3

I have a Kubernetes (v1.25.2) cluster running with cert-manager 1.11.0 and Traefik 2.9.6. For some services I want Let's Encrypt to auto sign certificates. For some reason, it feels nicer, to use IngressRoute instead of Ingress. I just can't get the IngressRoute to create the certificate.
Now, I have the a ClusterIssuer:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: my@email.com
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - http01:
          ingress:
            class: traefik

and, working, corresponding Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myapp-name-websecure
  annotations:
   cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: traefik
  rules:
    - host: my.host.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: linkingservice
                port:
                  number: 80
  tls:
    - hosts:
       - my.host.com
      secretName: some-secret-name-tls

This works, nice. Instead, with IngressRoute the base resource is this:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: myapp-other-name-websecure
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`other.host.com`)
      kind: Rule
      services:
        - name: linkingservice
          port: 80
  tls:
    # certResolver: ??? # resolve what? Doesn't link with the ClusterIssuer
    # issuerRef: ??? # doesn't exist (anymore)

Now, I've tried to:

  • just as for the Ingress to use the annotations: cert-manager.io/cluster-issuer: letsencrypt-prod. Which is being ignored
  • use the tls.certResolver, which doesn't work, because it doesn't exist. Should I create one? I expect The ClusterIssuer to create the certificate and secret, just as it does for Ingress.
  • I also saw the issuerRef as option in the tls section, but that doesn't appear to exist.

I thought I read that the IngressRoute is like a layer on top of the k8s default Ingress, so it should be something logical/similar

FYI: the ClusterIssuer and Ingress will also work for Nginx, when you replace the solvers.http01.ingress.class with nginx, likewise for the Ingress's spec.ingressClassName. (perhaps also without, but I can't test)

Danielson
  • 2,605
  • 2
  • 28
  • 51

1 Answers1

2

Now, I did find a way, but still feels like more work than should be necessary. The thing here is to create the Certificate and link that to the ClusterIssuer, that certificate then creates a Secret. This secret needs to be added to the spec.tls.secretName, like:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my.host.com-cert
spec:
  secretName: my.host.com-secret
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - my.host.com
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
spec:
...
  tls:
    secretName: my.host.com-secret

I've also tried for, certResolver. But the CertificateResolver from cert-manager was discontinued in v0.15.0; alternatively the CertificateRequest, but this was also discontinued in cert-manager version 0.9.0. The suggested way seems to be the previous described one.

I revisited the Traefik deployment values.yaml where I found there is a field with certResolvers, from their file:

certResolvers:
  letsencrypt:
    # for challenge options cf. https://doc.traefik.io/traefik/https/acme/
    email: email@example.com
    dnsChallenge:
      # also add the provider's required configuration under env
      # or expand then from secrets/configmaps with envfrom
      # cf. https://doc.traefik.io/traefik/https/acme/#providers
      provider: digitalocean
      # add futher options for the dns challenge as needed
      # cf. https://doc.traefik.io/traefik/https/acme/#dnschallenge
      delayBeforeCheck: 30
      resolvers:
        - 1.1.1.1
        - 8.8.8.8
    tlsChallenge: true
    httpChallenge:
      entryPoint: "web"
    # It has to match the path with a persistent volume
    storage: /data/acme.json

Which makes me wonder. If you set this up, then probably the:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
spec:
  tls:
    certResolver: letsencrypt

can work

Danielson
  • 2,605
  • 2
  • 28
  • 51