Wildcard Let's Encrypt certs on Kubernetes with Traefik


Get wildcard Let's Encrypt certificates for your sites with style.

Ingredients

For this recipe we will need:

  • A Kubernetes cluster, in our case k3s
  • An AWS Route 53 DNS zone
  • A VPS instance or other server, preferably with 1 GB of RAM

Heads-up: Content in progress below!

Steps

  1. First, get a server 😄 Scaleway, Amazon Lightsail, DigitalOcean and Vultr are among the popular and cheap choices. You can get a decent VPS for as little as $5 that will easily get the job done.

  2. Choose your favorite distro. This exercise was done on Ubuntu 18.04, but other distros will also work fine. Just pick your favorite one and install your k3s server.

  3. Head over to k3s.io and follow the recommended method to install a single-node k3s directly on your host.

    curl -sfL https://get.k3s.io | sh -
    # Check for a Ready node; this takes maybe 30 seconds
    k3s kubectl get node

  4. Create your DNS record sets in AWS Route 53 to match your domain and the server's static IP. While you are there, retrieve your AWS_HOSTED_ZONE_ID.

  5. In the AWS IAM console, create a user with administrator access to your AWS account.

  6. Retrieve the AWS_ACCESS_KEY_ID and the AWS_SECRET_ACCESS_KEY for the user you created in the previous step.
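
Step 5 hands the user full administrator access, but the Route 53 DNS-01 challenge only needs to look up the zone, write and delete the `_acme-challenge` TXT record, and poll the change status. The IAM policy below is an added example (not part of the original post) that grants exactly that for one hosted zone; `Z0000000EXAMPLE` is a placeholder for your AWS_HOSTED_ZONE_ID.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "LookUpHostedZones",
      "Effect": "Allow",
      "Action": "route53:ListHostedZonesByName",
      "Resource": "*"
    },
    {
      "Sid": "PollChangeStatus",
      "Effect": "Allow",
      "Action": "route53:GetChange",
      "Resource": "arn:aws:route53:::change/*"
    },
    {
      "Sid": "WriteChallengeRecordsInOneZonePlaceholderId",
      "Effect": "Allow",
      "Action": [
        "route53:ListResourceRecordSets",
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": "arn:aws:route53:::hostedzone/Z0000000EXAMPLE"
    }
  ]
}
```

Attach this policy to the user from step 5 in place of AdministratorAccess; the access key from step 6 then cannot do anything in your account beyond editing records in that one zone.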

  7. Apply the following ConfigMap for your Traefik pod.

    apiVersion: v1
    data:
      traefik.toml: |
        # traefik.toml
        logLevel = "DEBUG"
        defaultEntryPoints = ["http","https"]
        insecureSkipVerify = true

        [entryPoints]
          [entryPoints.http]
          address = ":80"
          compress = true
            # redirect all plain HTTP to HTTPS
            [entryPoints.http.redirect]
            entryPoint = "https"
          [entryPoints.https]
          address = ":443"
          compress = true
            [entryPoints.https.tls]
              # default certificate served until ACME has issued one
              [[entryPoints.https.tls.certificates]]
              CertFile = "/ssl/tls.crt"
              KeyFile = "/ssl/tls.key"

        [acme]
        email = "admin@example.com"
        storage = "acme.json"
        entryPoint = "https"
        acmeLogging = true
        # staging CA: issued certificates are not browser-trusted; switch to the
        # production directory once the DNS challenge works
        caServer = "https://acme-staging-v02.api.letsencrypt.org/directory"
          [acme.dnsChallenge]
          provider = "route53"
          [[acme.domains]]
          main = "*.example.com"
          sans = ["example.com"]

        [kubernetes]

        [traefikLog]
        format = "json"
    kind: ConfigMap