Automate Certificates with Let's Encrypt
In Traefik Hub API Gateway, Let's Encrypt certificates are generated using Certificates Resolvers. You can find more information about Certificates Resolvers on the Concepts page.
Configuring Non-Distributed ACME
To configure non-distributed ACME in Hub API Gateway, you need to create an ACME certificate resolver in the static configuration. This involves setting up the email, storage location, and challenge type.
With the following setup, each Hub API Gateway instance will handle its own certificates independently.
Static configuration:

```yaml
certificatesResolvers:
  my-resolver:
    acme:
      email: "[email protected]"
      storage: "/path/to/acme.json"
      httpChallenge:
        entryPoint: "web"
```

Ingress object:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls.certresolver: my-resolver
spec:
  rules:
    - host: my-domain.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: whoami
                port:
                  number: 80
```
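In the non-distributed setup, the `storage` file holds the ACME account key and the private key of every issued certificate. The following is an added example, not code from the Traefik Hub documentation: a small audit of that file which reports permissions wider than 0600 and certificates for hosts you did not expect. It assumes the Traefik-style `acme.json` layout shown in the comment and that Hub API Gateway expects mode 0600 as Traefik Proxy does; the script name `audit_acme.py` and the function `audit_acme_storage` are hypothetical.

```python
import json
import os
import stat
import sys


def audit_acme_storage(path, expected_hosts):
    """Return a list of findings for the ACME storage file at `path`."""
    findings = []

    # The file holds the ACME account key and each certificate's private key,
    # so any group/other permission bit is reported.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"mode {mode:04o} is too open, expected 0600")

    with open(path, encoding="utf-8") as fh:
        raw = fh.read()
    if not raw.strip():
        return findings  # empty file: no certificate issued yet

    # Assumed layout (Traefik-style acme.json, not confirmed by this page):
    # {resolver: {"Account": {...}, "Certificates": [
    #     {"domain": {"main": str, "sans": [str]}, "certificate": b64, "key": b64}]}}
    expected = {h.lower() for h in expected_hosts}
    for resolver, state in json.loads(raw).items():
        for cert in (state or {}).get("Certificates") or []:
            dom = cert.get("domain") or {}
            names = [dom.get("main")] + list(dom.get("sans") or [])
            for name in filter(None, names):
                if name.lower() not in expected:
                    findings.append(f"{resolver}: unexpected certificate for {name}")
    return findings


if __name__ == "__main__":
    # Usage: audit_acme.py /path/to/acme.json my-domain.example.com [more hosts]
    if len(sys.argv) < 3:
        sys.exit("usage: audit_acme.py STORAGE_FILE HOST [HOST ...]")
    results = audit_acme_storage(sys.argv[1], sys.argv[2:])
    for line in results:
        print("FINDING:", line)
    sys.exit(1 if results else 0)
```

The script exits non-zero when there is at least one finding, so it can gate a deployment or run as a periodic check on the volume that backs the storage path.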
Configuring Distributed ACME
For distributed ACME, you need to specify the distributed ACME certificate resolver in the static configuration. It involves setting up the email, storage and challenge type.
The storage defines the backend where certificates and ongoing challenges are persisted.
With the following setup, all Hub API Gateway instances will share the same certificate data stored in Kubernetes.
Static configuration:

```yaml
certificatesResolvers:
  my-resolver:
    distributedAcme:
      email: "[email protected]"
      storage:
        kubernetes: {}
      httpChallenge:
        entryPoint: "web"
```

Ingress object:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: whoami
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls.certresolver: my-resolver
spec:
  rules:
    - host: my-domain.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: whoami
                port:
                  number: 80
```
The options to set an advanced configuration are described in the reference page.
Related Content
- Learn more about Certificates Resolvers in the dedicated section.
- See the full options in the dedicated section.
- See how to secure your API by generating Tailscale TLS certificates.
- See how to secure your API by providing TLS certificates to Hub API Gateway.