
Wildcard Certificates with Traefik + cert-manager + Let's Encrypt in Kubernetes Tutorial

  • Published 12 Aug 2024
  • Traefik, cert-manager, Cloudflare, and Let's Encrypt are a winning combination when it comes to securing your services with certificates in Kubernetes. Today, we'll install and configure Traefik, the cloud native proxy and load balancer, as our Kubernetes Ingress Controller. We'll then install and configure cert-manager to manage certificates for our cluster. We'll set up Let's Encrypt as our Cluster Issuer so that cert-manager can automatically provision TLS certificates and even wildcard certificates using Cloudflare DNS challenge absolutely free. We'll walk through all of this, step by step, so you can help secure your cluster today.
    Video Notes: technotim.live/posts/kube-tra...
    A HUGE thanks to Datree for sponsoring this video!
    Combat misconfigurations. Empower engineers.
    www.datree.io
    Set up kubernetes, fast and automated! • The FASTEST Way to run...
    Support me on Patreon: / technotim
    Sponsor me on GitHub: github.com/sponsors/timothyst...
    Subscribe on Twitch: / technotim
    Become a UA-cam member: / @technotim
    Merch Shop 🛍️: l.technotim.live/shop
    Gear Recommendations: l.technotim.live/gear
    Get Help in Our Discord Community: l.technotim.live/discord
    2nd channel: / @technotimtalks
    (Affiliate links may be included in this description. I may receive a small commission at no cost to you.)
    #traefik #certificates #kubernetes
    00:00 - Traefik + cert-manager + Cloudflare
    01:42 - Ad: Datree - Prevent Kubernetes Misconfigurations
    02:55 - Installing Kubernetes Easily
    03:24 - Checking your cluster
    03:41 - Installing Traefik Kubernetes Ingress
    04:11 - Traefik Helm Values
    08:43 - Installing Traefik with Helm
    09:36 - Traefik Middleware
    10:27 - Traefik Dashboard Credential
    11:32 - Traefik Kubernetes Secret
    12:36 - Traefik Dashboard Ingress
    15:03 - Traefik Dashboard
    16:07 - Why use cert-manager with Traefik?
    17:30 - Installing cert-manager with Helm
    17:44 - cert-manager CRDs
    18:50 - cert-manager Helm Values
    21:52 - Checking the install
    22:24 - Creating a Cluster Issuer
    25:11 - Creating a certificate with Let's Encrypt Staging
    29:03 - Securing your service with TLS certificates
    31:51 - Production Certificates with Let's Encrypt
    34:27 - Apply production certificates to Ingress
    36:46 - Stream Highlight - "Play Button Unboxing"
    Thank you for watching!
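As an added example that is not part of the video or its notes, this is the wiring the description outlines: a cert-manager ClusterIssuer that solves the ACME DNS-01 challenge through a Cloudflare API token, a wildcard Certificate issued against Let's Encrypt staging, and a Traefik IngressRoute that serves it. Names, namespaces, the domain, the e-mail address and the token value are placeholders, and the IngressRoute apiVersion depends on the Traefik version installed.

```yaml
# Added example (not the video's own files). Placeholders: example.com,
# admin@example.com, REPLACE_WITH_CLOUDFLARE_API_TOKEN, the nginx service.
---
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-token-secret
  namespace: cert-manager        # ClusterIssuers read secrets from cert-manager's namespace
type: Opaque
stringData:
  # Use a scoped API token (Zone:DNS:Edit on this one zone), never the global API key.
  cloudflare-token: REPLACE_WITH_CLOUDFLARE_API_TOKEN
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging first: generous rate limits, but browsers will not trust the chain.
    # Once the challenge passes, create a second issuer with
    # https://acme-v02.api.letsencrypt.org/directory and re-point the Certificate.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-staging   # ACME account key, created by cert-manager
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-token-secret
              key: cloudflare-token
        selector:
          dnsZones:
            - example.com
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-com-wildcard
  namespace: default              # must be the namespace of the IngressRoute that uses it
spec:
  secretName: example-com-wildcard-tls   # Traefik reads tls.crt / tls.key from this Secret
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  # dnsNames alone is sufficient; commonName is optional and no longer needed.
  dnsNames:
    - example.com
    - "*.example.com"
  duration: 2160h    # Let's Encrypt issues 90-day certificates regardless of this value
  renewBefore: 360h  # renew 15 days before expiry; the Secret is rewritten in place
---
# Traefik watches the Secret, so a renewed certificate is picked up without a pod restart.
apiVersion: traefik.io/v1alpha1   # traefik.containo.us/v1alpha1 on older Traefik 2.x charts
kind: IngressRoute
metadata:
  name: nginx
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`nginx.example.com`)
      kind: Rule
      services:
        - name: nginx
          port: 80
  tls:
    secretName: example-com-wildcard-tls
```

Check progress with `kubectl get certificate,certificaterequest,order,challenge -A`; a Certificate stuck in `Ready: False` usually means the DNS-01 TXT record has not propagated or the token lacks DNS edit rights on the zone.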

COMMENTS • 166

  • @TechnoTim
    @TechnoTim  2 years ago +29

    Are you using certificates yet for your services??

    • @CRK1918
      @CRK1918 1 year ago

      I'm using Traefik as I follow your video (internal and external); this video is an upgrade from that. Thanks

    • @christiandassy8128
      @christiandassy8128 1 year ago

      Thank you very much for your videos, I really loved them. I have been watching them for over 2 years now! So big fan.... They always help me push my boundaries, learn, and have a better self-hosted setup. Quick question, are you still using Longhorn?

    • @cxl520
      @cxl520 1 year ago +1

      I also use your old video guide and work great for me!
      I'm still relatively new to this video setup and I have some questions, where to put traefik dynamic config files (such as middleware and services IP)?

    • @majorgear1021
      @majorgear1021 1 year ago

      I'm getting there. From my other thread, I had Traefik in Docker serving certs for 2 domains. I'm transitioning to Traefik in a k3s cluster, but there is a learning curve to get it working. It isn't as easy as copying and pasting from config.yml into a manifest file.

  • @RichDurso
    @RichDurso 2 years ago +38

    Suggestion for people wanting to have HA Traefik, if your K3s is already HA (3 or more master nodes) then consider setting Deployment "Kind" to DaemonSet. This will automatically place 1 and only 1 Traefik instance per master node making it actually HA (it creates the nodeSelector). Just bumping replicas to 3 (without setting affinity/anti-affinity) could put all 3 instances on one node which is not an HA configuration. Awesome video as always!

    • @TechnoTim
      @TechnoTim  2 years ago +6

      Thanks, will add affinity to the example!

    • @TechnoTim
      @TechnoTim  2 years ago +9

      Also, the downside of using DaemonSet is that it will run on n nodes, which might be more than you want. I use affinity in my env, otherwise I would have too many Traefik pods running! Will update the example!

    • @majorgear1021
      @majorgear1021 1 year ago

      +1 on good point. Do you need multiple instances of Traefik for availability if you have MetalLB? E.g., if I disconnect the node currently running Traefik, won't controllers just start up a new instance on another node? There might be a delay during the time it takes the new Traefik instance to start, but it would happen eventually, right? Or am I missing something?

    • @geemobile6037
      @geemobile6037 9 months ago

      @@majorgear1021 the point of the high availability is so you don’t have that down time between the single pod going down then back up. You can use it without HA if your services don’t require zero downtime. I currently run my self hosted services this way. Later on I’ll switch to HA.

  • @nabajaffry9321
    @nabajaffry9321 2 years ago +5

    You look tired man. Really appreciate the hard work you put in for this video. The level of detail is really something you can't find anywhere else.

    • @TechnoTim
      @TechnoTim  2 years ago +1

      Thank you! TBH I was so tired, didn’t feel well but the show must go on! Thanks for noticing!!!!

  • @victorwinkler2727
    @victorwinkler2727 1 year ago +3

    I have been trying to get this to work for a good 5 Days now.
    THANK YOU for collecting, presenting and explaining all this information.
    You are awesome.

  • @TeChn4K
    @TeChn4K 11 months ago +1

    Just a note to viewers and to you, Tim: `commonName` in the Certificate object is deprecated. At least one entry in `dnsNames` is enough.
    Thanks for this very detailed and comprehensive video

  • @BrianSez
    @BrianSez 2 years ago +10

    Hey Tim, great tutorial! Would you consider creating a video on how you backup your data? Or perhaps a sort of 'best practices' video on data backup?

  • @dadrad
    @dadrad 2 years ago +3

    Great job explaining the DNS01 challenge for self hosted DNS. I wish this video existed 4 months ago, lol!

  • @esaenz7
    @esaenz7 2 years ago +2

    Awesome! This came just in time after spending this week learning about certificates and how to apply them to my services. Still a lot to learn and practice... Thanks!

  • @llortaton2834
    @llortaton2834 2 years ago

    I feel like you have been teasing this tutorial for YEARS, thank you Tim, a lot.

  • @RAN-os5gz
    @RAN-os5gz 2 years ago

    This is one of the areas I struggle with the most, cluster networking in general. You make it easy to understand so thanks for that

  • @chrisa.1740
    @chrisa.1740 2 years ago

    This is just what I needed to move from my Docker + Traefik + Cloudflare setup that never really seemed to work. Thanks for the vid!

  • @ukaszl.9943
    @ukaszl.9943 1 year ago

    This is the best tutorial about Kubernetes that I have ever seen!!! You're great, better than ChatGPT :) Thank YOU very much, this is what I needed. Everything works like a charm. Great job. Thank you, thank you, thank you. You are great :)

  • @ch40sth30ry
    @ch40sth30ry 10 months ago

    Freaking awesome Tim. Completely demystified the process for me and am currently using it in MY 'production' environment. Thank you!

  • @gravyflex
    @gravyflex 1 year ago

    This was such an excellent video. You are really good at explaining things. I keep coming back to this video, I've seen it more than five times already. I've wanted to set this up for a long time and I am happy with the results.

  • @randleqgod
    @randleqgod 2 years ago

    I’m gonna come back to this when I outgrow Traefik with Docker. This looks amazing.

  • @mitchross2852
    @mitchross2852 1 year ago

    Ok I had to watch this video 5 times in a row. I totally get it now.

  • @primeix
    @primeix 2 years ago +1

    Oh man, is this the upgrade video to the Docker version? But for Kubernetes?!?! I am so excited. It's like I've been waiting for this video to move forward with my lab...

  • @vladimir5935
    @vladimir5935 2 years ago +4

    I use your k3s-ansible playbook extensively and find it very useful. Would you consider adding a feature to allow adding nodes to the cluster via Ansible?

  • @haventfoundme
    @haventfoundme 1 year ago

    Excellent breakdown Tim. Much appreciated.

  • @zavarka2
    @zavarka2 3 months ago

    Thanks, Tim. This helped me.

  • @isLife-if8lz
    @isLife-if8lz 1 month ago

    This is amazing!
    Thank you!

  • @jonasdamfors8249
    @jonasdamfors8249 1 year ago

    Really love your videos. Especially the k8s/dev tools ones like Grafana and its companions.

  • @rileydavidjesus
    @rileydavidjesus 1 year ago

    I like that you call this 'homelab' this is enterprise grade production work.

  • @Faithtosin
    @Faithtosin 1 year ago

    Amazing and a very helpful video. You're amazing Tim.

  • @techchad9730
    @techchad9730 2 years ago +1

    Hey Tim, your videos are awesome, they helped in many different ways. Can you make a video on installing Rancher using Helm on k3s v1.24.3+k3s1? It feels like banging my head against the wall.

  • @Kessra
    @Kessra 2 years ago +2

    Just a word of warning. If your password contains special characters like a $ sign, you need to escape that sign with a leading backspace --> \$ within the htpasswd command: 'htpasswd -nb user pa\$\$word | openssl base64'. Further note: it doesn't change the outcome whether or not you put the password between quotation marks in the htpasswd command. While the string you should paste into the secret-dashboard.yaml file is a bit different, the actual basic-auth challenge will accept the password without quotation marks anyway.

  • @sachasmart7139
    @sachasmart7139 1 year ago

    Amazing. I learned so much. Thank you for all you do.

  • @JonathanJensenp
    @JonathanJensenp 1 year ago

    Great tutorial as always. This was very informative and helpful. Keep up the great work.

  • @CTWilliams89
    @CTWilliams89 11 months ago

    Wanted to say thank you again for this video, my cluster has been chugging along but failed to renew the cert recently. I used this video to help remedy the issue! Have you thought about doing a video on upgrading a k3s cluster? I realized mine is now way out of date since spinning it up with your playbook a year ago lol!

  • @f1aziz
    @f1aziz 1 year ago

    Damn, this was not a walk in the park. Thanks.

  • @fredrik354
    @fredrik354 2 years ago

    This is awesome Tim, thank you very much!

  • @carlitros1207
    @carlitros1207 7 months ago +1

    Random question: if you want to add the certificate to the Traefik dashboard, do you also need to make a certificate in the Traefik namespace? Or how does that work?

  • @UntouchedWagons
    @UntouchedWagons 1 year ago

    Just got it working. I did have an issue with nginx still using the staging cert, but that's because I forgot to change the cert its ingress route was to change lol.

  • @CrashLoopBackOff-K8s
    @CrashLoopBackOff-K8s 2 years ago

    I think my previous comment was deleted, perhaps due to the label being interpreted as a link. In any case, quick repost:
    1. Love your videos and all that you give back to the community -- thank you!
    2. When you were tailing the logs for the cert-manager pods, you don't have to look at them individually. If you use the label for the controller pods, you can look at or tail them all simultaneously. Here's an example: kubectl -n cert-manager logs -l="put the pod labels here" -f. You can get the pod labels by doing a kubectl -n cert-manager get po --show-labels. I'm guessing you already know about this, but passing it along just in case.
    3. When it comes to the helm commands, a couple of things I do to reuse the same commands so that they work whether I'm upgrading or installing for the first time:
    "helm upgrade --install --namespace=traefik --create-namespace traefik traefik/traefik --values=values.yaml"
    Using upgrade with the "--install" option allows you to upgrade the release if it exists, or install it if it does not, with the same command. Similarly, passing "--create-namespace" will create the namespace for the release if it does not exist, which can save you some time. These may or may not be useful, but passing them along just in case.

    • @TechnoTim
      @TechnoTim  2 years ago +1

      Thank you! Yes, automod blocks anything that looks like a link! Thanks for the helm upgrade/install command. I use it but should more often!

  • @jerry3k
    @jerry3k 2 years ago

    Great teacher. Kudos!

  • @cwvhogue
    @cwvhogue 2 years ago

    Thanks for the great how-to video and notes!
    I have a k3s cluster that fetches daily certificates from a homelab-internal Smallstep "step" certificate authority on a Raspberry Pi, and an internal BIND9 DNS server for challenges with my non-public homelab domains. These work the same way, same protocols as Let's Encrypt and Cloudflare DNS, but provide a way for my k3s setup to use internal-only domains with homelab certificates via a similar setup to yours. I have to put my own homelab public cert into my browsers, but only once, as all my certs, while self-signed, come from a homelab root certificate.

    • @TechnoTim
      @TechnoTim  2 years ago

      Nice! I will have to look into Smallstep!

  • @RichDurso
    @RichDurso 2 years ago

    Comment on the Traefik HA limit (16:25 in video). [My apologies if you were keeping things simple. Just want to keep you honest.] The limit is not due to the storage or PVC as you hinted. That is from the old Traefik 1.x days and was removed in Traefik 2.x. The issue is that there is no way to ensure the correct instance of Traefik will receive the challenge request and subsequent responses when you have more than one instance. It is just not possible to run multiple instances of Traefik with Let's Encrypt enabled. You need something else like cert-manager to handle the certs, as you demonstrated.

    • @TechnoTim
      @TechnoTim  2 years ago

      Ah! Thank you! Also, I couldn't mount the PVC as read/write many, which also limited me to one replica!
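Added example (not the video's files) that ties together the two HA threads above: a Traefik Helm values fragment that runs three replicas spread one per node with pod anti-affinity, and leaves Traefik's own ACME storage off because cert-manager holds the certificates in Secrets. It assumes the official traefik chart's pod labels and that its `affinity` value is rendered through Helm's `tpl`.

```yaml
# Added example: values.yaml for `helm upgrade --install traefik traefik/traefik -n traefik -f values.yaml`
# Assumption: official traefik/traefik chart; label values are templates the chart renders.
deployment:
  kind: Deployment      # DaemonSet would place one pod on *every* node, possibly more than wanted
  replicas: 3

# No certificatesResolvers and no acme.json volume: Traefik's built-in ACME cannot
# coordinate challenges across replicas, so cert-manager issues the certs instead.
persistence:
  enabled: false

# Hard anti-affinity on the hostname topology key: the scheduler refuses to co-locate
# two Traefik pods, so one node failure cannot take all replicas down. Three replicas
# therefore need at least three schedulable nodes, or the third pod stays Pending.
affinity:
  podAntiAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      - labelSelector:
          matchLabels:
            app.kubernetes.io/name: '{{ template "traefik.name" . }}'
            app.kubernetes.io/instance: '{{ .Release.Name }}-{{ .Release.Namespace }}'
        topologyKey: kubernetes.io/hostname

# Keep at least two replicas serving during voluntary disruptions such as node drains.
podDisruptionBudget:
  enabled: true
  minAvailable: 2
```

Verify the spread with `kubectl -n traefik get pods -o wide`: each Traefik pod should report a different NODE, and the chart's `app.kubernetes.io/instance` label format can be confirmed with `kubectl -n traefik get pods --show-labels` before relying on the selector above.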

  • @alexisbeltranmeza2807
    @alexisbeltranmeza2807 2 years ago +3

    Does anyone get pending for the EXTERNAL-IP?

  • @minghou5259
    @minghou5259 2 years ago

    A cool video for end-to-end.

  • @thiagomatar7942
    @thiagomatar7942 1 year ago

    Awesome job Tim. Thank you so much

  • @alex.prodigy
    @alex.prodigy 2 years ago

    Cool video, thanks for all the information. It made me think about whether I should also switch from the nginx ingress controller to Traefik :)))

  • @Brainpitcher
    @Brainpitcher 2 years ago

    Absolutely brilliant.. as always :)

  • @michaelhenry1857
    @michaelhenry1857 2 years ago +1

    Thanks for the great video! My current setup is based on your previous video "Put Wildcard Certificates and SSL on EVERYTHING - Traefik Tutorial" and I am excited to move this functionality into the cluster. But I am stuck on one thing - how do you implement the Authelia and Crowdsec middleware with this method (I'm assuming they have to have their own deployments?)

  • @GrimSpec
    @GrimSpec 1 year ago +2

    Would it be possible to use this Traefik also for services outside of Kubernetes? Like we did in "Put Wildcard Certificates and SSL on EVERYTHING - Traefik Tutorial"?

  • @notafbihoneypot8487
    @notafbihoneypot8487 2 years ago

    Hey Tim, this is a long shot, but would you do a video on how to connect TWO HA Kubernetes clusters in different parts of the world for true HA?
    Thanks love the videos

  • @trevorrydalch8959
    @trevorrydalch8959 1 year ago

    I set this up right after setting up my k3s cluster following your HA tutorial. Great work Tim.
    I then installed Rancher, and am struggling to get it to work with the Traefik Let's Encrypt certs.

    • @IcyTone1
      @IcyTone1 9 months ago

      Did you find a solution?

  • @Botio
    @Botio 3 months ago

    I tried this to use two domains on one target with Traefik and RKE2... the second domain always shows the CA is provided by Traefik, not Let's Encrypt.

  • @THEMithrandir09
    @THEMithrandir09 1 year ago +1

    What IP does your DNS resolve to / router route to when using Ingress? The IP of the Traefik pod?

  • @Mikesco3
    @Mikesco3 2 years ago +1

    This is the first time I've not been able to just follow what you're saying.
    But that's mostly because I'm not doing Kubernetes...
    However great video

    • @TechnoTim
      @TechnoTim  2 years ago

      Thank you, and sorry! I wanted to make a version of my certificate video for Kubernetes, like my video for Docker! It's hard keeping up with both! It's not you, it's me!

  • @Luckett16
    @Luckett16 2 years ago +2

    Can you use this method to create certificates for other internal services that aren't being run within Kubernetes? For instance, Proxmox or UniFi (controller is running on my UDM-Pro)? Didn't know if this was limited to only services running on Kubernetes. Thanks for all the amazing content, I follow your tutorials for a lot of my homelab ventures.

    • @TechnoTim
      @TechnoTim  2 years ago +3

      You can use Traefik in Kubernetes as your reverse proxy for any service, in or out of your Kubernetes cluster.

  • @poxin
    @poxin 1 year ago

    Been following along and I have K3S set up from the previous video. One thing I'm confused about is, say you have a range of a few IP addresses on the WAN end, do you put these in the load balancer itself (MetalLB) during the initial cluster setup? Or do you add a rule in your firewall to port forward 80/443 to the internal Traefik IP? Unsure how to get external IPs coming into the reverse proxy properly.

  • @kognitiva
    @kognitiva 7 months ago +1

    Been running through these kubernetes tutorials,
    I did this
    k3s ansible
    this tutorial
    then I wanted to install Rancher. However, the install of Rancher completely obliterates the cluster, making all services unavailable. Can't even get logs from the failed pods.
    Any idea what might be going on?

  • @6713G
    @6713G 2 months ago

    I wanted to know how the nginx deployment is working without making the nginx service a LoadBalancer.
    How did Tim manage to point it via the LB to Traefik and on to the container pod?
    Could anyone help me understand this!!!

  • @xXV1ralXx
    @xXV1ralXx 4 months ago

    Can you please give me examples on how to add other applications?
    How would I make Traefik give Rancher a cert?

  • @ws_stelzi79
    @ws_stelzi79 1 year ago

    It somehow sounds like SOMEONE has learned the hard way why you should use the staging thingy in Let's Encrypt. 😉😇

  • @AlexanderDotH
    @AlexanderDotH 2 months ago

    What's the background music? I like that.

  • @sebastianmolitor4827
    @sebastianmolitor4827 1 year ago

    Hi Tim, first I want to thank you for all your great videos and tutorials. I tried to apply this tutorial, but with only half success. I am using external-dns to automatically register new internal services in my Pi-hole. But external-dns only supports Kubernetes Ingresses and Services. On the GitHub site of external-dns there are some discussions about this, but my knowledge isn't sufficient to understand the solutions there. Maybe you can shed more light on how to set Traefik's values or the dashboard Ingress to get this running. Thank you

  • @zoejs7042
    @zoejs7042 2 years ago

    Ah, terrific. Maybe this'll replace my current messy setup using my Pi-hole DNS to redirect to MetalLB services.

  • @ryasan2536
    @ryasan2536 1 year ago

    Hey! Thank you for the great videos. I got a problem with your example here: if I deploy Traefik, it's not creating the traefik-external IngressClass. Any ideas?

  • @vosproductions37
    @vosproductions37 9 months ago

    1+ year later still gold 🤓!!

  • @KaMZaTa
    @KaMZaTa 1 year ago

    In which location of the k8s node do you save your .yaml files? How do you manage them? Do you keep all of them inside a folder on ~/my-yaml-files/ and sync them to a local copy? What's the best practice?

  • @ThePC_Geek
    @ThePC_Geek 2 years ago

    YAS!! Cert-manager!!!

  • @jonzuka9746
    @jonzuka9746 1 year ago

    It is fine and good, but the apache2 secret didn't help me with Let's Encrypt, of course. Ended up learning more than I wanted.

  • @cajuclc
    @cajuclc 1 year ago

    Thanks for the video.
    Anyone else having issues where nginx doesn't load over HTTPS?

  • @mirokko
    @mirokko 2 years ago

    I really want a video on DNS over TLS with Traefik + Pi-hole. I believe that you can set this DNS-over-TLS server on an Android phone natively and all requests will be forwarded to your Pi-hole server!

  • @ryanceki3998
    @ryanceki3998 9 months ago

    Thank u man... u r Awesome 🔥

  • @AndrewWilliamsFW
    @AndrewWilliamsFW 2 years ago

    I've got my SSL certs set up using the OG Traefik acme.json, but it's just using NFS for storage on a single Raspberry Pi SD card. This definitely seems more resilient!

  • @vivahernando1
    @vivahernando1 1 year ago

    What if I want to use OCI to provision the LB used by Traefik and not MetalLB?

  • @squalazzo
    @squalazzo 2 years ago

    excellent, thanks!

  • @flesz_
    @flesz_ 1 year ago

    I think certs are valid for 3 months. How would I schedule auto-renewal?

  • @yifeiren8004
    @yifeiren8004 1 year ago

    Is this k8s cluster running on your home setup? How did you get an external load balancer?😮

  • @arnepaulsen
    @arnepaulsen 1 year ago

    I got it all set up in production mode and even added Heimdall using your sample Nginx yaml as template. Works like a charm.
    However, using HELM to install Portainer is challenging because the HELM charts create 'Ingress' instead of 'IngressRoute'. Is there a way around the disconnect between HELM charts and the necessary overrides for IngressRoute that are required to specify the Middleware 'default-headers'?
    I suspect whenever using HELM with Traefik we need to download the chart and manually fix the templates for IngressRoute? Would it be better to reinstall Traefik and use the k8s Ingress instead of the Traefik CRD IngressRoute to allow compatibility with HELM? Thank you. Your videos are the best.

  • @callirgos01
    @callirgos01 8 months ago

    How does one create a DNS entry for 13:18? I am super stuck on this. I can't have my UDM set a static IP / internal DNS record for this IP because it requires a MAC address, and the Traefik IP given by MetalLB is a virtual IP. Any way to fix this?

  • @law1213
    @law1213 1 year ago

    Excellent video Tim, I need to use cert-manager with Let's Encrypt and Private PKI/CA wish me luck.
    Do you tend to run two separate Traefik instances in your cluster, one for external and one for internal applications? And for internal, is it considered bad practice to use the kube-system Traefik provided, or should you deploy a separate one for other internal apps as well?

  • @primeix
    @primeix 2 years ago

    Techno music is a +

  • @sachasmart7139
    @sachasmart7139 1 year ago

    Incredible.

  • @BryceTechTips
    @BryceTechTips 1 year ago

    How would you find the IP address for the DNS entry you mention at the 31 minute mark?

  • @its_maalik
    @its_maalik 3 months ago

    Does this auto renew the certificates if they come to expiry?

  • @RandomGuy-up4bv
    @RandomGuy-up4bv 2 years ago

    Can you make a video on Cilium, the CNI network driver alternative to the AWS VPC network driver?

  • @BP-qy2pb
    @BP-qy2pb 2 years ago +1

    To make Let's Encrypt verify the DNS,
    does it mean I have to expose the k8s Ingress to the public network without any reverse proxy?

    • @TechnoTim
      @TechnoTim  2 years ago +3

      No, you do not! That's the beauty of this method, it uses the DNS-01 challenge which does not require your cluster to be public!

  • @f1aziz
    @f1aziz 11 months ago

    Thanks Tim, I roughly followed the same steps. I am using DuckDNS, therefore I had to use a slightly different path to get the certificate. Quick question: once you have created the certificate, are these cert-manager pods necessary to keep around? I guess they do rotate the certificates, so we would have to keep them running.

  • @renanoliveira0
    @renanoliveira0 1 year ago

    Thanks!

  • @m8_981
    @m8_981 1 year ago

    8:30 What would I use if I've got servers in the cloud? The IP of one of my nodes?

  • @darthweiter7074
    @darthweiter7074 2 years ago +1

    Thank you for your amazing tutorial. I started fresh in the Kubernetes world. I used the nginx reverse proxy with Docker before but want to migrate to Kubernetes now.
    Is there any good solution for using the wildcard certificates across namespaces? So I can use it on all of my homelab services, and for the Traefik dashboard as well. Or do I need to create my own certificate under my specific namespace?

    • @stevemulcahy5014
      @stevemulcahy5014 2 years ago

      I was wondering the same thing!

    • @TechnoTim
      @TechnoTim  1 year ago +2

      Either use Reflector or see another comment addressing this!

  • @tomklein6540
    @tomklein6540 2 years ago +1

    Hey Tim,
    Great tutorial! Keep up the good work :)
    I've managed to get it all running on my Pi4 cluster, with IPv6 (if someone is interested in getting that up and running with RKE, let me know).
    Just one question about the Traefik dashboard though: it seems the middleware takes me to a link with a certificate from Traefik instead of the wildcard.
    I'm not sure where to adjust that.... I suspect it's the Traefik first setup... from Helm...
    I've changed the Ingress YAML to use the TLS wildcard, but that only works after authentication.
    Any ideas?
    Cheers!
    ***edit***
    Fixed that....
    Same problem with the namespace where the certificate is created, so Traefik won't be able to fetch it.
    When creating a separate cert for Traefik in the namespace of Traefik and running a helm upgrade, it works fine.

  • @damyanmp
    @damyanmp 1 year ago

    Any ideas if I can pass a challenge with a domain in Google Domains? I was able to generate a token but I'm not sure how to configure the letsencrypt YAML config.

  • @AfroJewelz
    @AfroJewelz 1 year ago

    Just one question: with the DNS-01 resolver, how do I work the Cloudflare dashboard when local Kubernetes is set up just like in the tutorial? I watched
    `kubectl get challenges` every 2 minutes; the status of course is pending, then I open the CF dash and I can see my challenges. But when is it over? I was doing the staging steps btw.

  • @alqods80
    @alqods80 1 year ago

    Just more complicated to set up than your other video about automating k8s deployment using Ansible. Sounds like deploying certs for homelab environments is overkill for me.

  • @xavyaly9305
    @xavyaly9305 11 months ago

    Do you have Terraform code to perform the same? If yes, please share, thx.

  • @mellquist1
    @mellquist1 1 year ago +2

    For the life of me, I can't get the EXTERNAL-IP for Traefik off of a "pending" status.

    • @angelgonzalez2379
      @angelgonzalez2379 1 year ago

      Did you ever find the solution to the EXTERNAL-IP stuck in pending status?

  • @sanrollheiser
    @sanrollheiser 1 year ago

    Hi, how are you? I have some problem with setting up the IngressRoute. The host, when I try to reach it, gives me ERR_TOO_MANY_REDIRECTS. Any idea? If I delete the IngressRoute it opens ok, but using the default Traefik SSL.

  • @wmchristie
    @wmchristie 2 years ago

    I landed here because I want to watch Cpt. Jack Sparrow do a tech talk.

    • @wmchristie
      @wmchristie 2 years ago

      Just kidding. I’m a subscriber and your videos have simplified my own process for creating my own home lab. Thank you.

  • @sig_kill
    @sig_kill 1 year ago

    How do you expose workloads inside of Rancher with an Ingress configuration like what you defined for nginx?

    • @TechnoTim
      @TechnoTim  1 year ago

      The same way, but instead of an IngressRoute use a plain Ingress!

  • @dylankoke
    @dylankoke 1 year ago

    Great video! Everything was explained perfectly, although I'm having some trouble. (@31:00) I'm slightly confused about this process. Do I have to give the nginx test deployment a LoadBalancer service to get an IP? Then do I tell my local DNS (Pi-hole) that the IngressRoute match host goes to my LoadBalancer IP? Sorry, just slightly confused. Thanks!

    • @TechnoTim
      @TechnoTim  1 year ago +1

      Local DNS should point at the MetalLB load balancer and then Traefik will route it to the pod.

    • @TechnoTim
      @TechnoTim  1 year ago +1

      Also thank you

    • @BensanChong
      @BensanChong 1 year ago +1

      @@TechnoTim Hello, thank you for this video, it's been really great to follow along with. I believe I'm stuck at the same question as Dylan. To add some detail: in the sample nginx test you give for applying the production SSL cert, the service.yml [in the nginx folder] does not have a line for type: LoadBalancer. I'm not sure if you meant that intentionally? When I deploy this nginx there is no VIP [External IP] associated with the service if you show svc --all-namespaces -o wide. The nginx only has an internal IP. What would be the MetalLB load balancer IP you reference in your comment above, to which you state to make sure DNS points?

    • @BensanChong
      @BensanChong 1 year ago +1

      I've figured it out, apologies. You were referencing the VIP created when installing Traefik, and MetalLB produced the VIP. I pointed my DNS to that VIP and voila, secured site for nginx! Thanks for this video, I've learned so much from it!

  • @Equality-and-Liberty
    @Equality-and-Liberty 2 years ago

    Hey Tim, great video. Based on your previous video "Put Wildcard Certificates and SSL on EVERYTHING - Traefik Tutorial" I have created a Traefik container and since then I don't have to worry about certificates because Traefik is taking care of that. What is the difference between that approach (the previous video) and this one?

    • @TechnoTim
      @TechnoTim  2 years ago

      This is in Kubernetes and allows this to run HA Traefik (multiple instances).

  • @Stinosko
    @Stinosko 2 years ago

    On my end the audio is clipping, anyone else with the same issue?

  • @user-lu9pz5mf9g
    @user-lu9pz5mf9g 1 year ago

    Hey, can someone name me the song that plays at 4:55?

  • @mr.engineer-youtube
    @mr.engineer-youtube 1 year ago

    Any suggestions on how to store cert-manager certificates in an external volume?

    • @TechnoTim
      @TechnoTim  1 year ago

      You don't need to with cert-manager!

  • @pbolduc
    @pbolduc 2 years ago

    So what happens when the certificate is renewed? The new certificate will be updated in the secret, but typically the container apps load the certificate at start-up, use that, and require a reload/restart to start using the new certificate. Let's Encrypt certificates are 90 days. Is there anything to automatically restart the pods? Edit: Thinking about my question, it seems Traefik may monitor for changes in the secret and load the certificate when the secret (certificate) changes.

    • @TechnoTim
      @TechnoTim  2 years ago

      Yes, Traefik will load the new cert. It's awesome! It will renew and rotate it automatically!

  • @gomezsame
    @gomezsame 4 months ago

    @technotim, can I use Namecheap instead of Cloudflare?

    • @TechnoTim
      @TechnoTim  4 months ago

      Not sure! Check the DNS01 providers for cert-manager.