Let's Encrypt certificate doesn't work

I have the following Traefik configuration:

  traefik.toml: |
    ## static configuration
    [global]
      checkNewVersion = true

    [entryPoints]
      [entryPoints.web]
        address = ":80"
      [entryPoints.websecure]
        address = ":443"
      [entryPoints.internal]
        address = ":4080"
      [entryPoints.internalsecure]
        address = ":4043"

    [providers]
      [providers.kubernetesCRD]
      [providers.file]
        directory = "/etc/traefik/providers/"
        watch = true
      [providers.kubernetesIngress]
        ingressClass = "traefik-cert-manager"

    [log]
      level = "INFO"

    [accessLog]

    [api]
      insecure = true
      dashboard = true
      debug = true

    [metrics]
      [metrics.prometheus]
        buckets = [0.1,0.3,1.2,5.0]
        addEntryPointsLabels = true
        addServicesLabels = true

    [ping]

    [certificatesResolvers]
      [certificatesResolvers.default]
        [certificatesResolvers.default.acme]
          email = "admin@domain.com"
          caServer = "https://acme-v02.api.letsencrypt.org/directory"
          storage = "/etc/traefik/storage/acme.json"
          [certificatesResolvers.default.acme.dnsChallenge]
            provider = "route53"
            delayBeforeCheck = 0
            resolvers = ["1.1.1.1:53", "8.8.8.8:53"]

  dynamic.toml: |
    ## dynamic configuration

    [[tls.certificates]]
      certFile = "/certs/tls.crt"
      keyFile = "/certs/tls.key"
      stores = ["default"]

    [tls.stores]
      [tls.stores.default]
        [tls.stores.default.defaultCertificate]
          certFile = "/certs/tls.crt"
          keyFile  = "/certs/tls.key"

Then I have cert-manager to get subdomain-specific certificates such as

*.dev.domain.com
*.qa.domain.com
*.staging.domain.com

All hosts under *.dev.domain.com (including dev.domain.com) are able to use the Let's Encrypt certificate without any issue. But qa.domain.com & staging.domain.com are not using the Let's Encrypt certificate; they use the default certificate mentioned in dynamic.toml.

To debug this further I created dummy.qa.domain.com, and this was able to use the Let's Encrypt certificate, but qa.domain.com was still using the default cert.

If I remove the default cert, qa.domain.com & staging.domain.com fail to load and give a certificate error.

What is wrong in my setup?

DaemonSet
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: traefik
  namespace: kube-system
  labels:
    app: traefik
  annotations:
     prometheus.io/scrape: "true"
     prometheus.io/port: "8080"
spec:
  selector:
    matchLabels:
      app: traefik
  minReadySeconds: 5
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 30
      hostNetwork: true
      containers:
      - name: traefik
        image: traefik:2.4.14
        ports:
          - name: web
            containerPort: 80
          - name: websecure
            containerPort: 443
          - name: internal
            containerPort: 4080
          - name: internalsecure
            containerPort: 4043
          - name: admin
            containerPort: 8080
        readinessProbe:
          failureThreshold: 1
          httpGet:
            path: /ping
            port: 8080
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 2
        securityContext:
          privileged: true
        env:
          - name: AWS_REGION
            valueFrom:
              configMapKeyRef:
                name: aws-config
                key: aws_region
          - name: AWS_HOSTED_ZONE_ID
            valueFrom:
              configMapKeyRef:
                name: aws-config
                key: aws_hosted_zone_id
          - name: AWS_ACCESS_KEY_ID
            valueFrom:
              secretKeyRef:
                name: aws-secret
                key: access_key
          - name: AWS_SECRET_ACCESS_KEY
            valueFrom:
              secretKeyRef:
                name: aws-secret
                key: secret_key
        volumeMounts:
          - name: traefik-config
            mountPath: /etc/traefik/traefik.toml
            subPath: traefik.toml
          - name: traefik-config
            mountPath: /etc/traefik/providers/dynamic.toml
            subPath: dynamic.toml
          - name: traefik-storage
            mountPath: /etc/traefik/storage/
          - name: cert
            readOnly: true
            mountPath: /certs/
      volumes:
      - name: traefik-config
        configMap:
          name: traefik-conf
      - name: traefik-storage
        hostPath:
          path: /tmp/traefik
          type: DirectoryOrCreate
      - name: cert
        secret:
          secretName: star-domain-com
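As an added diagnostic example (not code from this thread or from Traefik/cert-manager): the hostname-to-SAN matching rule that decides whether a certificate covers a requested name, run over constructed SAN lists that mirror the three wildcards above. Under RFC 6125 matching a wildcard covers exactly one label, so `*.qa.domain.com` covers `dummy.qa.domain.com` but not the apex `qa.domain.com`; a host that no certificate covers is the one that falls through to the default certificate.

```python
"""Which hosts would be served by the default certificate? (added example)

Each certificate is modelled only by the DNS names in its SAN list. The CERTS
and HOSTS values below are constructed for illustration and are not taken from
the thread's real certificates.
"""
from typing import Dict, List, Optional


def san_matches_host(san: str, host: str) -> bool:
    """RFC 6125 style matching: a wildcard is honoured only as the whole
    left-most label and matches exactly one label, so '*.qa.domain.com'
    matches 'dummy.qa.domain.com' but neither 'qa.domain.com' nor
    'a.b.qa.domain.com'. Comparison is case-insensitive."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    san_labels, host_labels = san.split("."), host.split(".")
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


def select_cert(host: str, certs: Dict[str, List[str]]) -> Optional[str]:
    """Return the name of the first certificate whose SANs cover host, or
    None when no certificate matches (the default certificate is served)."""
    for name, sans in certs.items():
        if any(san_matches_host(s, host) for s in sans):
            return name
    return None


def hosts_on_default_cert(hosts: List[str], certs: Dict[str, List[str]]) -> List[str]:
    """List the hosts that would fall through to the default certificate."""
    return [h for h in hosts if select_cert(h, certs) is None]


# Constructed sample: the dev certificate carries both the wildcard and the
# apex name, while the qa and staging certificates carry only the wildcard.
CERTS = {
    "dev": ["*.dev.domain.com", "dev.domain.com"],
    "qa": ["*.qa.domain.com"],
    "staging": ["*.staging.domain.com"],
}
HOSTS = ["dev.domain.com", "app.dev.domain.com", "qa.domain.com",
         "dummy.qa.domain.com", "staging.domain.com"]

if __name__ == "__main__":
    for h in HOSTS:
        print(f"{h:25s} -> {select_cert(h, CERTS) or 'DEFAULT certificate'}")
```

To check a live setup, replace the constructed SAN lists with the names from the real certificates (for example via `openssl x509 -noout -ext subjectAltName`) and compare against the hosts in your Ingress/IngressRoute objects.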

Hello @rp346

I understood that you have already generated certificates using cert-manager and you are going to add them as additional certificates. If so, can you please add those 3 wildcard certificates based on the following example:

tls:
  certificates:
    - certFile: /path/to/dev.domain.cert
      keyFile: /path/to/dev.domain.key
    - certFile: /path/to/qa.domain.cert
      keyFile: /path/to/qa.domain.key
    - certFile: /path/to/staging.domain.cert
      keyFile: /path/to/staging.domain.key

More details are described here: TLS - Traefik
Please also note that there are only global store certificates for all certificates.


Subdomain-specific certificates generated by cert-manager are automatically generated & renewed; they are stored in a secret, not in a file.

Can I remove [[tls.certificates]] & [tls.stores] from dynamic.toml because I am using certificates generated by cert-manager?