posts/k8s-reflector/ #251
Replies: 2 comments 2 replies
-
Traefik + Cert-Manager + Reflector = Awesome

Found the same as you: reflector combined with cert-manager and Traefik works wonders. Like this, certs are created in the cert-manager namespace and mirrored to the two Traefik namespaces depending on need. Then the default TLSStore in each Traefik instance is used to ensure that the certificates are loaded into each Traefik instance. I have separate certificates and domains on the instances. This ensures that I do not need to add the certificate to all namespaces and reference the certificate as a secret on every IngressRoute.

Example

Self-signed certificate

```yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: self-signed-certificate
  namespace: cert-manager
spec:
  secretName: self-signed-certificate-tls
  issuerRef:
    name: self-signed
    kind: ClusterIssuer
  commonName: "*.self.signed"
  dnsNames:
    - "*.self.signed"
  # reflector reads these annotations off the issued Secret and mirrors it
  # only into the listed namespaces (the private key is copied along with it)
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "traefik-internal,traefik-external"
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "traefik-internal,traefik-external"
```

Internal domain certificate

```yaml
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: certificate-name
  namespace: cert-manager
spec:
  secretName: internal-domain-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "*.internal-domain.tld"
  # placeholder domain aligned with commonName and the IngressRoute host below;
  # the apex is listed separately because a wildcard does not cover it
  dnsNames:
    - "internal-domain.tld"
    - "*.internal-domain.tld"
  secretTemplate:
    annotations:
      reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
      reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "traefik-internal"
      reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
      reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "traefik-internal"
```

TLSStore & TLSOption

Used the self-signed certificate as default under testing to make sure that host name and certificate matching was working with the strict SNI option.

```yaml
---
apiVersion: traefik.io/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: traefik-internal
spec:
  # both secrets are the reflector mirrors that landed in this namespace
  certificates:
    - secretName: internal-domain-tls
    - secretName: self-signed-certificate-tls
  defaultCertificate:
    secretName: self-signed-certificate-tls
---
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: traefik-internal
spec:
  sniStrict: true
```

IngressRoute

```yaml
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik-internal
  annotations:
    kubernetes.io/ingress.class: traefik-internal
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.internal-domain.tld`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
  # no secretName here: the certificate comes from the default TLSStore above
  tls: {}
```
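A check a practitioner would want after wiring this up, added here as an example and not code from the comment, from reflector or from the linked post: the `secretTemplate` annotations copy a wildcard private key into every namespace they name, so it is worth auditing where the mirrors actually landed, whether they are still in sync with the cert-manager source, and whether the wildcard really covers the hosts the IngressRoutes use. The script reads the `items` list from `kubectl get secrets -A -o json`, assumes the mirror secrets carry the `reflector.v1.k8s.emberstack.com/reflects: "<namespace>/<name>"` annotation that reflector documents for mirror secrets, matches namespace names exactly (it does not reproduce reflector's own matching rules), and ships with constructed sample data so it runs offline.

```python
"""Audit reflector mirrors of cert-manager TLS secrets and wildcard host coverage.

Added example for this thread; not code from the discussion, reflector or the
linked post. Input is the "items" list of `kubectl get secrets -A -o json`;
SAMPLE_ITEMS below is constructed so the script runs offline.
"""
import json
import sys

PREFIX = "reflector.v1.k8s.emberstack.com/"

def _csv(value):
    """Split a comma-separated annotation value; empty or None gives []."""
    return [v.strip() for v in value.split(",") if v.strip()] if value else []

def audit_reflection(items):
    """Return (severity, message) findings for every reflection-enabled source.

    Exact namespace names only (reflector's own matching is not reproduced).
    Empty allowed list = every namespace allowed; auto-reflection only lands in
    allowed namespaces; a mirror names its source in ".../reflects". A mirror
    outside the allowed list is HIGH (the private key travelled further than
    intended); stale or missing mirrors are WARN.
    """
    findings = []
    for src in items:
        ann = src["metadata"].get("annotations") or {}
        if ann.get(PREFIX + "reflection-allowed") != "true":
            continue
        src_id = f'{src["metadata"]["namespace"]}/{src["metadata"]["name"]}'
        allowed = _csv(ann.get(PREFIX + "reflection-allowed-namespaces")) or None
        auto_on = ann.get(PREFIX + "reflection-auto-enabled") == "true"
        auto = _csv(ann.get(PREFIX + "reflection-auto-namespaces"))
        if auto_on and not auto:
            findings.append(("WARN", f"{src_id}: auto-reflects to every allowed namespace"))
        expected = {n for n in auto if allowed is None or n in allowed} if auto_on else set()
        seen = set()
        for m in items:
            if (m["metadata"].get("annotations") or {}).get(PREFIX + "reflects") != src_id:
                continue
            mns = m["metadata"]["namespace"]
            seen.add(mns)
            if allowed is not None and mns not in allowed:
                findings.append(("HIGH", f"{src_id}: mirror in {mns} is outside allowed {allowed}"))
            for k in ("tls.crt", "tls.key"):
                if (m.get("data") or {}).get(k) != (src.get("data") or {}).get(k):
                    findings.append(("WARN", f"{src_id}: mirror in {mns} has stale {k}"))
        for missing in sorted(expected - seen):
            findings.append(("WARN", f"{src_id}: expected mirror in {missing} not found"))
    return findings

def host_covered(host, dns_names):
    """True if host matches one of the Certificate's dnsNames. A wildcard covers
    exactly one label: "*.internal-domain.tld" matches "traefik.internal-domain.tld"
    but neither "internal-domain.tld" (list the apex separately) nor "a.b.internal-domain.tld"."""
    host = host.lower().rstrip(".")
    for name in dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            label, _, parent = host.partition(".")
            if label and parent == name[2:]:
                return True
    return False

def _secret(ns, name, crt, key, ann):
    """Constructed kubernetes.io/tls Secret; crt/key stand in for base64 PEM data."""
    return {"metadata": {"namespace": ns, "name": name,
                         "annotations": {PREFIX + k: v for k, v in ann.items()}},
            "type": "kubernetes.io/tls", "data": {"tls.crt": crt, "tls.key": key}}

# Constructed sample: a stale mirror, a mirror in a namespace the source never
# allowed, and an expected mirror (traefik-external) that is absent.
SAMPLE_ITEMS = [
    _secret("cert-manager", "internal-domain-tls", "CRT-v2", "KEY-v2",
            {"reflection-allowed": "true", "reflection-auto-enabled": "true",
             "reflection-allowed-namespaces": "traefik-internal",
             "reflection-auto-namespaces": "traefik-internal"}),
    _secret("traefik-internal", "internal-domain-tls", "CRT-v1", "KEY-v2",
            {"reflects": "cert-manager/internal-domain-tls"}),
    _secret("dev-sandbox", "internal-domain-tls", "CRT-v2", "KEY-v2",
            {"reflects": "cert-manager/internal-domain-tls"}),
    _secret("cert-manager", "self-signed-certificate-tls", "SS-CRT", "SS-KEY",
            {"reflection-allowed": "true", "reflection-auto-enabled": "true",
             "reflection-allowed-namespaces": "traefik-internal,traefik-external",
             "reflection-auto-namespaces": "traefik-internal,traefik-external"}),
    _secret("traefik-internal", "self-signed-certificate-tls", "SS-CRT", "SS-KEY",
            {"reflects": "cert-manager/self-signed-certificate-tls"}),
]

if __name__ == "__main__":
    # kubectl get secrets -A -o json | python3 audit_reflection.py
    items = json.load(sys.stdin)["items"] if not sys.stdin.isatty() else SAMPLE_ITEMS
    for severity, message in audit_reflection(items):
        print(f"{severity}: {message}")
```

Run it with nothing on stdin to see the three findings from the constructed sample (a stale `tls.crt` in traefik-internal, a copy of the wildcard key in dev-sandbox that the source never allowed, and the missing traefik-external mirror); pipe real `kubectl` output in to audit a cluster. `host_covered` is the same single-label wildcard rule a TLS client applies, which is why the second Certificate above lists the apex domain alongside `*.internal-domain.tld`.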
-
Just thought I would mention that for reflector to work you need
otherwise, as far as I understand, you need to manually create a secret that reflects the original secret in the namespace you desire using:
More docs can be found here for whoever reads this: https://artifacthub.io/packages/helm/emberstack/reflector#X-annotate-the-mirror-secret-or-configmap
-
posts/k8s-reflector/
What is Reflector?
https://techno-tim.github.io/posts/k8s-reflector/