Can I set namespace for TLS secretName in IngressRoute?

I have my services in various namespaces other than default and want to have my IngressRoutes in the same namespace.
However, I am using the same wildcard certificate for multiple IngressRoutes, while I have to put the secret in a single namespace.

How do I go about managing this, if I don't want to create a secret per namespace?

Hi @MikaelElkiaer, one solution could be to mount the secret containing the wildcard certificate into Traefik's container and specify it manually (check https://docs.traefik.io/v2.0/https/tls/#user-defined), which requires enabling the file provider in Traefik.

I am not 100 % sure whether only enabling TLS on the IngressRoute would work for this, but it's worth a try, as it works with Docker, for example.

I guess it's an OK alternative. However, I do feel like there's more control in an approach where I can also specify a namespace along with secretName.

As underlined in https://github.com/containous/traefik/issues/5736#issuecomment-546981482, this is not possible for security reasons (to prevent namespace users from peeking at each other's secrets).

You have full control with the proposed solution:

  • TLS certs are stored in Kubernetes as secrets, in the same namespace as Traefik:

```shell
# kubectl stores the two files under the fixed secret keys tls.crt and tls.key,
# whatever the local file names are, hence /certs/tls.crt in the ConfigMap below
kubectl create secret tls --namespace=traefik certs --key=./tls.key --cert=./tls.cert
```

  • TLS certs are mounted in Traefik's pod and specified through a ConfigMap,
    so as administrator of Traefik you are in control of what is where and who has access to it.
    Bonus: the certificate is not duplicated, so it avoids the pain of iterating over all namespaces:

```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-ingress
  namespace: traefik
spec:
  replicas: 1
# ...
        args:
          # ...
          - "--providers.kubernetescrd"
          - "--providers.file.filename=/config/dynamic.toml"
        volumeMounts:
          - name: certs
            mountPath: "/certs"
            readOnly: true
          - name: dynamic
            mountPath: "/config"
            readOnly: true
      # Pod-level volumes backing the two mounts above: the "certs" secret
      # created with the kubectl command and the "dynamic" ConfigMap below
      volumes:
        - name: certs
          secret:
            secretName: certs
        - name: dynamic
          configMap:
            name: dynamic
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: dynamic
  namespace: traefik
data:
  dynamic.toml: |
    # Dynamic configuration
    [[tls.certificates]]
    certFile = "/certs/tls.crt"
    keyFile = "/certs/tls.key"
```

  • Then you can create IngressRoute objects in the other namespaces where your web applications reside, enable TLS, and Traefik will match TLS certificates with the Host directives from the IngressRoute rules:

```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: webapp-a
  namespace: webapp-a
spec:
  entryPoints:
    - web
    - websecure
  routes:
  - match: Host(`mycompany.org`) && PathPrefix(`/a`) # The hostname `mycompany.org` must be on one of the certificates provided to Traefik
    kind: Rule
    services:
    - name: webapp-a
      port: 80
  tls: {}
```
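
The last bullet relies on Traefik picking the mounted certificate whose domains match the Host rule. As an added example (not code from this thread and not Traefik's own matching code), the Python script below extracts the hostnames from an IngressRoute rule string and checks them against a certificate's SAN list using the usual single-label, leftmost-only wildcard convention; that convention is an assumption here, a simplification rather than a copy of Traefik's implementation. The SANs and rules are constructed sample data. It makes the caveat from the comment on the `match` line concrete for the wildcard case in the question: `*.mycompany.org` covers `a.mycompany.org` but not the apex `mycompany.org` used in the route above, so the apex must itself be on the certificate (or a second certificate must be mounted), otherwise Traefik serves its default certificate for that name.

```python
import re
from typing import Iterable, List

# Constructed sample data (not from the thread): the SANs a wildcard certificate
# might carry, and rule strings in Traefik's IngressRoute matcher syntax.
SAMPLE_SANS = ["*.mycompany.org"]
SAMPLE_RULES = [
    "Host(`mycompany.org`) && PathPrefix(`/a`)",   # apex: NOT covered by *.mycompany.org
    "Host(`a.mycompany.org`, `b.mycompany.org`)",  # one-level subdomains: covered
    "Host(`deep.a.mycompany.org`)",                # two levels below the wildcard: NOT covered
]

_HOST_MATCHER = re.compile(r"\bHost\(([^)]*)\)")
_BACKTICK_ARG = re.compile(r"`([^`]*)`")


def hosts_from_rule(rule: str) -> List[str]:
    """Return every hostname named in the Host(...) matchers of a rule.

    Only Host() is inspected; HostSNI() and HostRegexp() are different
    matchers and are deliberately ignored here.
    """
    hosts: List[str] = []
    for args in _HOST_MATCHER.findall(rule):
        hosts.extend(h.strip().lower().rstrip(".") for h in _BACKTICK_ARG.findall(args))
    return hosts


def san_matches(san: str, host: str) -> bool:
    """Single-label wildcard semantics (assumed here, RFC 6125 style):
    '*' is honoured only as the entire leftmost label and stands for exactly
    one label, so '*.example.org' matches 'a.example.org' but neither
    'example.org' nor 'b.a.example.org'. Comparison is case-insensitive.
    """
    san = san.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if san == host:
        return True
    if not san.startswith("*."):
        return False
    san_labels = san.split(".")
    host_labels = host.split(".")
    return (
        len(host_labels) == len(san_labels)
        and host_labels[0] != ""
        and "*" not in host_labels[0]
        and host_labels[1:] == san_labels[1:]
    )


def uncovered_hosts(rule: str, sans: Iterable[str]) -> List[str]:
    """Hostnames from the rule that no SAN on the certificate would serve.

    A non-empty result means those names would be answered with Traefik's
    default certificate instead of the mounted wildcard certificate.
    """
    san_list = list(sans)
    return [h for h in hosts_from_rule(rule) if not any(san_matches(s, h) for s in san_list)]


if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        missing = uncovered_hosts(rule, SAMPLE_SANS)
        status = "OK" if not missing else "NOT covered: " + ", ".join(missing)
        print(f"{rule:<48} -> {status}")
```

Feeding the script the SANs printed by `openssl x509 -noout -ext subjectAltName` on the mounted `tls.crt`, together with the `match` strings of the IngressRoutes in every namespace, gives a quick pre-deployment check that no route will silently end up on the default certificate.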

This did the trick, thanks!