Tailscale Certificates Resolver

Configuration Example

Static configuration

certificatesResolvers:
  my-resolver:
    tailscale: {}

Configuration Options

Field	Description	Default	Required
`tailscale`	Enable tailscale certificates resolver.		False

Domain Definition

A certificate resolver requests certificates for a set of domain names inferred from routers, according to the following:

If the IngressRoute has a tls.domains option set, then the certificate resolver derives this router domain name from the main option of tls.domains.
Otherwise, the certificate resolver derives the domain name from any Host() or HostSNI() matchers in the IngressRoute's rule.

Tailscale Domain Format

The domain is only taken into account if it is a Tailscale-specific one, i.e. of the form machine-name.domains-alias.ts.net.

Certificate Renewal

Traefik Hub API Gateway automatically tracks the expiry date of each Tailscale certificate. It fetches and starts to renew a certificate 14 days before its expiry to match the Tailscale daemon renewal policy.

Not used Certificates

Certificates that are no longer used may still be renewed, as Hub API Gateway does not currently check if the certificate is being used before renewing.

Configuration Example​

Configuration Options​

Domain Definition​

Certificate Renewal​

Configuration Example

Configuration Options

Domain Definition

Certificate Renewal