I have my services in various namespaces other than default and want to have my IngressRoutes in the same namespace.
However, I am using the same wildcard certificate for multiple IngressRoutes, while I have to put the secret in a single namespace.
How do I go about managing this, if I don't want to create a secret per namespace?
Hi @MikaelElkiaer, one solution could be to mount the secret containing the wildcard certificate into Traefik's container, and specify it manually (check https://docs.traefik.io/v2.0/https/tls/#user-defined), which implies enabling the file provider in Traefik.
I am not 100 % sure if only enabling tls on the IngressRoute would work for this but it's worth a try as it works with Docker for example.
I guess it's an OK alternative. However, I do feel like there's more control in an approach where I can also specify namespace along with secretName.
As underlined in https://github.com/containous/traefik/issues/5736#issuecomment-546981482, this is not possible for security reasons (to avoid namespace users peeking at each other).
You can totally control with the proposed solution:
- TLS certs are stored in Kubernetes as secrets, in the same namespace as Traefik:
kubectl create secret tls --namespace=traefik certs --key=./tls.key --cert=./tls.cert
- TLS certs are mounted in Traefik's pod and specified through a ConfigMap, so as administrator of Traefik, you are in control of what is where, and who has access to it. Bonus, the certificate is not duplicated, so it avoids the pain of iterating on all namespaces:
- name: certs
- name: dynamic
# Dynamic configuration
certFile = "/certs/tls.crt"
keyFile = "/certs/tls.key"
- Then you can create IngressRoute objects in other namespaces where your web applications reside, enable TLS, and Traefik will match TLS certificates with the Host directives from the IngressRoute rules:
- match: Host(`mycompany.org`) && PathPrefix(`/a`) # The hostname `mycompany.org` must be on one of the certificates provided to Traefik
- name: webapp-a
This did the trick, thanks!
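The last step of the accepted answer depends on every `Host` in every namespace being named on the one shared certificate. A wildcard SAN covers exactly one left-most label, so it does not cover the apex or deeper subdomains. The check below is an added example, not code from the thread or from Traefik; the SAN list, the namespaces and the route names are constructed sample data.

```python
import re

# Constructed sample data (not from the thread): SANs on the shared certificate
# and the match rules of IngressRoutes keyed as "namespace/name".
CERT_SANS = ["*.mycompany.org"]
ROUTES = {
    "team-a/webapp-a": "Host(`mycompany.org`) && PathPrefix(`/a`)",
    "team-b/webapp-b": "Host(`b.mycompany.org`)",
    "team-c/webapp-c": "Host(`api.c.mycompany.org`, `c.mycompany.org`)",
}

HOST_CALL = re.compile(r"\bHost\(([^)]*)\)")  # skips HostRegexp(...) and HostSNI(...)
BACKTICKED = re.compile(r"`([^`]+)`")

def hosts_in_rule(rule):
    """Return every hostname named in the Host(...) matchers of a rule."""
    hosts = []
    for args in HOST_CALL.findall(rule):
        hosts.extend(h.lower().rstrip(".") for h in BACKTICKED.findall(args))
    return hosts

def san_covers(san, host):
    """Exact match, or a wildcard standing in for exactly one left-most label."""
    san = san.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    label, _, parent = host.partition(".")
    return bool(label) and parent == san[2:]

def uncovered(routes, sans):
    """Map route name -> hostnames that no SAN on the certificate covers."""
    gaps = {}
    for name, rule in routes.items():
        missing = [h for h in hosts_in_rule(rule)
                   if not any(san_covers(s, h) for s in sans)]
        if missing:
            gaps[name] = missing
    return gaps

if __name__ == "__main__":
    for name, missing in uncovered(ROUTES, CERT_SANS).items():
        print(f"{name}: not covered by certificate: {', '.join(missing)}")
```

With the sample data, the apex `mycompany.org` and the two-level name `api.c.mycompany.org` are reported; the first is fixed by adding the apex as a second SAN, the second needs its own SAN or certificate.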