
How to use Let's Encrypt certificates with InfluxDB v2 on Azure Container Services


I'd like to deploy an instance of InfluxDB v2 in a Microsoft Azure Container Instance and use TLS server certificates issued by Let's Encrypt to protect the traffic. My problem is that the InfluxDB container image doesn't come with CertBot pre-installed, and I don't want to generate my own InfluxDB container image containing CertBot. Any good ideas on how to work around this issue?


Solution

  • You can use Traefik, it automatically issues and synchronizes the Let's Encrypt certificates. In order to use Traefik you need to deploy it as an Azure Container Instance. Besides that you have to create Azure file shares, one to upload Traefik's configuration files and another one for the Let's Encrypt certificate. For a more detailed explanation of how to deploy the container group and set up the file shares, see https://github.com/CarlaKlement/DocumentationExternalMonitoring.git.

    Traefik has two configuration files: the static and the dynamic configuration. In the static configuration the network entry points into Traefik are defined. This part of the static configuration should look like this:

    entryPoints:
      port80:
        address: ':80'
        http:
          redirections:
            entryPoint:
              to: port443
              scheme: https
              permanent: true

      port443:
        address: ':443'   # TLS entry point; must not reuse the port already bound by port80
        http:
          tls:
            certResolver: my-le-resolver   # must match the name under certificatesResolvers


    Next, you have to integrate the dynamic configuration:

    providers:
      file:
        directory: "/etc/traefik/dynamic"
        watch: true
    

    “directory” gives the file path to the dynamic configuration and “watch: true” allows Traefik to automatically watch for file changes. Additionally, you need to define the certificate resolvers, which are responsible for retrieving certificates from Let’s Encrypt:

    certificatesResolvers:
      my-le-resolver:
        acme:
          email: your@emailaddress.com
          storage: "/tmp/letsencrypt/acme.json"   # keep this on the mounted file share so it survives restarts
          certificatesDuration: 36   # in hours
          tlsChallenge: {}
          httpChallenge:
            entryPoint: port80
    

    At last, this is what your dynamic configuration should look like:

    http:
      routers:
        influxdb-ssl-router:
          entryPoints:
          - port443
          rule: host(`*insert your url here*`)
          service: influxdb-service
      services:
        influxdb-service:
          loadBalancer:
            servers:
            - url: http://localhost:8086/
    

    The router “influxdb-ssl-router” connects the incoming requests on the entry point port443 that match the rule "host(`insert your url here`)" to the service "influxdb-service", which is defined below it.
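    As an added consistency check (not part of the answer or of Traefik), the following Python cross-references a constructed copy of the static and dynamic configuration above: it reports an entry point bound to a port another entry point already uses, a certResolver that no certificatesResolvers entry defines, a redirect or router that points at an unknown entry point or service, and an httpChallenge entry point that is not the one listening on :80. The hostname and e-mail address are placeholders.

```python
# Constructed copy of the answer's Traefik configuration as Python dicts (so the
# check runs without PyYAML); the hostname and e-mail address are placeholders.
STATIC = {
    "entryPoints": {
        "port80": {"address": ":80", "http": {"redirections": {
            "entryPoint": {"to": "port443", "scheme": "https", "permanent": True}}}},
        "port443": {"address": ":443", "http": {"tls": {"certResolver": "my-le-resolver"}}}},
    "certificatesResolvers": {"my-le-resolver": {"acme": {
        "email": "ops@example.com", "storage": "/tmp/letsencrypt/acme.json",
        "httpChallenge": {"entryPoint": "port80"}}}}}
DYNAMIC = {"http": {
    "routers": {"influxdb-ssl-router": {"entryPoints": ["port443"],
                "rule": "Host(`influx.example.com`)", "service": "influxdb-service"}},
    "services": {"influxdb-service": {"loadBalancer": {
        "servers": [{"url": "http://localhost:8086/"}]}}}}}

def check_traefik(static, dynamic):
    """Return cross-reference problems between static and dynamic config ([] = consistent)."""
    problems, by_port = [], {}  # by_port: listen port -> entry point name
    eps = static.get("entryPoints", {})
    resolvers = static.get("certificatesResolvers", {})
    for name, ep in eps.items():
        port = ep.get("address", "").rsplit(":", 1)[-1]
        if port in by_port:  # two entry points cannot bind the same port
            problems.append(f"{name} and {by_port[port]} both listen on :{port}")
        by_port[port] = name
        http = ep.get("http", {})
        target = http.get("redirections", {}).get("entryPoint", {}).get("to")
        if target and target not in eps:
            problems.append(f"{name}: redirect target {target!r} is not an entry point")
        resolver = http.get("tls", {}).get("certResolver")
        if resolver and resolver not in resolvers:
            problems.append(f"{name}: certResolver {resolver!r} is not defined")
    for name, res in resolvers.items():  # HTTP-01 validation always arrives on port 80
        challenge_ep = res.get("acme", {}).get("httpChallenge", {}).get("entryPoint")
        if challenge_ep and by_port.get("80") != challenge_ep:
            problems.append(f"{name}: httpChallenge entryPoint {challenge_ep!r} is not on :80")
    dyn_http = dynamic.get("http", {})
    for name, router in dyn_http.get("routers", {}).items():
        for ep in router.get("entryPoints", []):
            if ep not in eps:
                problems.append(f"router {name}: unknown entryPoint {ep!r}")
        if router.get("service") not in dyn_http.get("services", {}):
            problems.append(f"router {name}: unknown service {router.get('service')!r}")
    return problems

if __name__ == "__main__":
    print(check_traefik(STATIC, DYNAMIC) or "static and dynamic configuration are consistent")
```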