Can I set namespace for TLS secretName in IngressRoute?

I have my services in various namespaces other than default and want to have my IngressRoutes in the same namespace.
However, I am using the same wildcard certificate for multiple IngressRoutes, while I have to put the secret in a single namespace.

How do I go about managing this, if I don't want to create a secret per namespace?

Hi @MikaelElkiaer, one solution could be to mount the secret containing the wildcard certificate into Traefik's container, and specify it manually (check, which implies enabling the file provider in Traefik).

I am not 100% sure if only enabling TLS on the IngressRoute would work for this, but it's worth a try, as it works with Docker, for example.

I guess it's an OK alternative. However, I do feel like there's more control in an approach where I can also specify namespace along with secretName.

As underlined in , this is not possible for security reasons (to prevent namespace users from peeking at each other).

You can totally control with the proposed solution:

  • TLS certs are stored in Kubernetes as secrets, in the same namespace as Traefik:
```bash
kubectl create secret tls --namespace=traefik certs --key=./tls.key --cert=./tls.cert
```
  • TLS certs are mounted in Traefik's pod and specified through a ConfigMap,
    so as administrator of Traefik, you are in control of what is where, and who has access to it.
    Bonus: the certificate is not duplicated, so it avoids the pain of iterating on all namespaces:
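```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-ingress
  namespace: traefik
spec:
  replicas: 1
  # ...
  template:
    spec:
      containers:
      - name: traefik  # container name assumed; image and other fields elided
        args:
          # ...
          - "--providers.kubernetescrd"
          - "--providers.file.filename=/config/dynamic.toml"
        volumeMounts:
          - name: certs
            mountPath: "/certs"
            readOnly: true
          - name: dynamic
            mountPath: "/config"
            readOnly: true
      volumes:
        - name: certs
          secret:
            secretName: certs  # the TLS secret created with kubectl above
        - name: dynamic
          configMap:
            name: dynamic
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: dynamic
  namespace: traefik
data:
  dynamic.toml: |
    # Dynamic configuration
    [[tls.certificates]]
    certFile = "/certs/tls.crt"
    keyFile = "/certs/tls.key"
```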
  • Then you can create IngressRoute objects in other namespaces where your web applications reside, enable TLS, and Traefik will match TLS certificates with the Host directives from the IngressRoute rules:
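```yaml
# Traefik v2 CRD API group; newer releases use traefik.io/v1alpha1
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: webapp-a
  namespace: webapp-a
spec:
  entryPoints:
    - web
    - websecure
  routes:
  - match: Host(``) && PathPrefix(`/a`) # The hostname `` must be on one of the certificates provided to Traefik
    kind: Rule
    services:
    - name: webapp-a
      port: 80
  tls: {}
```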
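
The answer above requires every `Host` in an IngressRoute to be on one of the certificates mounted into Traefik. As an added example (not code from the original post or from the Traefik project), this Python sketch checks `Host` rules against a certificate's DNS names using the usual one-label wildcard rule; the function names, the `example.com` names and the route keys are constructed assumptions.

```python
from __future__ import annotations
import re

# A Host(...) matcher in a Traefik rule, and each backtick-quoted name inside it.
HOST_CALL = re.compile(r"Host\(([^)]*)\)")
HOST_ARG = re.compile(r"`([^`]+)`")

def hosts_in_rule(rule: str) -> list[str]:
    """Return the hostnames named by Host(`...`) matchers in a rule string."""
    hosts = []
    for call in HOST_CALL.findall(rule):
        hosts.extend(h.lower().rstrip(".") for h in HOST_ARG.findall(call))
    return hosts

def san_covers(san: str, host: str) -> bool:
    """True if a certificate DNS name covers host. A leading '*.' stands for
    exactly one label, so it covers neither the bare domain nor deeper names."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    first, _, rest = host.partition(".")
    return bool(first) and rest == san[2:]

def uncovered_hosts(rules: dict[str, str], sans: list[str]) -> dict[str, list[str]]:
    """Map each route (namespace/name) to the hosts no certificate name covers."""
    report = {}
    for route, rule in rules.items():
        missing = [h for h in hosts_in_rule(rule) if not any(san_covers(s, h) for s in sans)]
        if missing:
            report[route] = missing
    return report

# Constructed sample data: DNS names on the mounted certificate, and match rules
# as they would appear in IngressRoute objects in two namespaces.
SANS = ["*.example.com"]
RULES = {
    "webapp-a/webapp-a": "Host(`a.example.com`) && PathPrefix(`/a`)",
    "webapp-b/webapp-b": "Host(`example.com`) || Host(`api.v2.example.com`)",
}

if __name__ == "__main__":
    for route, hosts in uncovered_hosts(RULES, SANS).items():
        print(f"{route}: no mounted certificate covers {', '.join(hosts)}")
```

For a host reported here, Traefik would fall back to its default certificate instead of the mounted wildcard certificate.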

This did the trick, thanks!