k3s ships Traefik as its default ingress controller and configures it through a HelmChartConfig. The config file must be placed in /var/lib/rancher/k3s/server/manifests/; the recommended name is traefik-config.yaml, so the full path is /var/lib/rancher/k3s/server/manifests/traefik-config.yaml. k3s watches that directory and automatically redeploys Traefik whenever the file changes. Two things to keep in mind before copying the values below: the DNS provider credentials placed in valuesContent end up in plaintext both in this file and in the rendered Traefik Deployment (a Kubernetes Secret referenced via valueFrom is the safer option), and the acme.json file that Traefik writes contains the account key and every issued private key, so the PVC backing it must not be readable by other workloads. Use a DNS provider sub-account whose permissions are limited to managing DNS records for the zones in question.
```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    securityContext: # run Traefik as a fixed non-root UID/GID so it can read and write acme.json
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 1000
    deployment:
      additionalVolumes: # PVC that persists acme.json across restarts
        - name: acme-storage
          persistentVolumeClaim:
            claimName: acme-pvc
    additionalVolumeMounts: # mount point for acme.json (top-level chart value, not under deployment)
      - name: acme-storage
        mountPath: /acme
    certResolvers:
      letsencrypt: # the Let's Encrypt certificate resolver, referenced by name from IngressRoutes
        email: example@email.com
        dnsChallenge:
          provider: tencentcloud # DNSPod (Tencent Cloud) as the example provider
        storage: /acme/acme.json
    env: # environment variables required by the tencentcloud DNS challenge provider
      - name: TENCENTCLOUD_SECRET_ID
        value: idxxxxxxxxxxxxxxxxxxxxxxxxxxxx
      - name: TENCENTCLOUD_SECRET_KEY
        value: keyxxxxxxxxxxxxxxxxxxxxxxxxxxx
```
For the full list of supported dnsChallenge providers and the environment variables each one needs, see: Traefik Let's Encrypt Documentation – Traefik
Once Traefik is configured this way, using a Let's Encrypt certificate only takes one addition to an IngressRoute: a tls block naming the resolver. The fragment below shows just that part; a real IngressRoute also needs spec.routes. Note that traefik.containo.us/v1alpha1 is the legacy CRD group; newer k3s releases ship Traefik CRDs under traefik.io/v1alpha1, and Traefik v3 no longer serves the old group.
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: argocd-websecure-ir
  namespace: xxxx
spec:
  entryPoints:
    - websecure
  # spec.routes omitted in this fragment
  tls:
    certResolver: letsencrypt # name of the certResolver defined in the HelmChartConfig
```
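A complete IngressRoute using the resolver above, added here as an example that is not part of the original post. It goes one step beyond the fragment: because the DNS-01 challenge can prove control of a whole zone, it requests a wildcard certificate via `tls.domains` so that every host under the zone shares one certificate instead of triggering a separate ACME order per IngressRoute. The host `whoami.example.com`, the zone `example.com`, the namespace `demo` and the `whoami` Service on port 80 are hypothetical names chosen for the example.

```yaml
# Added example (not from the original post). Hypothetical names: namespace demo,
# Service whoami:80, host whoami.example.com under the zone example.com.
apiVersion: traefik.containo.us/v1alpha1   # use traefik.io/v1alpha1 on newer Traefik
kind: IngressRoute
metadata:
  name: whoami-websecure-ir
  namespace: demo
spec:
  entryPoints:
    - websecure                             # TLS entry point only; no plain-HTTP route
  routes:
    - match: Host(`whoami.example.com`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    certResolver: letsencrypt               # resolver defined in the HelmChartConfig
    domains:                                # explicit domains -> one wildcard cert for the zone
      - main: example.com
        sans:
          - "*.example.com"
```

Without the `domains` block Traefik derives the certificate's name from the Host rule and orders `whoami.example.com` alone, which also works; the explicit block is what makes the wildcard possible, and wildcards are only issuable through the DNS challenge, not HTTP-01 or TLS-ALPN-01. Keep the DNS credentials scoped to the zones listed here, since a resolver that can write records for the whole account can request certificates for any of its domains.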