Deploy traefik on kubernetes with helm and let's encrypt certificates

kubernetes

First create the traefik chart.

charts/appgw/

mkdir charts && mkdir appgw
touch Chart.yaml values.yaml
cd charts/appgw

Then add the traefik chart repository. This will allow us to pull the traefik chart.

helm repo add traefik https://helm.traefik.io/traefik

In the Chart.yaml add this following and make sure to check the traefik version.

charts/appgw/Chart.yml

apiVersion: v2
name: appgw
description: Install and create Traefik on kubernetes
type: application
version: 0.1.0

dependencies:
  - name: traefik
    version: "19.0.0"
    repository: "@traefik"

Then type this command, helm will download the chart from the traefik repository and put it in the charts folder.

helm dependency build

And edit the values.yaml file.

charts/appgw/values.yml

traefik:
  certResolvers:
    letsencryptresolver:
      email: your-email@your-domain.com
      httpChallenge:
        entryPoint: web
      storage: "/data/acme.json"

  persistence:
    enabled: true

  # This is a permission fix.
  # Issue : https://github.com/traefik/traefik-helm-chart/issues/164#issuecomment-1176866543
  initContainers: 
    - name: volume-permissions
      image: busybox:1.35
      command: ["sh", "-c", "touch /data/acme.json && chmod -Rv 600 /data/* && chown 65532:65532 /data/acme.json"]
      volumeMounts:
        - name: data
          mountPath: /data

Now you will be able to create https ingress with Let’s encrypt certificates.

charts/api/templates/ingress.yaml

{{- if .Values.ingress.enabled -}}
{{- $fullName := include "api.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
  {{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
  name: {{ $fullName }}
  labels:
    {{- include "api.labels" . | nindent 4 }}
  {{- with .Values.ingress.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
  ingressClassName: {{ .Values.ingress.className }}
  {{- end }}
  {{- if .Values.ingress.tls }}
  tls:
    {{- range .Values.ingress.tls }}
    - hosts:
        {{- range .hosts }}
        - {{ . | quote }}
        {{- end }}
      secretName: {{ .secretName }}
    {{- end }}
  {{- end }}
  rules:
    {{- range .Values.ingress.hosts }}
    - host: {{ .host | quote }}
      http:
        paths:
          {{- range .paths }}
          - path: {{ .path }}
            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
            pathType: {{ .pathType }}
            {{- end }}
            backend:
              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
              service:
                name: {{ $fullName }}
                port:
                  number: {{ $svcPort }}
              {{- else }}
              serviceName: {{ $fullName }}
              servicePort: {{ $svcPort }}
              {{- end }}
          {{- end }}
    {{- end }}
{{- end }}

charts/api/values.yaml

...
ingress:
  enabled: true
  annotations:
    traefik.ingress.kubernetes.io/router.tls.certresolver: letsencryptresolver
  hosts:
    - host: your-domain.com
      paths:
        - path: /api
          pathType: ImplementationSpecific
...

And that it!