handling the ACME provider, it works, but I would like to be able to use cert-manager, since in general I am going to need to scale the Traefik instances.
I would appreciate any pointers/examples.
Thanks!
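An added example (not part of the original post, and not taken from the Traefik or cert-manager projects) of the route a practitioner would usually take here: instead of relying on the Ingress annotations (ingress-shim) to create the certificate, request it explicitly with a cert-manager Certificate resource and let the IngressRoute consume the resulting secret. Assumptions, beyond what the post shows: cert-manager 1.x (API group cert-manager.io/v1), the ClusterIssuer named traefik-prod uses an HTTP-01 solver whose ingress class matches Traefik's --providers.kubernetesingress.ingressclass=traefik2, the Certificate name dashboard-cert, the e-mail address, and the use of the Let's Encrypt staging directory (to avoid burning production rate limits while the validation path is still being debugged) are all chosen for this example.

```yaml
# ClusterIssuer as this example assumes it: an ACME issuer whose HTTP-01
# solver Ingress carries the class Traefik is configured to watch.
# The post says traefik-prod already exists; this is the shape it needs.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: traefik-prod
spec:
  acme:
    # Staging endpoint (assumed for debugging); switch to
    # https://acme-v02.api.letsencrypt.org/directory once challenges succeed.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@mydomain.com            # assumed contact address
    privateKeySecretRef:
      name: traefik-prod-account-key     # ACME account key, stored by cert-manager
    solvers:
      - http01:
          ingress:
            # The solver Ingress must be routed by Traefik on the "web"
            # (port 80) entrypoint; this class must equal the value of
            # --providers.kubernetesingress.ingressclass.
            class: traefik2
---
# Explicit Certificate: cert-manager creates/renews the secret named here
# without needing any Ingress annotations on the application side.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: dashboard-cert                   # assumed name
  namespace: traefik                     # secret is created in this namespace
spec:
  secretName: dashboard-secret           # what the IngressRoute references
  dnsNames:
    - traefiklb.mydomain.com
  issuerRef:
    name: traefik-prod
    kind: ClusterIssuer
---
# The IngressRoute only needs the secret; tls.domains is for Traefik's own
# ACME resolver and does nothing when cert-manager manages the secret.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefiklb.mydomain.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    secretName: dashboard-secret
```

With this in place the progress of issuance is visible in cert-manager's own objects rather than in Traefik: `kubectl -n traefik describe certificate dashboard-cert` shows whether a CertificateRequest and Order were created, and `kubectl -n traefik get challenges` shows the HTTP-01 challenge state and the reason it is pending (typically the solver Ingress not being routed, or port 80 on the public address not reaching the Traefik instances). Because every Traefik replica reads the same secret, this scales to any number of instances without the ACME coordination problem the post describes.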