Configuring Lets Encrypt with Traefik using Helm

Configuring Lets Encrypt with Traefik using Helm

I'm deploying taefik to my kubernetes cluster using helm.  Here's what I have at the moment:
helm upgrade --install load-balancer --wait --set ssl.enabled=true,ssl.enforced=true,acme.enabled=true,acme.email=an@email.com stable/traefik

I'm trying to configure letsencrypt. According to this documentation - you add the domains to the bottom of the .toml file.
Looking at the code for the helm chart, there's no provision for such configuration.
Is there another way to do this or do I need to fork the chart to create my own variation of the .toml file?

Solutions/Answers:

Solution 1:

Turns out this is the chicken and the egg problem, described here.

For the helm chart, if acme.enabled is set to true, then Treafik will automatically generate and serve certificates for domains configured in Kubernetes ingress rules. This is the purpose of the onHostRule = true line in the yaml file (referenced above).

To use Traefik with Let’s Encrypt, we have to create an A record in our DNS server that points to the ip address of our load balancer. Which we can’t do until Traefik is up and running. However, this configuration needs to exist before Traefik starts.

The only solution (at this stage) is to kill the first Pod after the A record configuration has propagated.

Solution 2:

Note that the stable/traefik chart now supports the ACME DNS-01 protocol. By using DNS it avoids the chicken and egg problem.

See: https://github.com/kubernetes/charts/tree/master/stable/traefik#example-aws-route-53

References

Related:  Whats the difference between OpenSSL and LetsEncrypt? [closed]