Example Let's Encrypt configuration in k3s

k3s ships with traefik as its default ingress controller, and traefik is configured through a HelmChartConfig. The configuration file must be placed in the directory /var/lib/rancher/k3s/server/manifests/; the recommended approach is to add a file named traefik-config.yaml there (full path: /var/lib/rancher/k3s/server/manifests/traefik-config.yaml). k3s watches this directory and automatically redeploys traefik whenever the file changes.

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    securityContext: # set the traefik run context so the process can read and write acme.json
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
    deployment:
      additionalVolumes: # add the PVC that persists acme.json
        - name: acme-storage
          persistentVolumeClaim:
            claimName: acme-pvc
    additionalVolumeMounts: # add the volume mount for acme.json
      - name: acme-storage
        mountPath: /acme
    certResolvers:
      letsencrypt: # define the letsencrypt certificate resolver
        email: example@email.com
        dnsChallenge:
          provider: tencentcloud # tencentcloud (DNSPod) used as the example provider
        storage: /acme/acme.json
    env: # environment variables required by the tencentcloud dnsChallenge provider
      - name: TENCENTCLOUD_SECRET_ID
        value: idxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      - name: TENCENTCLOUD_SECRET_KEY
        value: keyxxxxxxxxxxxxxxxxxxxxxxxxxxx
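The manifest above references a PVC named acme-pvc that it does not define, and it embeds the DNS API credentials in plain text inside valuesContent. The following is an added example (not from the original post) showing the PVC, a Secret holding the credentials, and the env section rewritten to read them via secretKeyRef; the names acme-pvc and traefik-dns-credentials, the local-path storage class (the k3s default), and the Secret values are all assumptions or constructed placeholders.

```yaml
# Constructed example: PVC backing /acme/acme.json. It must live in kube-system,
# the namespace k3s deploys traefik into. local-path is the k3s default storage
# class (assumption: it has not been replaced on this cluster).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: acme-pvc
  namespace: kube-system
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: local-path
  resources:
    requests:
      storage: 128Mi
---
# Constructed example: DNS provider credentials kept out of the manifest file.
# Values are placeholders; the API server stores stringData base64-encoded in data.
apiVersion: v1
kind: Secret
metadata:
  name: traefik-dns-credentials   # assumed name
  namespace: kube-system
stringData:
  TENCENTCLOUD_SECRET_ID: "<secret-id-placeholder>"
  TENCENTCLOUD_SECRET_KEY: "<secret-key-placeholder>"
---
# The env section of the HelmChartConfig, rewritten to reference the Secret.
# securityContext, deployment, additionalVolumeMounts and certResolvers from the
# post belong in this same valuesContent; they are omitted here for brevity.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    env:
      - name: TENCENTCLOUD_SECRET_ID
        valueFrom:
          secretKeyRef:
            name: traefik-dns-credentials
            key: TENCENTCLOUD_SECRET_ID
      - name: TENCENTCLOUD_SECRET_KEY
        valueFrom:
          secretKeyRef:
            name: traefik-dns-credentials
            key: TENCENTCLOUD_SECRET_KEY
```

All three objects can be dropped into the same manifests directory, so k3s applies the PVC and Secret alongside the HelmChartConfig; the traefik chart passes each env entry through to the container unchanged, which is why the standard valueFrom form works here.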

For the full list of supported dnsChallenge providers, see: Traefik Let's Encrypt Documentation – Traefik

Once traefik is configured, the only change needed in an IngressRoute to use a Let's Encrypt certificate is the following:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: argocd-websecure-ir
  namespace: xxxx
spec:
  entryPoints:
  - websecure
  tls:
    certResolver: letsencrypt # reference the certResolver defined above