Using multiple domains and TLS certs on Traefik on Kubernetes
This is a quick articles on what it work for me to register multiple domains and their corresponding TLS certs.
I need to have my website behind Traefik to allow HTTPS access by using both https://domainA.com/ and https://domainB.com and I got TLS certificates for domainA.com and domainB.com respectively (paid already).
The way / solution that work for me
Deployment of certificates with secrets
As I am using Kustomize, this is part of the config they included the creation on secret using secretGenerator (one can use other way to prepare the secret, e.g. like using CLI)
I prefer using secretGenerator in Kustomize as this tie the whole deployment in the kubectl kustomize process without need to worry about not creating the secret ahead of the kubctl apply.
Mount the files as secret
As I am using Helm chart for my Traefik deployment, I use the following config file to mount volumes to those secret as a path later I can refer to with traefik config file.
Duplicate rules for each domain and have the cert apply to different router
(What have not been working / line of thought…skip if you prefer)
Because we are using HTTPS (port 443), which bind to entrypoint websecure, at first it seems like it’s impossible as there is no way to setup entrypoint base on hostname, as entrypoint is distinguished by port.
And then I tried explore if it’s possible to have multiple TLS cert assign to one IngressRoute custom resources, and seems like it cannot, according to Traefik API document.
(Finally this work…)
Finally, what I did, is trying to have the rules that being cloned, but for each set, use the different tls secret, and for the route, make sure to condition on hostname as follow
What I am not sure if needed
I do add the default certificates in traefik config file (deploy as configmap as a file mounted) but not sure if it’s needed.