Use PVC for Traefik ACME data

env.yaml.bash

@@ -13,6 +13,7 @@ networking:
 
 contact:
   letsEncryptEmail: ops@example.com  # FIXME
+  letsEncryptProductionEnabled: false
 
 metallb:
   secretkey: "$(pwgen -s 256 1)"

k8s/riju.yaml

@@ -119,6 +119,3 @@ spec:
     - name: http
       port: 80
       targetPort: 6119
-
----
-kind: Ingress

k8s/traefik-config.in.yaml

@@ -15,19 +15,27 @@ data:
           tls: true
       healthcheck:
         address: ":9000/tcp"
+      metrics:
+        address: ":9100/tcp"
       docker:
         address: ":31000/tcp"
         http:
           tls: true
     ping:
       entryPoint: "healthcheck"
+    metrics:
+      prometheus:
+        entryPoint: "metrics"
     providers:
       kubernetescrd: true
       kubernetesingress: true
     certificatesResolvers:
       riju:
         acme:
+          {{- if not .contact.letsEncryptProductionEnabled }}
+          caServer: https://acme-staging-v02.api.letsencrypt.org/directory
+          {{- end }}
           email: "{{ .contact.letsEncryptEmail }}"
-          storage: acme.json
+          storage: /data/acme.json
           httpChallenge:
             entryPoint: http

k8s/traefik.yaml

@@ -1,8 +1,21 @@
 # Based on traefik/traefik helm chart 20.8.0 for traefik v2.9.6
 
 ---
-apiVersion: apps/v1
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  namespace: traefik
+  name: traefik-data
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 128Mi
+  storageClassName: openebs-hostpath
+
+---
 kind: Deployment
+apiVersion: apps/v1
 metadata:
   namespace: traefik
   name: traefik
@@ -83,7 +96,8 @@ spec:
           configMap:
             name: traefik-config
         - name: data
-          emptyDir: {}
+          persistentVolumeClaim:
+            claimName: traefik-data
         - name: tmp
           emptyDir: {}
       securityContext: