Kubernetes Gateway with Let's Encrypt not working?

Traefik Traefik v3 (latest)
,
1

Hi,

I'm trying to set up traefik in my kubernetes cluster using the official Helm charts and want to use Kubernetes Gateway to do this, however, I can't seem to figure out how to make it work with the Lets Encrypt integration.

I've configured it with the following values, and created a fallback self-signed certificate to put in certificateRefs since traefik wouldn't start otherwise, however now that's the only cert being served and no requests to issue certs are happening

    gateway:
      listeners:
        web:
          port: 8000
          protocol: HTTP
          namespacePolicy: All
        websecure:
          port: 8443
          protocol: HTTPS
          namespacePolicy: All
          certificateRefs:
            - name: traefik-tls
              namespace: traefik
          mode: Terminate
    ports:
      websecure:
        http3:
          enabled: true
    persistence:
      enabled: true
      existingClaim: acme-pvc
    deployment:
      initContainers:
        - name: volume-permissions
          image: busybox:latest
          command: ["sh", "-c", "ls -la /; touch /data/acme.json; chmod -v 600 /data/acme.json"]
          volumeMounts:
          - mountPath: /data
            name: data
    podSecurityContext:
      fsGroup: 65532
      fsGroupChangePolicy: "OnRootMismatch"
    providers:
      kubernetesGateway:
        enabled: true
    certificatesResolvers:
      letsencrypt:
        acme:
          email: email@example.com
          storage: /data/acme.json
          tlsChallenge: {}
          keyType: EC384

I get the following logs:

2025-02-06T21:26:08Z INF Traefik version 3.3.2 built on 2025-01-14T15:52:24Z version=3.3.2
2025-02-06T21:26:08Z INF Stats collection is enabled.
2025-02-06T21:26:08Z INF Many thanks for contributing to Traefik's improvement by allowing us to receive anonymous information from your configuration.
2025-02-06T21:26:08Z INF Help us improve Traefik by leaving this feature on :)
2025-02-06T21:26:08Z INF More details on: https://doc.traefik.io/traefik/contributing/data-collection/
2025-02-06T21:26:08Z INF Label selector is: "" providerName=kubernetesgateway
2025-02-06T21:26:08Z INF Creating in-cluster Provider client endpoint= providerName=kubernetesgateway
2025-02-06T21:26:08Z INF Starting provider aggregator *aggregator.ProviderAggregator
2025-02-06T21:26:08Z INF Starting provider *traefik.Provider
2025-02-06T21:26:08Z INF Starting provider *acme.ChallengeTLSALPN
2025-02-06T21:26:08Z INF Starting provider *acme.Provider
2025-02-06T21:26:08Z INF Testing certificate renew... acmeCA=https://acme-v02.api.letsencrypt.org/directory providerName=letsencrypt.acme
2025-02-06T21:26:08Z INF Starting provider *ingress.Provider
2025-02-06T21:26:08Z INF ingress label selector is: "" providerName=kubernetes
2025-02-06T21:26:08Z INF Creating in-cluster Provider client providerName=kubernetes
2025-02-06T21:26:08Z INF Starting provider *crd.Provider
2025-02-06T21:26:08Z INF label selector is: "" providerName=kubernetescrd
2025-02-06T21:26:08Z INF Creating in-cluster Provider client providerName=kubernetescrd
2025-02-06T21:26:08Z INF Starting provider *gateway.Provider

And have set up a HTTPRoute like this:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: service-https
  namespace: default
spec:
  parentRefs:
    - name: traefik-gateway
      sectionName: websecure
      kind: Gateway
      namespace: traefik
  hostnames:
    - subdomain.example.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
          - name: service
            port: 80

What am I missing here, or is this approach not possible?