diff --git a/EXAMPLES.md b/EXAMPLES.md index 33c996681..5cd0422db 100644 --- a/EXAMPLES.md +++ b/EXAMPLES.md @@ -277,9 +277,15 @@ additionalArguments: - "--experimental.plugins.bouncer.version=v1.1.9" ``` -# Use Traefik Let's Encrypt Integration with CloudFlare +# Use Traefik native Let's Encrypt integration, without cert-manager -It needs a CloudFlare token in a Kubernetes `Secret` and a working Storage Class +In Traefik Proxy, ACME certificates are stored in a JSON file. + +This file needs to have 0600 permissions, meaning, only the owner of the file has full read and write access to it. +By default, Kubernetes recursively changes ownership and permissions for the content of each volume. + +=> An initContainer can be used to avoid an issue on this sensitive file. +See [#396](https://github.com/traefik/traefik-helm-chart/issues/396) for more details. ```yaml persistence: @@ -296,8 +302,17 @@ env: secretKeyRef: name: yyy key: zzz +deployment: + initContainers: + - name: volume-permissions + image: busybox:latest + command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"] ``` +This example needs a CloudFlare token in a Kubernetes `Secret` and a working `StorageClass`. + +See [the list of supported providers](https://doc.traefik.io/traefik/https/acme/#providers) for others. + # Provide default certificate with cert-manager and CloudFlare DNS Setup: @@ -308,6 +323,7 @@ Setup: **Step 1**: Create `Secret` and `Issuer` needed by `cert-manager` with your API Token. See [cert-manager documentation](https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/) for creating this token with needed rights: + ```yaml --- apiVersion: v1 @@ -340,6 +356,7 @@ spec: ``` **Step 2**: Create `Certificate` in traefik namespace + ```yaml apiVersion: cert-manager.io/v1 kind: Certificate 
@@ -365,6 +382,7 @@ kubectl get certificate -n traefik If needed, logs of cert-manager pod can give you more information **Step 4**: Use it on the TLS Store in **values.yaml** file for this Helm Chart + ```yaml tlsStore: default: @@ -375,6 +393,7 @@ tlsStore: **Step 5**: Enjoy. All your `IngressRoute` use this certificate by default now. They should use websecure entrypoint like this: + ```yaml apiVersion: traefik.containo.us/v1alpha1 kind: IngressRoute @@ -390,32 +409,3 @@ spec: - name: XXXX port: 80 ``` - -# Keep TLS certificates on persistent volume - -This example is using the default StorageClass. If needed, you can set your own. - -In Traefik Proxy, ACME certificates are stored in a JSON file that needs to have a -0600 file mode. By default, Kubernetes recursively changes ownership and -permissions for the content of each volume. An initContainer is used to -avoid an issue on this sensitive file. See -[#396](https://github.com/traefik/traefik-helm-chart/issues/396) for more details. - -```yaml -additionalArguments: - - "--certificatesresolvers.letsencrypt.acme.email=my.email@my.company.com" # - <= Put your email here - - "--certificatesResolvers.letsencrypt.acme.tlschallenge=true" - - "--certificatesresolvers.le.acme.storage=/data/acme.json" -deployment: - initContainers: - - name: volume-permissions - image: busybox:latest - command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json; chown 65532:65532 /data/acme.json"] -persistence: - enabled: true - accessMode: ReadWriteOnce - size: 128Mi - path: /data - # storageClass: "specific-storage-class" - # annotations: {} -```
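Review bot: In the hunk at `@@ -277,9 +277,15 @@`, the line `=> An initContainer can be used to avoid an issue on this sensitive file.` uses an arrow prefix that appears nowhere else in EXAMPLES.md; write it as a plain sentence, e.g. "An initContainer is used to fix the permissions of this sensitive file." The preceding sentence also reads better as "This file needs 0600 permissions, meaning only the owner of the file can read and write it." Consider qualifying "By default, Kubernetes recursively changes ownership and permissions for the content of each volume" with "when an `fsGroup` is set on the pod", since that is the condition under which the recursive change happens.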
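Review bot: In the hunk at `@@ -296,8 +302,17 @@`, the new `volume-permissions` init container runs `"touch /data/acme.json; chmod -v 600 /data/acme.json"` but drops the `chown 65532:65532 /data/acme.json` that the block deleted at `@@ -390,32 +409,3 @@` carried. `busybox` runs as root unless told otherwise, so `touch` creates a root-owned 0600 file that the non-root Traefik process can neither read nor write, which defeats the purpose of the example. Either restore the `chown`, or give the init container a `securityContext` with `runAsUser: 65532` / `runAsGroup: 65532` so the file is created with the right owner without the init container needing root at all. Two smaller points on the same lines: `busybox:latest` is an unpinned tag, so pin a version or digest in a security-sensitive example, and the init container declares no `volumeMounts` for the `/data` persistence volume, so confirm the chart injects that mount or add it explicitly.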
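Review bot: In the hunk at `@@ -390,32 +409,3 @@`, removing the "Keep TLS certificates on persistent volume" section also removes the only place that showed the `--certificatesresolvers.le.acme.storage=/data/acme.json` argument, which is what makes `/data/acme.json` the path the init container prepares, and the only TLS-ALPN example (`--certificatesResolvers.letsencrypt.acme.tlschallenge=true`) for users without a supported DNS provider. The merged CloudFlare section shown in the earlier hunks displays neither; confirm the storage argument is present in the lines not shown in the diff, or keep a short note in the surviving section stating that the ACME storage path must match the init container's path.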