Automate Certificates with Tailscale
Provision TLS certificates for your internal Tailscale services using Traefik Hub API Gateway.
In addition to its VPN role, Tailscale can also provide certificates for machines in your Tailscale network.
Certificate resolvers
To obtain a TLS certificate from the Tailscale daemon, a Tailscale certificate resolver must be configured.
- Static configuration
- IngressRoute with automatic domain
- IngressRoute with provided domain
- Service & Deployment
YAML
certificatesResolvers:
  myresolver:
    tailscale: {}
YAML
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  namespace: apps
spec:
  entryPoints:
    - websecure
  routes:
    # Generate a certificate for monitoring.yak-bebop.ts.net
    - match: Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    certResolver: myresolver
YAML
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
  namespace: apps
spec:
  entryPoints:
    - websecure
  routes:
    - match: Path(`/metrics`)
      kind: Rule
      services:
        - name: whoami
          port: 80
  tls:
    certResolver: myresolver
    domains:
      - main: monitoring.yak-bebop.ts.net
YAML
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoami
  namespace: apps
spec:
  replicas: 3
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
---
apiVersion: v1
kind: Service
metadata:
  name: whoami
  namespace: apps
spec:
  ports:
    - port: 80
      name: whoami
  selector:
    app: whoami
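The two IngressRoute variants above differ only in where the resolver finds the domain: a Host() matcher in the rule, or tls.domains. The following added example (not part of the Traefik documentation) audits parsed IngressRoute manifests for routers that name a certResolver but give it no domain, or a domain outside the tailnet. The `.ts.net` suffix check, the function names `resolver_domains` and `audit`, and the sample manifests are assumptions made for illustration.

```python
import re

# Matches Host(`a`) and the multi-value form Host(`a`, `b`); not HostRegexp/HostSNI.
HOST_CALL = re.compile(r"\bHost\(([^)]*)\)")
QUOTED = re.compile(r"`([^`]+)`")

def resolver_domains(ingress_route):
    """Return the domains the certResolver is asked for, or None if none is set."""
    spec = ingress_route.get("spec") or {}
    tls = spec.get("tls") or {}
    if not tls.get("certResolver"):
        return None  # no resolver configured; nothing to audit
    # "Provided domain" variant: tls.domains is used instead of the rule.
    provided = [d["main"] for d in (tls.get("domains") or []) if d.get("main")]
    if provided:
        return provided
    # "Automatic domain" variant: names come from Host() matchers in each route.
    found = []
    for route in spec.get("routes") or []:
        for args in HOST_CALL.findall(route.get("match", "")):
            found.extend(QUOTED.findall(args))
    return found

def audit(ingress_route, tailnet_suffix=".ts.net"):
    """List routers with no resolvable domain or one outside tailnet_suffix (assumed)."""
    domains = resolver_domains(ingress_route)
    if domains is None:
        return []
    name = ingress_route["metadata"]["name"]
    if not domains:
        return [f"{name}: certResolver set but no Host() rule or tls.domains entry"]
    return [f"{name}: {d} is outside {tailnet_suffix}"
            for d in domains if not d.lower().endswith(tailnet_suffix)]

# Constructed manifests, shaped as a YAML parser would return them.
AUTOMATIC = {"metadata": {"name": "whoami"}, "spec": {
    "routes": [{"match": "Host(`monitoring.yak-bebop.ts.net`) && Path(`/metrics`)"}],
    "tls": {"certResolver": "myresolver"}}}
PROVIDED = {"metadata": {"name": "whoami"}, "spec": {
    "routes": [{"match": "Path(`/metrics`)"}],
    "tls": {"certResolver": "myresolver",
            "domains": [{"main": "monitoring.yak-bebop.ts.net"}]}}}
NO_DOMAIN = {"metadata": {"name": "broken"}, "spec": {
    "routes": [{"match": "Path(`/metrics`)"}],
    "tls": {"certResolver": "myresolver"}}}

if __name__ == "__main__":
    for manifest in (AUTOMATIC, PROVIDED, NO_DOMAIN):
        print(audit(manifest) or "ok")
```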
Advanced Configuration
The options to set an advanced configuration are described in the reference page.
Related Content
- See the full options in the dedicated section.
- See how to secure your API by generating Let's Encrypt TLS certificates.
- See how to secure your API by providing TLS certificates to Hub API Gateway.