Gateway API with TLS support for a HTTPRoute

Trying to get TLS support for an HTTPRoute with the gateway-api. There are a couple of questions and discussions like

A couple of sections are outdated (like the sectionName is no longer https but websecure, and a couple of values.yaml changes) but easy to transform, but the general idea does not scale in my head (as of right now).

I deploy traefik with gateway support (including experimental, which fulfills the 1.4.0 gw api spec?) via:

ingressClass:
  enabled: true
  isDefaultClass: false
  name: traefik-external

providers:
  kubernetesCRD:
    enabled: true
    allowCrossNamespace: true
  kubernetesIngress:
    enabled: true
    ingressClass: traefik-external
  kubernetesIngressNginx:
    enabled: false
    #controllerClass: "k8s.io/${name}-ingress-nginx"
    #ingressClass: "${ingressClassName}"
    #ingressClassByName: true
  kubernetesGateway:
    enabled: true
    experimentalChannel: true

experimental:
  kubernetesGateway:
    enabled: true

gateway:
  enabled: true
  annotations:
    "cert-manager.io/cluster-issuer": "le"
  listeners:
    web:
      port: 8000
      # see https://gateway-api.sigs.k8s.io/reference/spec/#fromnamespaces
      namespacePolicy:
        from: "All"
    websecure:
      # see https://gateway-api.sigs.k8s.io/reference/spec/#fromnamespaces
      namespacePolicy:
        from: "All"
      port: 8443
      protocol: HTTPS
      # see https://gateway-api.sigs.k8s.io/reference/spec/#gatewaytlsconfig
      certificateRefs:
        - name: default-gateway-api-tls
          namespace: default
      # see https://gateway-api.sigs.k8s.io/reference/spec/#tlsmodetype
      mode: "Terminate"

gatewayClass:
  name: traefik-external

certificatesResolvers:
  via_acme:
    .....

envFrom:
  - secretRef:
      name: cloudflare-apitoken

And a HTTPRoute

spec:
  hostnames:
    - redacted-public-tld-domain.tld
  parentRefs:
    - group: gateway.networking.k8s.io
      kind: Gateway
      name: traefik-gateway
      namespace: traefik-external
      sectionName: websecure
  rules:
    - backendRefs:
        - group: ''
          kind: Service
          name: whatsmyip
          namespace: whatsmyip-external
          port: 8080
          weight: 1
      filters: []
      matches:
        - path:
            type: PathPrefix
            value: /
      name: default

To enable TLS support I planned 2 ways, and I currently do not mind which one works out

a) Via cert-manager, thus I deployed the latest cert-manager chart with

securityContext:
  fsGroup: 1000
  runAsUser: 1000
  runAsNonRoot: true
podDnsConfig:
  nameservers:
    - "1.1.1.1"
    - "2.2.2.2"
installCRDs: true
replicaCount: 1
extraArgs:
  - --dns01-recursive-nameservers-only
  - --dns01-recursive-nameservers=1.1.1.1:53
  - --cluster-resource-namespace=${namespace}
namespace: cert-manager

config:
  enableGatewayAPI: true

The cert-manager has DNS01 ACME support via CF.

I tried to create default-gateway-api-tls in the default namespace manually using a self-signed cert via a cert-manager.io/v1 Certificate using a self-signed CA. The cert-manager created the secret, and I also let cert-manager do it itself using this

  annotations:
    "cert-manager.io/issuer": le
    "cert-manager.io/cluster-issuer": "le"

In the traefik chart

b) I configured a certificatesResolver within traefik.

Actual Problem / Questions

  1. The HTTPRoute does not show up in the dashboard and is not accessible - it is created as CRD without issues
  2. How should the cert-manager create the certificate for the http-route itself - it seems like in the examples the listener is adjusted so the hostname already matches “the one hostname” of the HTTPRoute - but I am not creating a listener per HTTPRoute or manually adjusting the listener every time I add a new application/HTTPRoute - this would never scale
  3. Is there a way to just use the traefik internal certificatesResolver for the gateways?

(When I add the HTTPRoute to the sectionName: web, thus non-TLS, I can access it just fine)

Edit:

Thanks for any help!

While I now understood that it is by design that certificates for a HTTPRoute have to be added via an entry in hostname (which yet is a scalar in traefik's values.yaml, not even an array) in the gateway definition, including a secret where the certificate is stored. One can also let the cert-manager create the certificate via the issuer/cluster-issuer annotations, but then one has to explicitly reconfigure the Gateway-Listener.

Thus I assume the current “idea” with the gateway-api when deployed via helm chart is to adjust the gateway.listeners every time one adds an app with a different domain, in addition to adding the HTTPRoute (I assume this maybe will be slightly different in the future with ListenerSets)

I understand this is how the gateway-api has been designed and is not a Traefik limitation. Though this means it seems it does not fit my needs. I'd rather stay with Traefik's CRD Middlewares + Ingress API, which lets me define the hostname within the IngressRoute and at the same time cares about getting the certificates.

I understand the ingress-api is now frozen after the sunset of nginx-ingress, but with the current API (and it is GA) and Traefik's middleware support I think one is set for a long long time without the need of any further implementation.
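For readers landing here with the same setup, the following is an added example (not part of the post above and not Traefik's or cert-manager's own documentation) of the "one HTTPS listener per hostname" model the post ends up describing, written as a plain Gateway manifest instead of chart values. Two things in it are worth checking against the post's configuration: the post's listener has no hostname, and cert-manager's Gateway API support only issues a certificate for listeners that carry both a hostname and a certificateRefs entry; and the post's certificateRefs points at a Secret in the default namespace while the Gateway lives in traefik-external, which the Gateway API only allows when the Secret's namespace publishes a ReferenceGrant. Assumptions made here: the chart-generated Gateway is turned off (gateway.enabled: false) and replaced by this one, and the listener name websecure-whatsmyip, the Secret name whatsmyip-tls and the ReferenceGrant name are invented for the example.

```yaml
# Added example, not from the original post. A hand-written Gateway with one
# HTTPS listener per public hostname, so cert-manager can issue one
# certificate per listener. Names marked "assumed" are made up for this example.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: traefik-gateway            # matches parentRefs[].name in the post's HTTPRoute
  namespace: traefik-external      # matches parentRefs[].namespace in the post
  annotations:
    # cert-manager creates a Certificate for every listener that has both a
    # hostname and a tls.certificateRefs entry naming a Secret.
    cert-manager.io/cluster-issuer: le
spec:
  gatewayClassName: traefik-external
  listeners:
    - name: web
      port: 8000
      protocol: HTTP
      allowedRoutes:
        namespaces:
          from: All
    # One HTTPS listener per hostname. Adding an application means adding a
    # listener here plus its HTTPRoute; the listener name is what the
    # HTTPRoute's parentRefs[].sectionName has to match.
    - name: websecure-whatsmyip    # assumed listener name
      hostname: redacted-public-tld-domain.tld
      port: 8443
      protocol: HTTPS
      allowedRoutes:
        namespaces:
          from: All
      tls:
        mode: Terminate
        certificateRefs:
          # Secret in the Gateway's own namespace: no ReferenceGrant needed,
          # and cert-manager writes the issued certificate into it.
          - kind: Secret
            name: whatsmyip-tls    # assumed Secret name
---
# Only needed if a listener keeps referencing a Secret in another namespace,
# as the post's certificateRefs does (namespace: default). Without a
# ReferenceGrant in the Secret's namespace the listener's ResolvedRefs
# condition goes False and the listener is not programmed.
apiVersion: gateway.networking.k8s.io/v1beta1
kind: ReferenceGrant
metadata:
  name: allow-traefik-gateway-tls  # assumed name
  namespace: default
spec:
  from:
    - group: gateway.networking.k8s.io
      kind: Gateway
      namespace: traefik-external
  to:
    - group: ""
      kind: Secret
      name: default-gateway-api-tls
```

With this Gateway in place, the post's HTTPRoute only needs its sectionName changed from websecure to websecure-whatsmyip; since allowedRoutes.namespaces.from is All, the route in whatsmyip-external attaches. The place to look when a route does not show up is status rather than the dashboard: `kubectl get gateway traefik-gateway -n traefik-external -o yaml` shows per-listener Accepted, Programmed and ResolvedRefs conditions (a rejected certificateRef surfaces there), and `kubectl get httproute -n whatsmyip-external whatsmyip -o yaml` shows under status.parents whether the parent Gateway accepted the route for that sectionName.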
