How to use TLS in k8s IngressRoute

Hi, I'm confused by the doc a little bit.

So to configure the ingress using a TLS cert, there are mainly two ways:

either through a definition in the dynamic configuration, or through Let's Encrypt (ACME)

I tried ACME first and succeeded.

The working config looks like this:

# traefik flags
--certificatesresolvers.le.acme.dnschallenge=true
--certificatesresolvers.le.acme.dnschallenge.provider=godaddy
--certificatesresolvers.le.acme.dnschallenge.resolvers=1.1.1.1:53,208.67.222.222:53
--certificatesresolvers.le.acme.storage=/data/acme.json
# ingressRoute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  ...
spec:
  entryPoints: 
    - web
    - websecure
  routes:
    ...
  tls:
    certResolver: le
    domains:
    - main: "*.mydomain.com"

This set of config will use the le resolver to perform the DNS-01 challenge through GoDaddy to obtain the *.mydomain.com cert and save it at /data/acme.json. This works perfectly.


Where do I put the dynamic configuration for tls in Kubernetes?

Then I wanted to use certs defined in the dynamic configuration in Kubernetes.
In the Transport Layer Security doc I found the user-defined TLS cert config as follows:

tls:
  certificates:
    - certFile: /path/to/domain.cert
      keyFile: /path/to/domain.key
    - certFile: /path/to/other-domain.cert
      keyFile: /path/to/other-domain.key

So my first attempt was to simply put that under ingressRoute.yaml like this, which didn't work.

# ingressRoute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  ...
spec:
  entryPoints: 
    - web
    - websecure
  routes:
    ...
  tls:
    certificates:
    - certFile: /path/to/mydomain.cert
      keyFile: /path/to/mydomain.key

What is secretName actually?

Then I checked the reference for IngressRoute again and found the tls part like this:

tls:                              # [9]
    secretName: supersecret         # [10]
    options:                        # [11]
      name: opt                     # [12]
      namespace: default            # [13]
    certResolver: foo               # [14]
    domains:                        # [15]
    - main: example.net             # [16]
      sans:                         # [17]
      - a.example.net
      - b.example.net

and found secretName with the purpose:

Defines the secret name used to store the certificate (in the IngressRoute namespace)

So I'm very confused: which describes secretName better?
A. For ACME only: it's a name that Traefik will use to create a Kubernetes Secret to store the cert files obtained by the ACME resolver.
B. For user-defined certs only: Traefik will try to load this Secret and use the certificate inside it.

:question: IF A, then will the resolver save the certs to both /data/acme.json (mentioned before) and the k8s Secret?
:question: IF B, then how should the Secret be created? What should the data structure be like? How do I assign different routes different certs? There seems to be no example in the doc.


Getting back to my question: I still don't know how to configure my Traefik with the 2 certs I have on hand. Assume I have mydomainA(/B).cert(/key) files, and I want to add TLS for the following IngressRoute:

# ingressRoute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  ...
spec:
  entryPoints: 
    - web
    - websecure
  routes:
      - kind: Rule
        match: Host(`mydomainA.com`)
        ...
      - kind: Rule
        match: Host(`mydomainB.com`)
        ...

After some digging in the source code I think I understand secretName better. So it should be case B:

It's for user-defined certs only: Traefik will try to load this Secret and use the certificate inside it.

And I also found the data structure; it should be like:

apiVersion: v1
kind: Secret
metadata:
  name: mysecret        # referenced by spec.tls.secretName; must be in the IngressRoute's namespace
type: Opaque
data:
  tls.crt: ... ...      # base64-encoded PEM certificate (chain)
  tls.key: ... ...      # base64-encoded PEM private key

But I still don't know how to use different certs for different routes, since this seems to load only one cert for the IngressRoute.
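The following is an added example, not part of the original post and not taken from the Traefik docs. It shows the case-B layout with two user-supplied certs: one kubernetes.io/tls Secret per certificate (created with kubectl so the private key never sits in a manifest), and one IngressRoute per host, each pointing at its own secretName. Traefik then picks the certificate by SNI. The Secret, IngressRoute and Service names (mydomain-a-tls, service-a, ...) are assumptions for illustration.

```yaml
# Added example (not from the post or the Traefik docs). Names are assumed.
# Create the Secrets from the PEM files on hand; `kubectl create secret tls`
# produces type kubernetes.io/tls with the tls.crt / tls.key keys Traefik reads:
#   kubectl -n default create secret tls mydomain-a-tls --cert=mydomainA.cert --key=mydomainA.key
#   kubectl -n default create secret tls mydomain-b-tls --cert=mydomainB.cert --key=mydomainB.key
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: mydomain-a                 # assumed name
  namespace: default
spec:
  entryPoints:
    - websecure                    # a router with a tls section is TLS-only, so do not list "web" here
  routes:
    - kind: Rule
      match: Host(`mydomainA.com`)
      services:
        - name: service-a          # assumed backend Service
          port: 80
  tls:
    secretName: mydomain-a-tls     # Secret in the same namespace as this IngressRoute
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: mydomain-b                 # assumed name
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`mydomainB.com`)
      services:
        - name: service-b          # assumed backend Service
          port: 80
  tls:
    secretName: mydomain-b-tls     # a different Secret, so this host is served with the second cert
```

Two things worth checking against the configs in the post: spec.tls.secretName only ever names a Secret Traefik loads, it is not where an ACME resolver stores anything (the resolver keeps using the acme.json storage); and once a router carries a tls section it handles HTTPS only, so keeping `web` in its entryPoints means plain HTTP on that port will not match. Handle the HTTP side with a separate router (for example a redirect) rather than on the TLS router.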