attempt automatic letsencrypt

README.md

@@ -30,3 +30,7 @@ spec:
           serviceName: jf
           servicePort: 8096
 ```
+
+## Create a name.com secret for traefik to use:
+
+kubectl create secret generic namedotcom -n kube-system --from-literal=NAMECOM_USERNAME= --from-literal-NAMECOM_API_TOKEN= --from-literal=NAMECOM_SERVER=

k8s/deploy.yaml

@@ -19,6 +19,9 @@ spec:
       containers:
         - name: traefik
           image: traefik:v2.2
+          envFrom:
+            - secretRef:
+              name: namedotcom
           args:
             - --log.level=DEBUG
             - --api
@@ -29,10 +32,22 @@ spec:
             - --providers.kubernetescrd
             - --metrics.statsd=true
             - --metrics.statsd.address=graphite.ducoterra.net:8125
+            - --certificatesresolvers.myresolver.acme.email=ducoterra@icloud.com
+            - --certificatesresolvers.myresolver.acme.storage=/acme/acme.json
+            - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
+            - --certificatesresolvers.myresolver.acme.dnschallenge.provider=namedotcom
+            - --certificatesresolvers.myresolver.acme.dnschallenge.delaybeforecheck=0
+          volumeMounts:
+          - mountPath: /acme
+            name: traefik-acme
           ports:
             - name: web
               containerPort: 9080
             - name: websecure
               containerPort: 9443
             - name: admin
-              containerPort: 8080
+              containerPort: 8080
+      volumes:
+        - name: traefik-acme
+          persistentVolumeClaim:
+              claimName: traefik-acme

k8s/pvc/pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: traefik-acme
+spec:
+  storageClassName: nfs-encrypted
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi