Traefik new default ingress: changes required to ClusterIssuer #5351

@lbruun

Summary

As of MicroK8s v1.35, Traefik is now the new default Ingress Controller.

I couldn't make it work with what the MicroK8s cert-manager guide tells me to do, namely to use the Ingress Class Name public.

Details

With the change as of MicroK8s v1.35 when you install the "ingress" addon you get Traefik, not NGINX.
Also, you'll notice that various Ingress Class Names exist, but they all point to the Traefik controller.

microk8s kubectl get ingressclass
NAME      CONTROLLER                      PARAMETERS   AGE
nginx     traefik.io/ingress-controller   <none>       4d14h
public    traefik.io/ingress-controller   <none>       4d14h
traefik   traefik.io/ingress-controller   <none>       4d14h

and as far as the ingressclass.kubernetes.io/is-default-class annotation goes, it looks like this:

ingressclass   value of annotation
nginx          <not present>
public         "true"
traefik        "false"

So, on the face of it, "nginx", "public" and "traefik" should be aliases for the same thing, but "public" being the default.

Now, with a ClusterIssuer that has a "solvers" section that looks as recommended, i.e.:

spec:
 acme:
   ...
   solvers:
   - http01:
       ingress:
         class: public

what happens is that cert-manager will create an Ingress for the temporary solver pod without any ingress class on it at all. (I guess it thinks it doesn't need to mention it, since it is the default, dunno).

However, an Ingress defined with no explicit IngressClass doesn't seem to be picked up by Traefik at all. The obvious consequence is that the ACME challenge will receive a 404 - Not found error message.

The fix (or workaround) is to change your ClusterIssuer, so that it uses traefik rather than public for the solver.

spec:
 acme:
   ...
   solvers:
   - http01:
       ingress:
         class: traefik

This immediately worked for me.

Thoughts

I like the idea of the more neutral name "public" that should make it irrelevant exactly which Ingress controller is in use. I use "public" explicitly on the application's Ingress definition and that works just fine, meaning that the Traefik controller picks it up.

Why Traefik doesn't pick up an Ingress with no explicitly defined ingress class name, I don't know.

And why cert-manager generates an Ingress for the temporary solver Pod with no explicit Ingress Class Name (when it was set to "public" in the ClusterIssuer), I also don't know and can't explain.

Reproduction Steps

  1. Install MicroK8s 1.35 from scratch. For example, on Ubuntu something like:

     snap install microk8s --classic --channel=1.35/stable
     microk8s start
     microk8s status --wait-ready
     microk8s enable dns
     microk8s enable ingress # as of v1.35 this provides Traefik, not Nginx
     microk8s enable cert-manager

  2. Follow MicroK8s documentation for cert-manager, i.e. set up a ClusterIssuer and test it with some Service and Ingress definition.

Other

I think there are places in the MicroK8s documentation where "nginx" should be replaced with "traefik".

  • The documentation for the "ingress" addon (found HERE) is now simply misleading.
  • The documentation for the "cert-manager" addon (found HERE) mentions "nginx" where it should be more generic.
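
A diagnostic for the symptom described in the issue above, as an added example that is not part of the original post or of MicroK8s: it lists Ingress objects that declare no class (neither `spec.ingressClassName` nor the legacy `kubernetes.io/ingress.class` annotation), declare one only through the annotation, or name a class that does not exist. The namespace and Ingress names in the sample data are constructed; the three IngressClass entries mirror the `kubectl get ingressclass` output quoted in the issue.

```python
LEGACY_ANNOTATION = "kubernetes.io/ingress.class"
DEFAULT_ANNOTATION = "ingressclass.kubernetes.io/is-default-class"

def declared_class(ingress):
    """Return (source, name) of the class an Ingress declares, or (None, None)."""
    name = (ingress.get("spec") or {}).get("ingressClassName")
    if name:
        return "spec", name
    name = (ingress["metadata"].get("annotations") or {}).get(LEGACY_ANNOTATION)
    return ("annotation", name) if name else (None, None)

def audit(ingress_list, class_list):
    """Flag Ingresses whose routing depends on default-class handling or a bad class."""
    known = {c["metadata"]["name"]: c["metadata"] for c in class_list["items"]}
    defaults = [n for n, m in known.items()
                if (m.get("annotations") or {}).get(DEFAULT_ANNOTATION) == "true"]
    findings = []
    for ing in ingress_list["items"]:
        meta = ing["metadata"]
        ident = f'{meta.get("namespace", "default")}/{meta["name"]}'
        source, name = declared_class(ing)
        if name is None:
            # Only served if the controller honours the default class.
            findings.append((ident, "no-class", ",".join(defaults) or "none"))
        elif name not in known:
            findings.append((ident, "unknown-class", name))
        elif source == "annotation":
            findings.append((ident, "legacy-annotation", name))
    return findings

# Constructed sample data in the shape of `kubectl get ... -o json` output.
SAMPLE_CLASSES = {"items": [
    {"metadata": {"name": "nginx"}},
    {"metadata": {"name": "public", "annotations": {DEFAULT_ANNOTATION: "true"}}},
    {"metadata": {"name": "traefik", "annotations": {DEFAULT_ANNOTATION: "false"}}},
]}
SAMPLE_INGRESSES = {"items": [
    {"metadata": {"namespace": "demo", "name": "app"},
     "spec": {"ingressClassName": "public"}},
    {"metadata": {"namespace": "demo", "name": "cm-acme-http-solver-example"}, "spec": {}},
    {"metadata": {"namespace": "demo", "name": "legacy",
                  "annotations": {LEGACY_ANNOTATION: "traefik"}}, "spec": {}},
    {"metadata": {"namespace": "demo", "name": "typo"},
     "spec": {"ingressClassName": "pubilc"}},
]}

if __name__ == "__main__":
    for ident, kind, detail in audit(SAMPLE_INGRESSES, SAMPLE_CLASSES):
        print(f"{ident}: {kind} ({detail})")
```

To run it against a cluster, load the output of `microk8s kubectl get ingress -A -o json` and `microk8s kubectl get ingressclass -o json` with `json.load` and pass both to `audit`.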
