Long configuration reload duration


I want to use Traefik as a Kubernetes ingress controller. What we do is ordering and applying an SSL certificate just in time. That means that the certificate is integrated as soon as the website gets called.

I'm creating Kubernetes ingress objects and secrets using a dedicated proxy.

After creating the ingress and secret (using k8s go-client) I forward the request to Traefik to terminate SSL. The forwarded msg includes a proxy protocol header and the TLS hello client msg containing SNI.

This works fine if the count of ingress objects is around 1000. As soon as the number of ingresses in the Kubernetes cluster grows, Traefik serves the default certificate. This behaviour disappears after several minutes of waiting and retrying. I think this is due to the fact that Traefik reloads all configurations on a single watch event. Is there an option to just reload the currently changed configuration?

I tried to debug the Kubernetes provider, but was not able to find any option for that.

The provider calls loadConfigurationFromIngresses on every single watch event, which will trigger all ingresses / secrets and services to reload. It would be very useful to add the event from the eventsChan to a configuration map, instead of reloading the whole config.

I also tried updating from 1.7 to 2.0 beta without any changes.

What did you expect to see?

I expected to see the SSL protected page served by a service behind the Kubernetes ingress I recently created.

What did you see instead?

I get a "TRAEFIK DEFAULT CERT" for a couple of minutes. After reloading multiple times, Traefik serves the correct secret for the requested ingress.

I would love to get some information on the reloading process.