Handling Multiple Domains on K3s with TLS

K3s is using Traefik ingress and Traefik allows for a simple configuration of Let’s Encrypt out of the box to achieve multi-domain applications without hassle.

Here is what you need to do to make it work:

  1. Install K3s – see instructions at https://k3s.io/
  2. Patch Traefik to support Let’s Encrypt – essentially, you’re looking to inject following 4 settings into Traefik startup (use your valid email to receive notifications):
 - "--certificatesresolvers.le.acme.storage=/data/acme.json"
 - "--certificatesresolvers.le.acme.email=email@yourdomain.com"
 - "--certificatesresolvers.le.acme.tlschallenge=true"
 - "--providers.kubernetesingress=true"

here is a one-liner with kubectl for K3s:

kubectl patch deployment traefik -n kube-system -p "{\\"spec\\":{\\"template\\":{\\"spec\\":{\\"containers\\":[{\\"name\\": \\"traefik\\", \\"args\\":[\\"--entrypoints.metrics.address=:9100/tcp\\", \\"--entrypoints.traefik.address=:9000/tcp\\", \\"--entrypoints.web.address=:8000/tcp\\", \\"--entrypoints.websecure.address=:8443/tcp\\", \\"--api.dashboard=true\\", \\"--ping=true\\", \\"--metrics.prometheus=true\\", \\"--metrics.prometheus.entrypoint=metrics\\", \\"--providers.kubernetescrd\\", \\"--providers.kubernetesingress\\", \\"--providers.kubernetesingress.ingressendpoint.publishedservice=kube-system/traefik\\", \\"--entrypoints.websecure.http.tls=true\\", \\"--certificatesresolvers.le.acme.storage=/data/acme.json\\", \\"--certificatesresolvers.le.acme.email=email@yourdomain.com\\", \\"--certificatesresolvers.le.acme.tlschallenge=true\\", \\"--providers.kubernetesingress=true\\"]}]}}}}"

That is pretty much it. Once the above is done, you should be able to use Traefik very own ingressroute resources for your application – https://doc.traefik.io/traefik/v2.2/routing/providers/kubernetes-crd/ .

All you need to do is to use match host instructions in rules, such as:

  routes:
  - kind: Rule
    match: Host(`mydomain.com`)

and set TLS resolver instruction as:

  tls:
    certResolver: le

This would automatically resolve the domain to application and provision a valid Let’s Encrypt certificate.

Alternatively, you can even use plain Kubernetes Ingress resources, using Traefik annotations (see documentation for more details – https://doc.traefik.io/traefik/v2.2/routing/providers/kubernetes-ingress/):

traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.tls.certresolver: le

1 comment

  1. Pingback: Ephemerals in K8s Namespaces - Work & Life Notes

Leave a comment

Your email address will not be published. Required fields are marked *