Hi, I'm confused by the doc a little bit.
So to config the ingress using a TLS cert, there are mainly two ways:
either through a definition in the dynamic configuration, or through Let's Encrypt (ACME).
I tried ACME first and succeeded.
The working config looks like this:
```
# traefik flags
--certificatesresolvers.le.acme.dnschallenge=true
--certificatesresolvers.le.acme.dnschallenge.provider=godaddy
--certificatesresolvers.le.acme.dnschallenge.resolvers=22.214.171.124:53,126.96.36.199:53
--certificatesresolvers.le.acme.storage=/data/acme.json
```

```yaml
# ingressRoute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  ...
spec:
  entryPoints:
    - web
    - websecure
  routes:
    ...
  tls:
    certResolver: le
    domains:
      - main: "*.mydomain.com"
```
This set of config will use the `le` resolver to perform the `DNS01` challenge through `godaddy` to obtain the `*.mydomain.com` cert and save it at `/data/acme.json`. This works perfectly.
Where do I put the dynamic configuration for tls in Kubernetes?
Then I want to use certs defined in the dynamic configuration in Kubernetes.
In the Transport Layer Security doc I found the user-defined TLS cert as follows:
```yaml
tls:
  certificates:
    - certFile: /path/to/domain.cert
      keyFile: /path/to/domain.key
    - certFile: /path/to/other-domain.cert
      keyFile: /path/to/other-domain.key
```
So my first attempt was to simply put that under `ingressRoute.yaml` like this, which didn't work:
```yaml
# ingressRoute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  ...
spec:
  entryPoints:
    - web
    - websecure
  routes:
    ...
  tls:
    certificates:
      - certFile: /path/to/mydomain.cert
        keyFile: /path/to/mydomain.key
```
Then I checked the reference for IngressRoute again and found the tls part like this:
```yaml
tls:
  secretName: supersecret
  options:
    name: opt
    namespace: default
  certResolver: foo
  domains:
    - main: example.net
      sans:
        - a.example.net
        - b.example.net
```
secretName with purpose:
Defines the secret name used to store the certificate (in the
So I'm very confused about which it describes:
A. For ACME only: it's a name that Traefik will use to create a Kubernetes Secret to store the cert files obtained by the ACME resolver.
B. For user defined cert only: Traefik will try to load this secret and use the certificate inside it.
If A, then will the resolver save the certs to both `/data/acme.json` (mentioned before) and the k8s secret?
If B, then how should the secret be created? What should the data structure be like? How do I assign different routes different certs? There seems to be no example in the doc.
Getting back to my question: I still don't know how to config my Traefik with my 2 certs on hand. Assuming I have `mydomainA(/B).cert(/key)` files, and I want to add TLS for the following:
```yaml
# ingressRoute.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  ...
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - kind: Rule
      match: Host(`mydomainA.com`)
      ...
    - kind: Rule
      match: Host(`mydomainB.com`)
      ...
```
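
An added example, not part of the original post: Traefik's Kubernetes CRD provider reads `tls.secretName` as an existing Secret of type `kubernetes.io/tls` in the IngressRoute's namespace, so two certificates on hand map to two Secrets and two IngressRoutes. The Secret names, backend Services and PEM placeholders are assumptions.

```yaml
# Added example: Secret names and backend Services are hypothetical.
# Replace each <...> placeholder with the PEM text of the named file.
apiVersion: v1
kind: Secret
metadata:
  name: mydomain-a-tls            # hypothetical name
type: kubernetes.io/tls           # this type requires the keys tls.crt and tls.key
stringData:
  tls.crt: "<PEM contents of mydomainA.cert>"
  tls.key: "<PEM contents of mydomainA.key>"
---
apiVersion: v1
kind: Secret
metadata:
  name: mydomain-b-tls            # hypothetical name
type: kubernetes.io/tls
stringData:
  tls.crt: "<PEM contents of mydomainB.cert>"
  tls.key: "<PEM contents of mydomainB.key>"
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: mydomain-a                # same namespace as mydomain-a-tls
spec:
  entryPoints: [websecure]        # a router with a tls section only serves HTTPS
  routes:
    - kind: Rule
      match: Host(`mydomainA.com`)
      services:
        - name: service-a         # hypothetical backend Service
          port: 80
  tls:
    secretName: mydomain-a-tls    # existing Secret that Traefik loads
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: mydomain-b                # same namespace as mydomain-b-tls
spec:
  entryPoints: [websecure]
  routes:
    - kind: Rule
      match: Host(`mydomainB.com`)
      services:
        - name: service-b         # hypothetical backend Service
          port: 80
  tls:
    secretName: mydomain-b-tls
```

`kubectl create secret tls mydomain-a-tls --cert=mydomainA.cert --key=mydomainA.key` builds the same Secret directly from the files, which keeps the private key out of any manifest committed to version control.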