Setup Traefik with Cloudflare

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: *.geminisolutions.com

The operating system my web server runs on is (include version): CentOS 7

My hosting provider, if applicable, is: Cloudflare

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): No

Hi Team, I have a domain registered on Cloudflare and I am running a Traefik ingress in my Kubernetes cluster. Can you help me set up my Traefik ingress so that I can have an HTTPS connection for an application running in Kubernetes?


Hi @Rjomar

I think it’s pretty well documented in the Traefik documentation?

https://docs.traefik.io/https/acme/

Andrei


Hi @ahaw021

I have followed the same doc but am not able to make HTTPS work.

And it's not using the certificate as well, for which I saved the Cloudflare account email ID and its global access key as a secret inside the Traefik deployment; in spite of that, it's using the default Traefik certs for HTTPS, which fail to authorise.

Traefik deployment YAML:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: traefik
    release: traefik
  name: traefik
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
      release: traefik
  template:
    metadata:
      labels:
        app: traefik
        release: traefik
    spec:
      hostNetwork: true
      containers:
      - args:
        - --api
        - --api.insecure
        # - --api.insecure=false
        - --api.dashboard=true
        - --accesslog
        - --global.checknewversion=true
        - --entryPoints.traefik.address=:8100
        - --entryPoints.web.address=:80
        - --entryPoints.websecure.address=:443

        # permanent redirecting of all requests on http (80) to https (443)
        - --entrypoints.web.http.redirections.entryPoint.to=websecure
        - --entrypoints.websecure.http.tls.certResolver=le

        # Let's Encrypt Configuration:
        # Please note that this is the staging Let's Encrypt server configuration.
        # Once you get things working, you should remove that following line.
        - --certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/dire
        - --certificatesresolvers.le.acme.email=xyz@abc.in
        - --certificatesresolvers.le.acme.storage=acme.json
        - --certificatesresolvers.le.acme.dnsChallenge=true
        - --certificatesResolvers.le.acme.dnsChallenge.provider=cloudflare

        - --ping=true
        - --providers.kubernetescrd=true
        - --providers.kubernetesingress=true

        - --log.level=INFO

        env:
        - name: CF_API_EMAIL
          value: abc.xyz@xx.in
        - name: CF_API_KEY
          valueFrom:
            secretKeyRef:
              name: cloudflare-credentials
              key: globalApiKey

        image: traefik:2.2.0
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /ping
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 2
        name: traefik
        ports:
        - containerPort: 8100
          name: admin
          protocol: TCP
        - containerPort: 80
          name: web
          protocol: TCP
        - containerPort: 443
          name: websecure
          protocol: TCP
        readinessProbe:
          failureThreshold: 1
          httpGet:
            path: /ping
            port: 8100
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 2
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: traefik
      serviceAccountName: traefik
      terminationGracePeriodSeconds: 60
```

Below is the IngressRoute rule for the whoami application:

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-route
  namespace: default
spec:
  entryPoints:
  - websecure
  routes:
  - match: Host(`whoami.geminisolutions.com`)
    kind: rule
    services:
    - name: whoami
      port: 80
  tls:
    certResolver: le
```
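A pre-deploy review of the flags in the Deployment above, as an added example that is not part of the original posts and not Traefik tooling: it reports the unauthenticated API (`--api.insecure`), the staging CA, and an `acme.json` path that is relative rather than on a mounted volume. The function names and check ids are this example's own, and flag names are assumed to be case-insensitive, as the mixed-case flags in the post suggest.

```python
import re

# Constructed input: the API/ACME-related flags from the Deployment posted above,
# copied as they appear there (including the cut-off caserver URL).
ARGS = [
    "--api.insecure",
    "--entryPoints.traefik.address=:8100",
    "--entrypoints.websecure.http.tls.certResolver=le",
    "--certificatesresolvers.le.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/dire",
    "--certificatesresolvers.le.acme.storage=acme.json",
    "--certificatesresolvers.le.acme.dnsChallenge=true",
    "--certificatesResolvers.le.acme.dnsChallenge.provider=cloudflare",
]

def parse_args(args):
    """Map lower-cased flag name -> value (assumed case-insensitive; bare flag = 'true')."""
    opts = {}
    for arg in args:
        name, _, value = arg.lstrip("-").partition("=")
        opts[name.lower()] = value or "true"
    return opts

def review(args):
    """Return (check_id, detail) findings; the check ids are this example's own."""
    opts = parse_args(args)
    findings = []
    if opts.get("api.insecure") == "true":
        addr = opts.get("entrypoints.traefik.address", ":8080")
        findings.append(("api-insecure", f"API/dashboard served without auth on {addr}"))
    resolvers = {m.group(1) for k in opts
                 if (m := re.match(r"certificatesresolvers\.([^.]+)\.acme\.", k))}
    for name in sorted(resolvers):
        base = f"certificatesresolvers.{name}.acme."
        if "staging" in opts.get(base + "caserver", ""):
            findings.append(("staging-ca", f"{name}: staging CA, certs are not publicly trusted"))
        if not opts.get(base + "storage", "acme.json").startswith("/"):
            findings.append(("storage-relative", f"{name}: relative storage path, keep it on a volume"))
        if opts.get(base + "dnschallenge") == "true" and base + "dnschallenge.provider" not in opts:
            findings.append(("dns-provider-missing", f"{name}: dnsChallenge without a provider"))
    # Simplification of this example: resolver names are compared case-insensitively.
    for key, value in opts.items():
        if key.endswith(".http.tls.certresolver") and value.lower() not in resolvers:
            findings.append(("unknown-resolver", f"{key} -> undefined resolver {value!r}"))
    return findings

if __name__ == "__main__":
    for check_id, detail in review(ARGS):
        print(f"{check_id}: {detail}")
```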

I've recently set something up following some of the guides online, of course tailored to what I needed, but when I was done I got this same error and was puzzled. You ever figure it out?
