cert-manager

Provision TLS Certificate for Traefik Proxy with cert-manager on Kubernetes

Pre-requisites

To obtain certificates from cert-manager that can be used in Traefik Proxy, you will need to:

  1. Have cert-manager properly configured
  2. Have Traefik Proxy configured

The certificates can then be used in an Ingress / IngressRoute / HTTPRoute.

Example with ACME and HTTP challenge

ACME issuer for HTTP challenge

Issuer

```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: acme
spec:
  acme:
    # Production server is on https://acme-v02.api.letsencrypt.org/directory
    # Use staging by default.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: acme
    solvers:
      - http01:
          ingress:
            ingressClassName: traefik
```

Certificate

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: whoami
  namespace: traefik
spec:
  secretName: domain-tls # <=== Name of secret where the generated certificate will be stored.
  dnsNames:
    - "domain.example.com"
  issuerRef:
    name: acme
    kind: Issuer
```

Let's now see how to use it with the various Kubernetes providers of Traefik Proxy. The enabled providers are listed on the Traefik Proxy dashboard and in the INFO logs when Traefik Proxy starts.

With an Ingress

To use this certificate with an Ingress, the Kubernetes Ingress provider has to be enabled.

Info

This provider is enabled by default in the Traefik Helm Chart.

Route with this Certificate

Ingress

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: domain
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  rules:
    - host: domain.example.com
      http:
        paths:
          - path: /
            pathType: Exact
            backend:
              service:
                name: domain-service
                port:
                  number: 80
  tls:
    - secretName: domain-tls # <=== Use the name defined in Certificate resource.
```

With an IngressRoute

To use this certificate with an IngressRoute, the Kubernetes CRD provider has to be enabled.

Info

This provider is enabled by default in the Traefik Helm Chart.

Route with this Certificate

IngressRoute

```yaml
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: domain
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`domain.example.com`)
      kind: Rule
      services:
        - name: domain-service
          port: 80
  tls:
    secretName: domain-tls # <=== Use the name defined in Certificate resource.
```

With an HTTPRoute

To use this certificate with an HTTPRoute, the Kubernetes Gateway provider has to be enabled.

Info

This provider is disabled by default in the Traefik Helm Chart.

Route with this Certificate

HTTPRoute

```yaml
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: domain-gateway
spec:
  gatewayClassName: traefik
  listeners:
    - name: websecure
      port: 8443
      protocol: HTTPS
      hostname: domain.example.com
      tls:
        certificateRefs:
          - name: domain-tls # <==== Use the name defined in Certificate resource.
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: domain
spec:
  parentRefs:
    - name: domain-gateway
  hostnames:
    - domain.example.com
  rules:
    - matches:
        - path:
            type: Exact
            value: /
      backendRefs:
        - name: domain-service
          port: 80
          weight: 1
```

Troubleshooting

There are multiple event sources available to investigate when using cert-manager:

  1. Kubernetes events in Certificate and CertificateRequest resources
  2. cert-manager logs
  3. Dashboard and/or (debug) logs from Traefik Proxy

The cert-manager documentation provides a detailed guide on how to troubleshoot a certificate request.
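A common cause of a route serving Traefik's default certificate instead of the cert-manager one is a reference mismatch: the route names a secret that no Certificate writes in that namespace, or a hostname the Certificate's dnsNames do not cover. The following static check, an added example that is not part of the Traefik or cert-manager documentation, walks a list of manifests (parsed into dicts; the sample set below is constructed and mirrors the resources on this page, with the Ingress intentionally applied to a different namespace than the Certificate) and reports every dangling or mismatched reference before you turn to the event sources above.

```python
import re
HOST_RULE = re.compile(r"Host\(`([^`]+)`\)")  # Traefik matcher syntax used in IngressRoute.match

def hostname_covered(host, dns_names):
    """True if a dnsNames entry matches host; '*.x' covers exactly one leftmost label."""
    first, _, rest = host.partition(".")
    return host in dns_names or bool(first and rest and f"*.{rest}" in dns_names)

def secret_refs(route):
    """Yield (secretNamespace or None, secretName, hosts) that a route relies on for TLS."""
    kind, spec = route["kind"], route["spec"]
    if kind == "Ingress":
        hosts = [r["host"] for r in spec.get("rules", []) if "host" in r]
        for t in spec.get("tls", []):
            yield None, t["secretName"], t.get("hosts", hosts)
    elif kind == "IngressRoute" and "secretName" in spec.get("tls", {}):
        hosts = [h for r in spec.get("routes", []) for h in HOST_RULE.findall(r.get("match", ""))]
        yield None, spec["tls"]["secretName"], hosts
    elif kind == "Gateway":  # a certificateRef may name another namespace (then a ReferenceGrant is needed)
        for lst in spec.get("listeners", []):
            for ref in lst.get("tls", {}).get("certificateRefs", []):
                yield ref.get("namespace"), ref["name"], [lst["hostname"]] if "hostname" in lst else []

def check(manifests):
    """Return findings; an empty list means every TLS secret reference resolves to a matching Certificate."""
    certs = {(m["metadata"].get("namespace", "default"), m["spec"]["secretName"]): m["spec"]["dnsNames"]
             for m in manifests if m["kind"] == "Certificate"}
    findings = []
    for m in (m for m in manifests if m["kind"] in ("Ingress", "IngressRoute", "Gateway")):
        ns, name = m["metadata"].get("namespace", "default"), f"{m['kind']}/{m['metadata']['name']}"
        for secret_ns, secret, hosts in secret_refs(m):
            key = (secret_ns or ns, secret)
            if key not in certs:
                findings.append(f"{name}: no Certificate in namespace {key[0]} writes secret {secret}")
            else:
                findings += [f"{name}: host {h} is not in dnsNames of {secret}"
                             for h in hosts if not hostname_covered(h, certs[key])]
    return findings

# Constructed manifests mirroring the page: the Certificate and an IngressRoute in namespace traefik,
# plus an Ingress applied to the default namespace, where no Certificate writes domain-tls.
MANIFESTS = [
    {"kind": "Certificate", "metadata": {"name": "whoami", "namespace": "traefik"},
     "spec": {"secretName": "domain-tls", "dnsNames": ["domain.example.com"]}},
    {"kind": "IngressRoute", "metadata": {"name": "domain", "namespace": "traefik"},
     "spec": {"routes": [{"match": "Host(`domain.example.com`)"}], "tls": {"secretName": "domain-tls"}}},
    {"kind": "Ingress", "metadata": {"name": "domain"},
     "spec": {"rules": [{"host": "domain.example.com"}], "tls": [{"secretName": "domain-tls"}]}},
]
```

Feed it the output of `kubectl get certificate,ingress,ingressroute,gateway -A -o json` (the `items` list) to run it against a live cluster; an empty result means the secret names and hostnames line up, so a remaining failure is on the issuer or solver side.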
