From 285e115475c9aeb41362b73963f727b0edd40906 Mon Sep 17 00:00:00 2001
From: Olivier Wenger
Date: Tue, 1 Feb 2022 23:32:10 +0100
Subject: [PATCH] added letsencrypt configuration for traefik

---
 main.tf | 8 +++++---
 templates/traefik_config.yaml.tpl | 6 ++++++
 terraform.tfvars.example | 4 ++++
 variables.tf | 13 +++++++++++++
 4 files changed, 28 insertions(+), 3 deletions(-)

diff --git a/main.tf b/main.tf
index 7e31d1d..bfd468e 100644
--- a/main.tf
+++ b/main.tf
@@ -166,9 +166,11 @@ resource "local_file" "hetzner_csi_config" {
 resource "local_file" "traefik_config" {
 content = templatefile("${path.module}/templates/traefik_config.yaml.tpl", {
- lb_disable_ipv6 = var.lb_disable_ipv6
- lb_server_type = var.lb_server_type
- location = var.location
+ lb_disable_ipv6 = var.lb_disable_ipv6
+ lb_server_type = var.lb_server_type
+ location = var.location
+ traefik_acme_tls = var.traefik_acme_tls
+ traefik_acme_email = var.traefik_acme_email
 })
 filename = "${path.module}/templates/rendered/traefik_config.yaml"
 file_permission = "0644"
diff --git a/templates/traefik_config.yaml.tpl b/templates/traefik_config.yaml.tpl
index 4b03c7a..4ccf29b 100644
--- a/templates/traefik_config.yaml.tpl
+++ b/templates/traefik_config.yaml.tpl
@@ -24,3 +24,9 @@ spec:
 - "--entryPoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,10.0.0.0/8"
 - "--entryPoints.web.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
 - "--entryPoints.websecure.forwardedHeaders.trustedIPs=127.0.0.1/32,10.0.0.0/8"
+%{ if traefik_acme_tls ~}
+ - "--certificatesresolvers.le.acme.httpchallenge=true"
+ - "--certificatesresolvers.le.acme.httpchallenge.entrypoint=web"
+ - "--certificatesresolvers.le.acme.email=${traefik_acme_email}"
+ - "--certificatesresolvers.le.acme.storage=/data/acme.json"
+%{ endif ~}
\ No newline at end of file
diff --git a/terraform.tfvars.example b/terraform.tfvars.example
index 6cf5b54..15d500b 100644
--- a/terraform.tfvars.example
+++ b/terraform.tfvars.example
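Review bot: The added `--certificatesresolvers.le.acme.storage=/data/acme.json` line stores the ACME account key and every issued certificate's private key in a file whose backing volume this hunk does not show; if `/data` in the surrounding manifest (the `spec:` and args list begin outside the hunk) is not persistent storage dedicated to Traefik, each pod restart re-registers and re-issues certificates and will run into Let's Encrypt rate limits, and the file is expected to be mode 0600 and readable only by the Traefik process. Declaring the resolver alone requests no certificate: nothing in the hunk binds `le` to an entrypoint or router, so if the intent is default TLS on `websecure` the same `%{ if }` block needs `- "--entryPoints.websecure.http.tls.certResolver=le"`, otherwise each router must set `tls.certresolver=le`. The email is interpolated unescaped into a YAML double-quoted scalar on the `acme.email=${traefik_acme_email}` line, so a value containing `"` or `\` breaks the rendered manifest; since the variable's default in variables.tf is `false`, enabling `traefik_acme_tls` without setting an email appears to register the account with the literal address `false` — a validation on the variable (see the variables.tf note) is the cleaner guard.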
@@ -25,3 +25,7 @@ agents_num = 2
 # that is probably the more "vanilla" option to keep these components always updated.
 # hetzner_ccm_containers_latest = true
 # hetzner_csi_containers_latest = true
+
+# If you want to use letsencrypt with tls Challenge, the email address is used to send you certificates expiration notices
+# traefik_acme_tls = true
+# traefik_acme_email = "mail@example.com"
diff --git a/variables.tf b/variables.tf
index 51dc3bd..3aa4598 100644
--- a/variables.tf
+++ b/variables.tf
@@ -78,3 +78,16 @@ variable "hetzner_csi_containers_latest" {
 default = false
 description = "Whether to kustomize the Hetzner CSI manifest with the latest or canary tags for containers"
 }
+
+variable "traefik_acme_tls" {
+ type = bool
+ default = false
+ description = "Wheter to include the TLS configuration with the Traefik configuration"
+}
+
+variable "traefik_acme_email" {
+ type = string
+ default = false
+ description = "Email used to recieved expiration notice for certificate"
+}
+
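Review bot: The new comment says "letsencrypt with tls Challenge", but the template this commit adds enables `httpchallenge` on the `web` entrypoint, which is the HTTP-01 challenge and requires port 80 to be reachable from the internet; operators who read "TLS challenge" may firewall port 80 and get no certificate. Suggested wording: `# Let's Encrypt via the HTTP-01 challenge on the "web" entrypoint (port 80 must be reachable from the internet); the email receives certificate expiration notices`.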
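Review bot: `traefik_acme_email` is declared `type = string` with `default = false`, so enabling `traefik_acme_tls` without setting an email hands the template the string rendering of that bool rather than failing (Terraform converts the default to the declared type instead of rejecting it — worth confirming on the version pinned here); a `null` default plus a `validation` block makes the missing or malformed address fail at plan time instead of at ACME registration. The two descriptions also have typos ("Wheter", "recieved"), and `traefik_acme_tls` controls a Let's Encrypt HTTP-01 certificate resolver rather than "the TLS configuration", which the description could say so operators know what the flag actually switches on. Rewritten declarations below; `traefik_acme_tls` changes only in its description.
```hcl
variable "traefik_acme_tls" {
  type        = bool
  default     = false
  description = "Whether to add a Let's Encrypt ACME (HTTP-01) certificate resolver to the Traefik configuration"
}

variable "traefik_acme_email" {
  type        = string
  default     = null
  description = "Email address registered with the ACME account; receives certificate expiration notices"

  validation {
    condition     = var.traefik_acme_email == null || can(regex("^[^@]+@[^@]+$", var.traefik_acme_email))
    error_message = "traefik_acme_email must be an email address when set."
  }
}
```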