For plain old Ingresses there is the possibility to configure the certificate for cert-manager without the need to define a Certificate resource manually:
- host: app.yourdomain.com
Is this also possible for IngressRoute resources yet?
I found this in the documentation, but I'm not sure if I understand it correctly:
When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot yet interface directly with the CRDs. A workaround is to enable the Kubernetes Ingress provider to allow Cert-Manager to create ingress objects to complete the challenges. Please note that this still requires manual intervention to create the certificates through Cert-Manager, but once the certificates are created, Cert-Manager keeps them renewed.
see: Kubernetes IngressRoute - Traefik
Does this mean this is not possible (yet) and I have to create the Certificate resource manually? Is there an issue in the Traefik or CertManager issue tracker concerning this?
My current working setup looks like this:
- match: Host(`app.yourdomain.com`)
- kind: Service
- main: app.yourdomain.com
But I would really like to use an automatic way here, if possible.
When doing it this way I had the problem that the certificate could not be issued while the IngressRoute resource existed. Only after I deleted both and recreated the Certificate resource was the request successful, and I could create the IngressRoute again and have a working setup. But I'm a bit concerned now that this will again be an issue once the certificate runs out. Is this an issue? Or should this work (which would mean I did face another issue there)?
Thanks in advance!
Would you please have a look at the example use case of Traefik Proxy and Cert Manager:
Here is the test repo of my teammate that seems to be helpful. Please let me know if that helps.
Hey @jakubhajek ,
I already had a look at that repo before. This is exactly the setup that I'm using right now.
In the cert-manager folder you see the certificates being created manually. That's basically what I want to get rid of (as it is working with Ingress resources).
Thanks for your answer. I will try to test it on my side. I will get back to you shortly.
Hi, have you gotten the automatic creation of certificates solved? I'm looking into the same thing.
Do you use IngressRouteCRD or Kubernetes Ingress?
Hello @fplanjer @razr
Thanks again for using Traefik. Please find the examples presenting how to easily integrate Traefik Proxy with Cert Manager.
- Kubernetes IngressRoute
In that case, you have to manually create another CRD resource from Cert Manager, Certificate - it will create a secret containing the TLS certificate for the requested domain. Then in the IngressRoute resource you are just referring to the newly created secret.
- kind: Rule
- kind: Service
- Kubernetes Ingress
If you are using Ingress, you can use the annotation to indicate the cluster issuer resources and Traefik-specific annotations to configure the Ingress resource.
- host: bar.domain.com
- pathType: Prefix
tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
Please let me know if you have any other questions concerning that topic.
I was actually looking for a way that Traefik will automatically request the certificate from the issuer. Or is that not possible when using a ClusterIssuer?
@fplanjer if you use IngressRoute you also need to create a Certificate resource to create a secret with the valid TLS certificate. There is no automatic integration for Traefik Kubernetes IngressRoute and Cert Manager, yet.
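The manual setup described in this thread, written out as an added example that is not taken from any of the posts or from the linked repo: a cert-manager Certificate that produces the TLS secret, and an IngressRoute that only references that secret. The namespace, the ClusterIssuer name `letsencrypt-prod`, the secret name `app-tls`, the Service `app` on port 80 and the entry point `websecure` are assumptions.

```yaml
# Added example (not from the thread). Assumed names: namespace "default",
# ClusterIssuer "letsencrypt-prod", Secret "app-tls", Service "app" on port 80,
# Traefik entry point "websecure".
---
# 1) Created by hand: cert-manager requests the certificate from the issuer,
#    writes it to the Secret named in secretName and keeps it renewed.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: app-tls
  namespace: default
spec:
  secretName: app-tls            # Secret that Traefik will read
  dnsNames:
    - app.yourdomain.com         # ends up in the certificate's subjectAltNames
  issuerRef:
    name: letsencrypt-prod       # assumed ClusterIssuer name
    kind: ClusterIssuer
---
# 2) The IngressRoute does not request anything from cert-manager;
#    it only points at the Secret created above.
# Older Traefik v2 releases use apiVersion traefik.containo.us/v1alpha1.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: app
  namespace: default             # must be the namespace that holds the Secret
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`app.yourdomain.com`)
      kind: Rule
      services:
        - kind: Service
          name: app
          port: 80
  tls:
    secretName: app-tls          # same value as Certificate.spec.secretName
```

`kubectl get certificate app-tls -n default` shows `READY True` once issuance has succeeded and the secret exists.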