As far as I know from the docs, Traefik v2 under Kubernetes currently doesn't play well with Let's Encrypt when multiple instances are running. The suggested workaround is to use cert-manager issuers to kickstart an ingress that will perform the validation and ultimately create the TLS secret.
I have the current setup:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefiklb.emsclaimsengine.com`) && (PathPrefix(`/dashboard`) || PathPrefix(`/api`))
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    secretName: dashboard-secret
    domains:
      - main: traefiklb.mydomain.com
---
kind: Ingress
apiVersion: networking.k8s.io/v1beta1
metadata:
  name: dashboard-traefik-test
  namespace: traefik
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: "web,websecure"
    traefik.ingress.kubernetes.io/router.tls: "true"
    cert-manager.io/cluster-issuer: traefik-prod
    acme.cert-manager.io/http01-ingress-class: "traefik2"
    kubernetes.io/tls-acme: "true"
spec:
  rules:
    - host: traefiklb.mydomain.com
      http:
        paths:
          - path: /test
            backend:
              serviceName: traefik
              servicePort: 80
  tls:
    - hosts:
        - "traefiklb.mydomain.com"
    - secretName: dashboard-secret
```
Where traefik was started with the following arguments:
```yaml
additionalArguments:
  - "--log.level=WARN"
  - "--api.dashboard=true"
  - "--providers.kubernetesingress.ingressclass=traefik2"
```
The issuer "traefik-prod" seems OK as far as cert-manager is concerned (it picks up the registration details and considers it a valid issuer as per the logs; it's a ClusterIssuer).
However, nothing happens. The domain looks OK: if I configure Traefik with a single instance and use the Traefik-proper way of handling the ACME provider, it works, but I would like to be able to use cert-manager, as in general I am going to need to scale Traefik instances.
I would appreciate any pointers/examples.
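
An added example, not part of the original post: a small check over the two manifests, taken as the dicts a YAML parser would return, that every Ingress `spec.tls` entry names both `hosts` and a `secretName` (cert-manager builds one Certificate per entry from those two fields) and that the secret the IngressRoute references is actually requested in the same namespace. The function names and the `MERGED` variant are assumptions made for the example.

```python
# Added example: manifests as the dicts yaml.safe_load would return.

def lint_ingress_tls(ingress):
    """List spec.tls entries that do not pair hosts with a secretName."""
    entries = ingress["spec"].get("tls") or []
    if not entries:
        return ["spec.tls is empty: no certificate is requested"]
    problems = []
    for i, entry in enumerate(entries):
        hosts = entry.get("hosts") or []
        secret = entry.get("secretName")
        if hosts and not secret:
            problems.append(f"tls[{i}]: hosts {hosts} have no secretName")
        elif secret and not hosts:
            problems.append(f"tls[{i}]: secretName {secret!r} has no hosts")
        elif not hosts and not secret:
            problems.append(f"tls[{i}]: empty entry")
    return problems


def secrets_requested(ingress):
    """(namespace, secretName) for every well-formed spec.tls entry."""
    ns = ingress["metadata"]["namespace"]
    return {(ns, e["secretName"]) for e in ingress["spec"].get("tls") or []
            if e.get("secretName") and e.get("hosts")}


def route_secret(route):
    """(namespace, secretName) an IngressRoute expects to find."""
    return route["metadata"]["namespace"], route["spec"]["tls"]["secretName"]


# Transcribed from the post: hosts and secretName are separate list items.
POSTED = {"metadata": {"name": "dashboard-traefik-test", "namespace": "traefik"},
          "spec": {"tls": [{"hosts": ["traefiklb.mydomain.com"]},
                           {"secretName": "dashboard-secret"}]}}
# Constructed variant: the same values placed in a single entry.
MERGED = {"metadata": {"name": "dashboard-traefik-test", "namespace": "traefik"},
          "spec": {"tls": [{"hosts": ["traefiklb.mydomain.com"],
                            "secretName": "dashboard-secret"}]}}
ROUTE = {"metadata": {"name": "dashboard", "namespace": "traefik"},
         "spec": {"tls": {"secretName": "dashboard-secret"}}}

if __name__ == "__main__":
    for name, ing in (("posted", POSTED), ("merged", MERGED)):
        print(name, lint_ingress_tls(ing) or "ok",
              route_secret(ROUTE) in secrets_requested(ing))
```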