Hi,
I'm trying to set up Traefik in my Kubernetes cluster using the official Helm charts and want to use Kubernetes Gateway to do this. However, I can't seem to figure out how to make it work with the Let's Encrypt integration.
I've configured it with the following values and created a fallback self-signed certificate to put in certificateRefs, since Traefik wouldn't start otherwise. However, now that's the only cert being served and no requests to issue certs are happening:
```yaml
gateway:
  listeners:
    web:
      port: 8000
      protocol: HTTP
      namespacePolicy: All
    websecure:
      port: 8443
      protocol: HTTPS
      namespacePolicy: All
      certificateRefs:
        - name: traefik-tls
          namespace: traefik
      mode: Terminate
ports:
  websecure:
    http3:
      enabled: true
persistence:
  enabled: true
  existingClaim: acme-pvc
deployment:
  initContainers:
    - name: volume-permissions
      image: busybox:latest
      command: ["sh", "-c", "ls -la /; touch /data/acme.json; chmod -v 600 /data/acme.json"]
      volumeMounts:
        - mountPath: /data
          name: data
podSecurityContext:
  fsGroup: 65532
  fsGroupChangePolicy: "OnRootMismatch"
providers:
  kubernetesGateway:
    enabled: true
certificatesResolvers:
  letsencrypt:
    acme:
      email: email@example.com
      storage: /data/acme.json
      tlsChallenge: {}
      keyType: EC384
```
I get the following logs:
```
2025-02-06T21:26:08Z INF Traefik version 3.3.2 built on 2025-01-14T15:52:24Z version=3.3.2
2025-02-06T21:26:08Z INF Stats collection is enabled.
2025-02-06T21:26:08Z INF Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.
2025-02-06T21:26:08Z INF Help us improve Traefik by leaving this feature on :)
2025-02-06T21:26:08Z INF More details on: https://doc.traefik.io/traefik/contributing/data-collection/
2025-02-06T21:26:08Z INF Label selector is: "" providerName=kubernetesgateway
2025-02-06T21:26:08Z INF Creating in-cluster Provider client endpoint= providerName=kubernetesgateway
2025-02-06T21:26:08Z INF Starting provider aggregator *aggregator.ProviderAggregator
2025-02-06T21:26:08Z INF Starting provider *traefik.Provider
2025-02-06T21:26:08Z INF Starting provider *acme.ChallengeTLSALPN
2025-02-06T21:26:08Z INF Starting provider *acme.Provider
2025-02-06T21:26:08Z INF Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme
2025-02-06T21:26:08Z INF Starting provider *ingress.Provider
2025-02-06T21:26:08Z INF ingress label selector is: "" providerName=kubernetes
2025-02-06T21:26:08Z INF Creating in-cluster Provider client providerName=kubernetes
2025-02-06T21:26:08Z INF Starting provider *crd.Provider
2025-02-06T21:26:08Z INF label selector is: "" providerName=kubernetescrd
2025-02-06T21:26:08Z INF Creating in-cluster Provider client providerName=kubernetescrd
2025-02-06T21:26:08Z INF Starting provider *gateway.Provider
```
And I have set up an HTTPRoute like this:
```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: service-https
  namespace: default
spec:
  parentRefs:
    - name: traefik-gateway
      sectionName: websecure
      kind: Gateway
      namespace: traefik
  hostnames:
    - subdomain.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: service
          port: 80
```
What am I missing here, or is this approach not possible?