You can use an ACME server to issue certificates to your cluster dynamically, but on-premises environments require some additional steps.
When using cloud providers such as AWS, your ClusterIssuer creates solvers that are configured to route through the Kommander Traefik instance with the following annotation:
traefik.ingress.kubernetes.io/router.priority: "2147483647"
This annotation is not created in on-premises environments, so we must instead add the annotation:
traefik.ingress.kubernetes.io/router.tls: "true"
You can add this annotation directly to the Ingress object that the ClusterIssuer creates as part of the ACME challenge process, but a better solution is to edit the ClusterIssuer itself so that it always adds this annotation for you:
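apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  # Kubernetes object names must be lowercase DNS-1123 names, so "acmeServer" would be rejected.
  name: acme-server
spec:
  acme:
    email: user@local
    server: https://acme-server.local/acme/acme/directory
    # Secret that stores the ACME account private key
    privateKeySecretRef:
      name: acme-server-issuer-key
    solvers:
    - http01:
        ingress:
          # Metadata copied onto every solver Ingress created for an HTTP-01 challenge
          ingressTemplate:
            metadata:
              annotations:
                kubernetes.io/ingress.class: kommander-traefik
                traefik.ingress.kubernetes.io/router.tls: "true"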
By adding the annotations to the ClusterIssuer object's ingressTemplate, we ensure that every Ingress object it creates for an ACME challenge also carries these annotations. You can add any other custom annotations required for your ingress solution in the same way.
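To confirm that every HTTP-01 solver carries the annotations described above, the following check walks ClusterIssuer objects and reports any solver whose ingressTemplate lacks them. It is an added example, not code from the original article or from cert-manager; it assumes input shaped like the output of `kubectl get clusterissuer -o json`, and the issuer names in the sample are constructed.

```python
# Annotations the article places in the solver ingressTemplate for on-premises clusters.
REQUIRED = {
    "kubernetes.io/ingress.class": "kommander-traefik",
    "traefik.ingress.kubernetes.io/router.tls": "true",
}

def audit_issuers(doc, required=REQUIRED):
    """Return (issuer, solver_index, problems) for each http01 ingress solver lacking an annotation."""
    items = doc["items"] if doc.get("kind") == "List" else [doc]
    findings = []
    for issuer in items:
        if issuer.get("kind") != "ClusterIssuer":
            continue
        name = issuer.get("metadata", {}).get("name", "<unnamed>")
        solvers = (issuer.get("spec", {}).get("acme") or {}).get("solvers") or []
        for idx, solver in enumerate(solvers):
            ingress = (solver.get("http01") or {}).get("ingress")
            if ingress is None:
                continue  # dns01 or other non-ingress solver: nothing to annotate
            template = ingress.get("ingressTemplate") or {}
            annotations = (template.get("metadata") or {}).get("annotations") or {}
            problems = sorted(
                f"{key}: expected {want!r}, found {annotations.get(key)!r}"
                for key, want in required.items() if annotations.get(key) != want
            )
            if problems:
                findings.append((name, idx, problems))
    return findings

def _issuer(name, solvers):
    """Build a minimal ClusterIssuer dict for the constructed sample."""
    return {"kind": "ClusterIssuer", "metadata": {"name": name},
            "spec": {"acme": {"solvers": solvers}}}

def _http01(annotations):
    return {"http01": {"ingress": {"ingressTemplate": {"metadata": {"annotations": annotations}}}}}

# Constructed sample: one compliant issuer, one missing router.tls plus a dns01 solver.
SAMPLE = {"kind": "List", "items": [
    _issuer("acme-server", [_http01(dict(REQUIRED))]),
    _issuer("acme-server-no-tls", [
        _http01({"kubernetes.io/ingress.class": "kommander-traefik"}),
        {"dns01": {}},
    ]),
]}

if __name__ == "__main__":
    for finding in audit_issuers(SAMPLE):
        print(finding)
```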