How to Setup Distributed ACME in Traefik Enterprise¶
Traefik Enterprise uses a dedicated agent to issue and share ACME certificates between multiple clusters. This agent operates along with a Vault KV provider, which retrieves generated certificates from a Vault server. The distributed ACME agent only supports the DNS challenge, because the HTTP and TLS challenges are inherently multicluster-friendly.
This guide assumes that you are using Kubernetes.
Configure the Agent¶
The agent stores generated certificates in a Vault server. It must have a KV Secrets Engine version 2 enabled.
Dedicated Secrets Engine
For security reasons, the best practice is to use a dedicated Secrets Engine to store certificates.
Enabling a Secrets Engine
Here is an example to enable a new Secrets Engine under the "customPath" path: vault secrets enable -path=customPath -version=2 kv
In order to enable mTLS between the Traefik Enterprise controllers and the Distributed ACME Agent, you must provide certificates in the configuration of the agent. It is recommended to store those certificates in Kubernetes TLS Secrets and mount them on your ACME Agent and Traefik Enterprise Controller deployments or StatefulSets.
Additionally, you have to configure the certificate resolvers to use for solving DNS challenges. You'll need to configure at least one DNS provider for the agent to work.
Required Environment Variables
All the DNS providers have their own sets of required environment variables you'll need to set in order to authenticate. The Traefik documentation contains a list of providers and their associated variables.
To avoid recreating new ACME accounts every time the agent restarts, it persists account credentials on its filesystem. Mounting a Persistent Volume to /var/lib/acme-agent/state/state.json allows the agent to keep its state across restarts.
Below is a complete example of how to deploy the ACME agent with mTLS. Commented lines potentially need to be edited.
apiVersion: apps/v1
kind: Deployment
metadata:
name: acme-agent-deployment
namespace: traefikee
labels:
app: acme-agent
spec:
selector:
matchLabels:
app: acme-agent
template:
metadata:
labels:
app: acme-agent
spec:
containers:
- name: acme-agent
image: traefik/acme-agent:v1.0.0
# Edit these environment variables with what your DNS provider requires.
env:
- name: CLOUDFLARE_DNS_API_TOKEN
value: $CLOUDFLARE_API_TOKEN
volumeMounts:
# Here we mount the configuration of the agent.
- name: config
mountPath: /etc/acme-agent/
# This allows preserving the state if the agent restarts.
- name: state
mountPath: /var/lib/acme-agent/state/
- name: mtls-ca
mountPath: /var/lib/acme-agent/mtls/ca/
- name: mtls-server
mountPath: /var/lib/acme-agent/mtls/server/
volumes:
- name: config
configMap:
name: acme-agent-config
items:
- key: config.yml
path: config.yml
- name: state
persistentVolumeClaim:
claimName: acme-agent-state
- name: mtls-ca
secret:
secretName: acme-agent-mtls-ca
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.key
- name: mtls-server
secret:
secretName: acme-agent-mtls-server
items:
- key: tls.crt
path: tls.crt
- key: tls.key
path: tls.keyapiVersion: v1
kind: Service
metadata:
name: acme-agent
namespace: traefikee
spec:
selector:
app: acme-agent
ports:
# This needs to match the port on which the agent is listening.
- port: 5505apiVersion: v1
kind: ConfigMap
metadata:
name: acme-agent-config
namespace: traefikee
data:
# Edit the agent configuration here. Note that the agent must be restarted to take changes into account.
config.yml: |-
listenAddr: 0.0.0.0:5505
tls:
ca: /var/lib/acme-agent/mtls/ca/tls.crt
cert: /var/lib/acme-agent/mtls/server/tls.crt
key: /var/lib/acme-agent/mtls/server/tls.key
vault:
url: http://vault.traefikee.svc.cluster.local:8200
token: root
enginePath: customPath
certificateResolvers:
myResolver:
email: [email protected]
caServer: https://acme-staging-v02.api.letsencrypt.org/directory
provider: cloudflareapiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: acme-agent-state
namespace: traefikee
spec:
accessModes:
- ReadWriteOnce
# Replace the storageClassName with the storage you use in your Kubernetes cluster.
storageClassName: local-path
resources:
requests:
# The state only consists of ACME account credentials which are a few kilobytes per account used.
storage: 10MiapiVersion: v1
kind: Secret
metadata:
name: acme-agent-mtls-ca
namespace: traefikee
type: kubernetes.io/tls
data:
tls.crt: # Your base64-encoded certificate goes here
tls.key: # Your base-64 encoded key goes here
---
apiVersion: v1
kind: Secret
metadata:
name: acme-agent-mtls-server
namespace: traefikee
type: kubernetes.io/tls
data:
tls.crt: # Your base64-encoded certificate goes here
tls.key: # Your base64-encoded key goes here
---
apiVersion: v1
kind: Secret
metadata:
name: acme-agent-mtls-client
namespace: traefikee
type: kubernetes.io/tls
data:
tls.crt: # Your base64-encoded certificate goes here
tls.key: # Your base64-encoded key goes hereConfigure Traefik Enterprise¶
In the Traefik Enterprise static configuration, you'll need to enable the Distributed ACME certificate resolver as well as the Vault KV provider. The certificate resolver will issue requests to the Distributed ACME agent, and the Vault KV provider is in charge of fetching certificates from the Vault server that runs with the ACME agent.
Just like the ACME agent, Traefik Enterprise controllers can be configured to use mTLS, in which case the certificate resolver configuration needs paths to the mTLS certificates. It is also recommended to store them in Kubernetes TLS Secrets and mount them on your Traefik Enterprise Controller StatefulSets.
Below is an example of a Traefik Enterprise static configuration that uses the distributed ACME agent:
entryPoints:
https:
address: 0.0.0.0:443
providers:
kubernetesCRD: { }
plugin:
vault:
url: http://vault.traefikee.svc.cluster.local:8200
token: root
enginePath: customPath
certificatesResolvers:
# Define your certificate resolver here.
myResolver:
distributedACME:
url: https://acme-agent.traefikee.svc.cluster.local:5505
tls:
ca: /var/lib/acme-agent/mtls/ca/tls.crt
cert: /var/lib/acme-agent/mtls/client/tls.crt
key: /var/lib/acme-agent/mtls/client/tls.keyIf you are using mTLS, which is recommended for a production environment, you also need to update your Traefik Enterprise StatefulSet and add the following volumes and volume mounts so that it has access to mTLS certificates:
spec:
template:
spec:
containers:
- name: "default-controller"
volumeMounts:
- name: mtls-ca
mountPath: /var/lib/acme-agent/mtls/ca/
- name: mtls-client
mountPath: /var/lib/acme-agent/mtls/client/
volumes:
- name: mtls-ca
secret:
secretName: acme-agent-mtls-ca
- name: mtls-client
secret:
secretName: acme-agent-mtls-clientYou can apply the above patch on your existing Traefik Enterprise StatefulSet with the following command:
kubectl patch statefulset -n traefikee default-controller -p "$(cat traefikee-mtls-patch.yml)"kubectl patch statefulset -n traefikee default-controller -p (cat traefikee-mtls-patch.yml | string collect)kubectl patch statefulset -n traefikee default-controller -p $(Get-Content traefikee-mtls-patch.yml -Raw)Configure your IngressRoutes¶
To use the distributed ACME agent you must reference the certificate resolver configured in your static configuration:
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: myservice
namespace: traefikee
spec:
entryPoints:
- https
routes:
- match: Host(`myservice.corp.com`)
kind: Rule
services:
- name: myservice
namespace: traefikee
port: 80
tls:
# Reference your certificate resolver here.
certResolver: myResolverConfiguration References¶
Agent Configuration¶
listenAddr¶
Required, Default="0.0.0.0:5505"
Defines the interface and port on which the distributed ACME agent listens for requests.
listenAddr: 0.0.0.0:5505checkRenewalInterval¶
Optional, Default="24h"
Defines the interval at which the agent checks if ACME certificates need to be renewed.
checkRenewalInterval: 24htls.ca, tls.cert and tls.key¶
Optional, Default=""
Paths to certificates required for enabling mTLS to secure communication between Traefik Enterprise and the ACME agent. If these are not set, mTLS is disabled and the connection between the ACME agent and Traefik Enterprise controllers is not secured.
tls:
ca: /var/lib/acme-agent/mtls/ca/ca.pem
cert: /var/lib/acme-agent/mtls/server/server.pem
key: /var/lib/acme-agent/mtls/server/server-key.pemvault.url¶
Required, Default=""
Defines the URL of the Vault server, including the scheme and port.
vault:
url: https://vault.devault.svc.cluster.local:9200vault.token¶
Optional(one of vault.token or vault.appRole must be set), Default=""
Defines the token to authenticate with Vault.
Supported Authentication Mechanisms
The Vault certificate resolver currently supports token authentication only.
vault:
token: myVaultTokenvault.appRole¶
Optional(one of vault.token or vault.appRole must be set), Default=None
Enables the AppRole authentication method. See vault.appRole.* options
to see what needs to be provided.
vault.appRole.roleID¶
Required, Default=""
Defines the ID of the role to use when authenticating to Vault with AppRole.
vault:
appRole:
roleID: "4cf1dc0d-f431-f76d-42fd-ed1264f0b893"vault.appRole.secretID¶
Required, Default=""
Defines the ID of the secret to use when authenticating to Vault with AppRole.
vault:
appRole:
secretID: "63cffb45-b404-18c4-cdbb-af723aaef1e7"vault.appRole.path¶
Optional, Default="approle"
Defines the path under which the AppRole authentication method is enabled in Vault.
vault:
appRole:
path: "customAppRolePath"vault.enginePath¶
Optional, Default="tls"
Defines the path under which the PKI secret engine is enabled.
Vault Namespaces
If using Vault Namespaces, simply prefix the engine path
with the name of the namespace. If using the engine path secret under the default namespace, set
default/secret as the engine path.
vault:
enginePath: customPathvault.syncInterval"¶
Optional, Default="1m"
Defines the interval at which the agent checks if an ACME certificates was manually deleted in Vault.
vault:
syncInterval: 1mcertificateResolvers.resolverName.email¶
Required, Default=""
The email to use for the ACME account of this resolver.
certificateResolvers:
resolverName:
email: [email protected]certificateResolvers.resolverName.caServer¶
Required, Default=""
The URL to the ACME directory from which to obtain certificates.
certificateResolvers:
resolverName:
caServer: https://acme-staging-v02.api.letsencrypt.org/directorycertificateResolvers.resolverName.provider¶
Required, Default=""
The DNS provider used to automate DNS verifications for the ACME challenges.
Required Environment Variables
All the DNS providers have their own sets of required environment variables you'll need to set in order to authenticate. The Traefik documentation contains a list of providers and their associated variables.
certificateResolvers:
resolverName:
provider: cloudflarecertificateResolvers.resolverName.keyType¶
Required, Default="RSA4096"
The key type to use for the private keys associated with the generated certificates. Allowed values are the following:
EC256, EC384, RSA2048, RSA4096, RSA8192.
certificateResolvers:
resolverName:
keyType: RSA4096Certificate Resolver Configuration¶
url¶
Required, Default=""
The URL of the Distributed ACME Agent.
url: https://dacme.example.orgurl = "https://dacme.example.org"tls.ca, tls.cert and tls.key¶
Optional, Default=""
Paths to certificates required for enabling mTLS to secure communication between Traefik Enterprise and the ACME agent. If these are not set, mTLS is disabled and the connection between the ACME agent and Traefik Enterprise controllers is not secured.
tls:
ca: /var/lib/acme-agent/mtls/ca/ca.pem
cert: /var/lib/acme-agent/mtls/server/server.pem
key: /var/lib/acme-agent/mtls/server/server-key.pem[tls]
ca = "/var/lib/acme-agent/mtls/ca/ca.pem"
cert = "/var/lib/acme-agent/mtls/server/server.pem"
key = "/var/lib/acme-agent/mtls/server/server-key.pem"Configuration Examples¶
Agent Configuration¶
Below is a complete distributed ACME agent configuration example:
listenAddr: 0.0.0.0:5505
checkRenewalInterval: 24h
tls:
ca: /path/to/mtls/ca.pem
cert: /path/to/mtls/server/cert.pem
key: /path/to/mtls/server/key.pem
vault:
url: https://vault.corp.com:8200
token: myVaultToken
enginePath: customPath
syncInterval: 1m
certificateResolvers:
myResolver:
email: [email protected]
caServer: https://acme-staging-v02.api.letsencrypt.org/directory
provider: cloudflareCertificate Resolver Configuration¶
Below is a complete distributed ACME certificate resolver configuration example:
url: https://acme-agent.traefikee.svc.cluster.local:5505
tls:
ca: /var/lib/acme-agent/mtls/ca/tls.crt
cert: /var/lib/acme-agent/mtls/client/tls.crt
key: /var/lib/acme-agent/mtls/client/tls.keyurl = "https://acme-agent.traefikee.svc.cluster.local:5505"
[tls]
ca = "/var/lib/acme-agent/mtls/ca/tls.crt"
cert = "/var/lib/acme-agent/mtls/client/tls.crt"
key = "/var/lib/acme-agent/mtls/client/tls.key"