TLS

Traefik Enterprise provides support for TLS over HTTP and TCP. It can be enabled on any router, using either ACME or user-provided certificates. This section explains how to load user-provided certificates into a cluster and how to configure routers to use them.
teectl is required
The teectl binary must be installed for cluster management.
Manage TLS Certificates
A TLS certificate can be added to a cluster using the following teectl command:
teectl create tls-cert \
    --cert="cert.pem" \
    --key="key.pem"

Once added, the certificate will be used on routers that have TLS enabled when the domain matches.
Traefik Enterprise can use a default certificate when no certificate matches the requested domain. A certificate is served as the default if it was added with the --isdefault option.
Certificate information can be retrieved from a cluster using the following command:
teectl get tls-certs

ID                         CN                  SANs  NOT AFTER             STORE    DEFAULT
u7vxw9esw9vuyjqokgpvza9cl  whoami.example.com        2022-01-22T15:27:25Z  default  false

Please note that each certificate is assigned a unique ID, which is used to remove it from the cluster:

teectl delete tls-cert --id="u7vxw9esw9vuyjqokgpvza9cl"

Examples
Kubernetes
Set up a cluster on Kubernetes:

# Set up a cluster to manage.
teectl setup --kubernetes
# Generate the manifest file and install it on the Kubernetes cluster.
teectl setup gen \
    --license="$TRAEFIKEE_LICENSE" \
    --controllers=1 \
    --proxies=2 | kubectl apply -f -

Add the certificate to the cluster:
teectl create tls-cert \
    --cert="cert.pem" \
    --key="key.pem"

Copy the following static configuration into a file named static.yaml. It configures Traefik Enterprise to use the kubernetesCRD provider and adds a websecure entrypoint that listens for incoming HTTP requests on port 443.
providers:
  kubernetesCRD: {}
entryPoints:
  websecure:
    address: ":443"

Once the cluster is ready, apply the static configuration:

teectl apply --file="./static.yaml"

Create a new file whoami.yaml with the following Kubernetes objects:
- Namespace: Create a new namespace whoami-ns where the following objects will reside.
- Deployment: Deploy a single pod running the traefik/whoami image.
- Service: Declare a service whoami-svc to expose the whoami pods on port 80.
- IngressRoute: Declare a new router which routes requests coming from the websecure entrypoint (port 443, defined in the static configuration) to the whoami-svc service if the hostname is whoami.example.com. Please note that tls is enabled on this route.
---
apiVersion: v1
kind: Namespace
metadata:
  name: whoami-ns
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoami
  namespace: whoami-ns
spec:
  selector:
    matchLabels:
      app: whoami
  replicas: 1
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami:v1.6.1
          imagePullPolicy: Always
---
apiVersion: v1
kind: Service
metadata:
  name: whoami-svc
  namespace: whoami-ns
spec:
  type: ClusterIP
  ports:
    - port: 80
      name: whoami
  selector:
    app: whoami
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-ingressroute
  namespace: whoami-ns
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`whoami.example.com`)
      kind: Rule
      services:
        - name: whoami-svc
          port: 80
  tls: {}

Deploy the whoami service and the ingress route:

kubectl apply -f ./whoami.yaml

The application is now deployed and accessible on https://whoami.example.com. To check which certificate the proxy serves for this hostname without relying on DNS, connect to the proxy's external IP with openssl:

EXTERNAL_IP=$(kubectl -n traefikee get service/default-proxy-svc -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
openssl s_client -showcerts -servername whoami.example.com "$EXTERNAL_IP:443"

Docker Swarm
Set up a cluster on Docker Swarm:

# Set up a cluster to manage.
teectl setup --swarm --swarm.hosts="<the swarm hosts>"
# Set up Traefik Enterprise controllers.
teectl setup gen \
    --license="$TRAEFIKEE_LICENSE" \
    --controllers=1 | docker stack deploy -c - traefikee
# Set up Traefik Enterprise proxies once the controllers are ready.
teectl setup gen \
    --license="$TRAEFIKEE_LICENSE" \
    --proxies=2 | docker stack deploy -c - traefikee

Add the certificate to the cluster:
teectl create tls-cert \
    --cert="cert.pem" \
    --key="key.pem"

Copy the following static configuration into a file named static.yaml. It configures Traefik Enterprise to use the docker provider with swarmMode enabled and adds a websecure entrypoint that listens for incoming HTTP requests on port 443.
providers:
  docker:
    swarmMode: true
    exposedByDefault: false
entryPoints:
  websecure:
    address: ":443"

Once the cluster is ready, apply the static configuration:

teectl apply --file="./static.yaml"

Create a new file whoami.yaml to define a whoami service. Please note that tls is enabled on this whoami router.
version: '3.4'
networks:
  traefikee_traefikee-ingress:
    external: true
services:
  whoami:
    image: traefik/whoami:v1.6.1
    deploy:
      mode: replicated
      replicas: 1
      labels:
        # Required because exposedByDefault is false in static.yaml; without it the
        # docker provider ignores this service and no router is created.
        - "traefik.enable=true"
        - "traefik.http.routers.whoami.entrypoints=websecure"
        - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
        - "traefik.http.routers.whoami.tls=true"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"
    networks:
      - traefikee_traefikee-ingress

Deploy the whoami service:

docker stack deploy -c whoami.yaml traefikee

The application is now deployed and accessible on https://whoami.example.com. To check which certificate the proxy serves for this hostname, connect to the local proxy port with openssl:

openssl s_client -showcerts -servername whoami.example.com "127.0.0.1:443"
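The openssl checks above verify one hostname at a time; the inventory printed by teectl get tls-certs in the Manage TLS Certificates section is what an operator audits as a whole before and after such deployments. The following Python is an added example, not part of the Traefik Enterprise documentation or tooling: it parses that table (the sample is constructed in the layout of the page's excerpt; the wildcard row, its SAN list and its ID are made up) and reports expired or soon-expiring certificates, hostnames that no unexpired certificate covers, and whether a default certificate exists.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample laid out like this page's `teectl get tls-certs` excerpt; the wildcard row is made up.
SAMPLE = """\
ID                         CN                  SANs                       NOT AFTER             STORE    DEFAULT
u7vxw9esw9vuyjqokgpvza9cl  whoami.example.com                             2022-01-22T15:27:25Z  default  false
a1b2c3d4e5f6g7h8i9j0k1l2m  *.example.com       *.example.com,example.com  2035-06-01T00:00:00Z  default  true
"""

def parse_table(text):
    """Header names may contain one space ("NOT AFTER"), cells contain none, and a cell (SANs)
    may be empty, so each token is assigned to the header column whose start offset is nearest."""
    lines = [line for line in text.splitlines() if line.strip()]
    cols = [(m.group(), m.start()) for m in re.finditer(r"\S+(?: \S+)*", lines[0])]
    rows = []
    for line in lines[1:]:
        rec = {name: "" for name, _ in cols}
        for tok in re.finditer(r"\S+", line):
            rec[min(cols, key=lambda c: abs(c[1] - tok.start()))[0]] = tok.group()
        rows.append(rec)
    return rows

def name_matches(pattern, host):
    """Standard TLS name matching: exact, or a wildcard that covers exactly one label."""
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host

def audit(text, hostnames, now, warn_days=30):
    """Flag expired and soon-expiring IDs, hostnames no unexpired certificate covers, and a missing default."""
    certs = parse_table(text)
    for c in certs:
        c["names"] = [c["CN"]] + [s for s in c["SANs"].split(",") if s]
        c["not_after"] = datetime.strptime(c["NOT AFTER"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    expired = [c["ID"] for c in certs if c["not_after"] <= now]
    expiring = [c["ID"] for c in certs if now < c["not_after"] <= now + timedelta(days=warn_days)]
    def covered(host):
        return any(c["ID"] not in expired and any(name_matches(n, host) for n in c["names"]) for c in certs)
    uncovered = [h for h in hostnames if not covered(h)]
    has_default = any(c["DEFAULT"] == "true" for c in certs)
    return {"expired": expired, "expiring": expiring, "uncovered": uncovered, "has_default": has_default}

def demo_report():
    """Audit the sample as of a fixed date so the result is reproducible; whoami.example.com is the page's host."""
    return audit(SAMPLE, ["whoami.example.com", "api.internal.example.com"],
                 now=datetime(2024, 1, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    print(demo_report())
```

In the sample, the page's whoami certificate has already expired, but the made-up wildcard covers whoami.example.com and is the default; api.internal.example.com is reported as uncovered because a wildcard matches a single label only.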