KubernetesCRD config for Cert-Manager

Hey,

For plain old Ingresses there is the possibility to configure the certificate for cert-manager without the need to define a Certificate resource manually:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: traefik
    cert-manager.io/cluster-issuer: letsencrypt-prod-traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  name: app
  namespace: app
spec:
  rules:
  - host: app.yourdomain.com
    http:
      paths:
      - backend:
          serviceName: app
          servicePort: 80
        path: /
  tls:
  - hosts:
    - app.yourdomain.com
    secretName: app-tls

Is this also possible for IngressRoute resources yet?

I found this in the documentation, but I'm not sure if I understand it correctly:

When using the Traefik Kubernetes CRD Provider, unfortunately Cert-Manager cannot yet interface directly with the CRDs. A workaround is to enable the Kubernetes Ingress provider to allow Cert-Manager to create ingress objects to complete the challenges. Please note that this still requires manual intervention to create the certificates through Cert-Manager, but once the certificates are created, Cert-Manager keeps them renewed.

see: Kubernetes IngressRoute - Traefik

Does this mean this is not possible (yet) and I have to create the Certificate resource manually? Is there an issue in the Traefik or CertManager issue tracker concerning this?

My current working setup looks like this:

apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: app.yourdomain.com-cert
  namespace: app
spec:
  commonName: app.yourdomain.com
  secretName: app.yourdomain.com-cert
  dnsNames:
    - app.yourdomain.com
  issuerRef:
    kind: ClusterIssuer
    name: letsencrypt-prod-traefik
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app
  namespace: app
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`app.yourdomain.com`)
      kind: Rule
      services:
        - kind: Service
          name: app
          port: 80
  tls:
    secretName: app.yourdomain.com-cert
    domains:
      - main: app.yourdomain.com

But I would really like to use an automatic way here, if possible.

When doing it this way I had the problem that the certificate could not be issued while the IngressRoute resource existed. Only after I deleted both and recreated the Certificate resource was the request successful, and I could create the IngressRoute again and have a working setup. But I'm a bit concerned now that this will again be an issue once the certificate runs out. Is this an issue? Or should this work (which would mean I did face another issue there)?

Thanks in advance!

Hello @razr

Would you please have a look at the example use case of Traefik Proxy and Cert Manager:

Here is the test repo of my teammate that seems to be helpful. Please let me know if that helps.

Hey @jakubhajek ,

I already had a look at that repo before. This is exactly the setup that I'm using right now.

In the cert-manager folder you see the certificates being created manually. That's basically what I want to get rid of (as it is working with Ingress resources).

Hey @razr,

Thanks for your answer. I will try to test it on my side. I will get back to you shortly.

Hi, have you gotten the automatic creation of certificates solved? I'm looking into the same thing.

regards, Felix

hello @fplanjer

Do you use IngressRouteCRD or Kubernetes Ingress?

I use IngressRouteCRD

Hello @fplanjer @razr

Thanks again for using Traefik. Please find the examples presenting how to easily integrate Traefik Proxy with Cert Manager.

  1. Kubernetes IngressRoute

In that case, you have to manually create another CRD resource from Cert Manager, a Certificate. It will create a secret containing the TLS certificate for the requested domain. Then in the IngressRoute resource you just refer to the newly created secret.

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: foo
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`foo.domain.com`)
      services:
        - kind: Service
          name: whoamiv1
          port: 80
  tls:
    secretName: foo
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: foo
spec:
  commonName: foo.domain.com
  secretName: foo
  issuerRef:
    name: cloudflare-issuer
    kind: ClusterIssuer
  dnsNames:
    - "foo.domain.com"

  2. Kubernetes Ingress

If you are using Ingress, you can use the annotation to indicate the cluster issuer resource and Traefik-specific annotations to configure the Ingress resource.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: cloudflare-issuer
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
  name: bar
spec:
  rules:
  - host: bar.domain.com
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: whoamiv1
            port:
              number: 80
  tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
  - hosts:
    - bar.domain.com
    secretName: bar

Please let me know if you have any other questions concerning that topic.

Thanks!
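Because the IngressRoute option above couples two hand-written resources, the Host() rule and the Certificate's secretName/dnsNames have to be kept in sync by hand, and a mismatch quietly leaves Traefik serving its default certificate. The following pre-deploy check is an added example, not code from the thread or from Traefik; it assumes the manifests have been loaded into dicts with yaml.safe_load, and the two sample manifests embedded in it are constructed.

```python
import re

# Constructed sample manifests, in the form yaml.safe_load returns them (not from the thread).
CERTIFICATE = {"kind": "Certificate", "metadata": {"name": "app-cert", "namespace": "app"},
               "spec": {"secretName": "app-tls", "commonName": "app.yourdomain.com",
                        "dnsNames": ["app.yourdomain.com"],
                        "issuerRef": {"kind": "ClusterIssuer", "name": "letsencrypt-prod-traefik"}}}
INGRESS_ROUTE = {"kind": "IngressRoute", "metadata": {"name": "app", "namespace": "app"},
                 "spec": {"entryPoints": ["websecure"], "tls": {"secretName": "app-tls"},
                          "routes": [{"kind": "Rule", "match": "Host(`app.yourdomain.com`)",
                                      "services": [{"kind": "Service", "name": "app", "port": 80}]}]}}
HOST_RE = re.compile(r"Host\(([^)]*)\)")

def route_hosts(rule):
    # Collect every host literal from a Traefik rule such as
    # Host(`a.example.com`) || Host(`b.example.com`, `c.example.com`)
    hosts = set()
    for args in HOST_RE.findall(rule):
        hosts.update(a.strip().strip("`'\"") for a in args.split(",") if a.strip())
    return hosts

def san_covers(san, host):
    # A wildcard covers exactly one label (RFC 6125): *.example.com matches
    # foo.example.com but not a.b.example.com or example.com itself.
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    label, _, rest = host.partition(".")
    return bool(label) and rest == san[2:]

def check_ingressroute(ingress_route, certificates):
    # Return problems found; an empty list means each Host() in the route is
    # covered by the Certificate that writes the secret the route references.
    meta, spec = ingress_route["metadata"], ingress_route["spec"]
    ns = meta.get("namespace", "default")
    ref = f"IngressRoute {ns}/{meta['name']}"
    secret = (spec.get("tls") or {}).get("secretName")
    if not secret:
        return [f"{ref}: no spec.tls.secretName, Traefik would serve its default certificate"]
    cert = next((c for c in certificates if c["spec"]["secretName"] == secret
                 and c["metadata"].get("namespace", "default") == ns), None)
    if cert is None:
        return [f"{ref}: no Certificate in namespace {ns} writes secret {secret!r}"]
    names = set(cert["spec"].get("dnsNames", [])) | ({cert["spec"].get("commonName")} - {None})
    problems = []
    for route in spec.get("routes", []):
        for host in sorted(route_hosts(route.get("match", ""))):
            if not any(san_covers(n, host) for n in names):
                problems.append(f"{ref}: host {host} not covered by Certificate {cert['metadata']['name']}")
    return problems
```

Run it over every IngressRoute and Certificate in a namespace before applying them; the same check also catches a Certificate whose dnsNames were edited without the matching route being updated.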

I was actually looking for a way that traefik will automatically request the certificate from the issuer. Or is that not possible when using a clusterissuer?

@fplanjer if you use IngressRoute you need to also create a Certificate resource to create a secret with the valid TLS certificate. There is no automatic integration for Traefik Kubernetes IngressRoute and Cert Manager, yet.