acme: add external account binding support.

2020-12-01 10:40:05 +01:00 · 2020-12-01 10:40:05 +01:00 · a488430f23
commit a488430f23
parent b5db753e11
6 changed files with 96 additions and 21 deletions
--- a/docs/content/https/acme.md
+++ b/docs/content/https/acme.md
@ -10,7 +10,7 @@ You can configure Traefik to use an ACME provider (like Let's Encrypt) for autom

    Use Let's Encrypt staging server with the [`caServer`](#caserver) configuration option
    when experimenting to avoid hitting this limit too fast.
-    
+
 ## Certificate Resolvers

 Traefik requires you to define "Certificate Resolvers" in the [static configuration](../getting-started/configuration-overview.md#the-static-configuration), 
@ -408,6 +408,35 @@ certificatesResolvers:
 [ACME V2](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579) supports wildcard certificates.
 As described in [Let's Encrypt's post](https://community.letsencrypt.org/t/staging-endpoint-for-acme-v2/49605) wildcard certificates can only be generated through a [`DNS-01` challenge](#dnschallenge).

+## External Account Binding
+
+- `kid`: Key identifier from External CA
+- `hmacEncoded`: HMAC key from External CA, should be in Base64 URL Encoding without padding format
+
+```toml tab="File (TOML)"
+[certificatesResolvers.myresolver.acme]
+  # ...
+  [certificatesResolvers.myresolver.acme.eab]
+    kid = "abc-keyID-xyz"
+    hmacEncoded = "abc-hmac-xyz"
+```
+
+```yaml tab="File (YAML)"
+certificatesResolvers:
+  myresolver:
+    acme:
+      # ...
+      eab:
+        kid: abc-keyID-xyz
+        hmacEncoded: abc-hmac-xyz
+```
+
+```bash tab="CLI"
+# ...
+--certificatesresolvers.myresolver.acme.eab.kid=abc-keyID-xyz
+--certificatesresolvers.myresolver.acme.eab.hmacencoded=abc-hmac-xyz
+```
+
 ## More Configuration

 ### `caServer`
--- a/docs/content/reference/static-configuration/cli-ref.md
+++ b/docs/content/reference/static-configuration/cli-ref.md
@ -69,6 +69,12 @@ Use a DNS-01 based challenge provider rather than HTTPS.
 `--certificatesresolvers.<name>.acme.dnschallenge.resolvers`:  
 Use following DNS servers to resolve the FQDN authority.

+`--certificatesresolvers.<name>.acme.eab.hmacencoded`:  
+Base64 encoded HMAC key from External CA.
+
+`--certificatesresolvers.<name>.acme.eab.kid`:  
+Key identifier from External CA.
+
 `--certificatesresolvers.<name>.acme.email`:  
 Email address used for registration.

--- a/docs/content/reference/static-configuration/env-ref.md
+++ b/docs/content/reference/static-configuration/env-ref.md
@ -69,6 +69,12 @@ Use a DNS-01 based challenge provider rather than HTTPS.
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_DNSCHALLENGE_RESOLVERS`:  
 Use following DNS servers to resolve the FQDN authority.

+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_EAB_HMACENCODED`:  
+Base64 encoded HMAC key from External CA.
+
+`TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_EAB_KID`:  
+Key identifier from External CA.
+
 `TRAEFIK_CERTIFICATESRESOLVERS_<NAME>_ACME_EMAIL`:  
 Email address used for registration.

--- a/docs/content/reference/static-configuration/file.toml
+++ b/docs/content/reference/static-configuration/file.toml
@ -103,7 +103,7 @@
    namespaces = ["foobar", "foobar"]
    labelSelector = "foobar"
    ingressClass = "foobar"
-    throttleDuration = "10s"
+    throttleDuration = "42s"
    [providers.kubernetesIngress.ingressEndpoint]
      ip = "foobar"
      hostname = "foobar"
@ -251,9 +251,6 @@
    addEntryPointsLabels = true
    addServicesLabels = true

-[pilot]
-  token = "foobar"
-
 [ping]
  entryPoint = "foobar"
  manualRouting = true
@ -343,6 +340,9 @@
      preferredChain = "foobar"
      storage = "foobar"
      keyType = "foobar"
+      [certificatesResolvers.CertificateResolver0.acme.eab]
+        kid = "foobar"
+        hmacEncoded = "foobar"
      [certificatesResolvers.CertificateResolver0.acme.dnsChallenge]
        provider = "foobar"
        delayBeforeCheck = 42
@ -358,6 +358,9 @@
      preferredChain = "foobar"
      storage = "foobar"
      keyType = "foobar"
+      [certificatesResolvers.CertificateResolver1.acme.eab]
+        kid = "foobar"
+        hmacEncoded = "foobar"
      [certificatesResolvers.CertificateResolver1.acme.dnsChallenge]
        provider = "foobar"
        delayBeforeCheck = 42
@ -367,6 +370,9 @@
        entryPoint = "foobar"
      [certificatesResolvers.CertificateResolver1.acme.tlsChallenge]

+[pilot]
+  token = "foobar"
+
 [experimental]
  [experimental.plugins]
    [experimental.plugins.Descriptor0]
--- a/docs/content/reference/static-configuration/file.yaml
+++ b/docs/content/reference/static-configuration/file.yaml
@ -270,8 +270,6 @@ metrics:
    password: foobar
    addEntryPointsLabels: true
    addServicesLabels: true
-pilot:
-  token: foobar
 ping:
  entryPoint: foobar
  manualRouting: true
@ -358,6 +356,9 @@ certificatesResolvers:
      preferredChain: foobar
      storage: foobar
      keyType: foobar
+      eab:
+        kid: foobar
+        hmacEncoded: foobar
      dnsChallenge:
        provider: foobar
        delayBeforeCheck: 42
@ -375,6 +376,9 @@ certificatesResolvers:
      preferredChain: foobar
      storage: foobar
      keyType: foobar
+      eab:
+        kid: foobar
+        hmacEncoded: foobar
      dnsChallenge:
        provider: foobar
        delayBeforeCheck: 42
@ -385,6 +389,8 @@ certificatesResolvers:
      httpChallenge:
        entryPoint: foobar
      tlsChallenge: {}
+pilot:
+  token: foobar
 experimental:
  plugins:
    Descriptor0: