Prevent IngressRoutes from sharing/using the same certificate

I have an AKS cluster with Traefik installed along with cert-manager. I have several IngressRoutes for services (nginx servers) which are accessible on path prefixes /nginx1, /nginx2 etc. under the same domain. These IngressRoutes are in different namespaces.
Basically I strip the path prefix with a middleware and it all works just fine with the websecure entrypoint.
However, the TLS certificate secret from Let's Encrypt (issued with cert-manager) exists only in one namespace, yet all the other IngressRoutes are sharing this TLS certificate even though I don't reference it in the IngressRoute spec. Only the IngressRoute with the TLS secret in its namespace references it, and yet all the other Traefik IngressRoutes use the cert when I try reaching them with the browser.

I came across this thread: Use of a default certificate with SNI enabled
which basically describes my observation. But I cannot find any TLSStore objects in my cluster or any default certificate config. My Traefik deployment file does not have a default cert configuration. Is there a way to disable certificate sharing among the IngressRoutes?

Hello pmav,

You are correct that we have faced a similar observation in Traefik. While our original request was resolved, it is still not possible to rely on namespace isolation wrt. certificates in Traefik TLS Stores. Refer to the documentation:

It states that there is only one global TLS Store for the time being, and that all certificates are shared among all Ingress Routes.

There is a tracking issue on GitHub to resolve this. Unfortunately it is many years old and has not seen much traction: GitHub traefik issue 4756 (I am not allowed to post the link?)

If you wish to isolate your certificates already, the only workaround is to use an entire Traefik installation per namespace. Then each installation of Traefik will have its own TLS Store.

Hope this helps :wink:

Hi, I am a bit confused. I cannot find any TLSStore in the namespace of my Traefik installation. If there is a default one created automatically, where is it?

The TLSStore custom resource is one that you can optionally create yourself in your namespace, and that will be used to configure the default TLS store inside of Traefik. If you configure your certificate via the IngressRoute custom resource, no TLSStore custom resource has been involved, but the default TLS store in Traefik is still configured.

So we need to distinguish between the globally available default TLS store in Traefik, and its CRD equivalent TLSStore in Kubernetes.

So..
"kubectl get tlsstores.traefik.containo.us --all-namespaces"
returns nothing.
How do I check if I have any TLS stores in Kubernetes itself? You said that even if I don't configure one, there is one there. How do I access either?

Checking for resources of kind TLSStore in Kubernetes will only give you a result if you actually created a TLSStore resource yourself - which you did not. That does not prevent Traefik from creating a TLS store (notice TLSStore != TLS store). There will always be exactly one TLS store in Traefik (the default one), and to control what goes into it you have a number of options:

  • Configure certificates via the Traefik configuration file
  • Add certificates via IngressRoutes
  • Create a TLSStore custom resource
  • Others?

The TLSStore custom resource in Kubernetes is not the same as the physical TLS store in Traefik. It is merely an abstraction to tell Traefik what to put into its TLS store. Traefik simply looks for resources of kind TLSStore and reads their configuration.

So to summarize:

  • TLSStore: A Kubernetes custom resource that you may optionally use for configuring certificates for Traefik. It only exists if you create it.
  • TLS store: The actual "physical" store inside Traefik that holds your certificates. There will always be exactly one: default.

Okay. So in my case, Traefik creates its own TLS store since I did not specify one, but it is not accessible by me. Is it possible to create a TLS store and put an empty certificate resource in there? That way, Traefik will use the TLS secrets (containing the signed TLS certificate) in the namespace that my IngressRoute lives in. That way, I can have TLS termination in every IngressRoute which is not managed by Traefik?

And one more thing: does Traefik use the same certificate for all IngressRoutes only when the hostname is the same? For example, if I have another IngressRoute where I specify a subdomain, Traefik should not use the same cert as the other IngressRoute without the subdomain, is that so?

You can't have TLS certificates on your IngressRoutes which are not managed by Traefik. You also can't isolate your certificates by namespace without having completely independent Traefik installations.

The way it works is that every configuration point regarding certificates pools the certificates together in the default TLS store. Upon creating an IngressRoute it will use whichever certificate that matches the domain name of that route. So as long as you use different domains or subdomains, your routes will use different certificates. But if two routes have the same domain, they could end up using the same certificate.

There are lots of discussions on this topic in the Traefik GitHub issue tracker. Here is for instance an explanation on how IngressRoutes use certificates, which you may find interesting: Same certificate is used for different IngressRouteTCP objects despite tls.secretName being different · Issue #7985 · traefik/traefik · GitHub

And this is the proposed change I was unable to link earlier: Multiple certificate stores · Issue #4756 · traefik/traefik · GitHub
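The pooling behaviour described above (one default TLS store, any IngressRoute with a matching Host() served from whichever pooled certificate fits) can be audited from the IngressRoute manifests themselves. The following is an added example, not code from the thread or from Traefik: it walks a constructed set of IngressRoute objects, groups TLS-enabled routes by Host() and flags hosts that are served from more than one namespace, separating the route that supplies a `tls.secretName` from those that only borrow the pooled certificate.

```python
import re
from collections import defaultdict

# Constructed sample manifests standing in for parsed IngressRoute YAML
# (hypothetical names and namespaces, not taken from the thread).
INGRESSROUTES = [
    {"metadata": {"name": "nginx1", "namespace": "team-a"},
     "spec": {"entryPoints": ["websecure"],
              "routes": [{"match": "Host(`example.com`) && PathPrefix(`/nginx1`)"}],
              "tls": {"secretName": "example-com-tls"}}},   # supplies the cert
    {"metadata": {"name": "nginx2", "namespace": "team-b"},
     "spec": {"entryPoints": ["websecure"],
              "routes": [{"match": "Host(`example.com`) && PathPrefix(`/nginx2`)"}],
              "tls": {}}},                                  # TLS on, no secret of its own
    {"metadata": {"name": "api", "namespace": "team-c"},
     "spec": {"entryPoints": ["websecure"],
              "routes": [{"match": "Host(`api.example.com`)"}],
              "tls": {"secretName": "api-tls"}}},
]

HOST_RE = re.compile(r"Host\(`([^`]+)`\)")

def hosts_of(ingressroute):
    """Return every host named in the Host() matchers of an IngressRoute."""
    hosts = set()
    for route in ingressroute["spec"].get("routes", []):
        hosts.update(HOST_RE.findall(route.get("match", "")))
    return hosts

def audit(routes):
    """Map host -> namespaces that share it via the single default TLS store."""
    by_host = defaultdict(list)
    for ir in routes:
        if ir["spec"].get("tls") is None:   # plain HTTP route, no TLS store involvement
            continue
        ns, name = ir["metadata"]["namespace"], ir["metadata"]["name"]
        secret = ir["spec"]["tls"].get("secretName")
        for host in hosts_of(ir):
            by_host[host].append((ns, name, secret))
    findings = {}
    for host, entries in by_host.items():
        if len({ns for ns, _, _ in entries}) > 1:   # host crosses a namespace boundary
            findings[host] = {
                "providers": [f"{ns}/{secret}" for ns, _, secret in entries if secret],
                "borrowers": [f"{ns}/{name}" for ns, name, secret in entries if not secret],
            }
    return findings

if __name__ == "__main__":
    for host, info in audit(INGRESSROUTES).items():
        print(host, "cert from", info["providers"], "also serves", info["borrowers"])
```

Feeding the script real output from `kubectl get ingressroutes -A -o json` (the `items` list) instead of the constructed sample turns it into a quick check of which namespaces are implicitly relying on a certificate loaded elsewhere.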

Okay. My setup currently uses 'kubed' to sync the cert-manager TLS certificate to all namespaces that need TLS termination, since the secret needs to exist in that namespace and I use the same domain. As long as at least one IngressRoute with a TLS secret in its namespace exists, all other IngressRoutes with the same hostname share this certificate, even if the TLS secret is not referenced or does not exist in their namespace, which I verified multiple times on my cluster. In order to always have at least one TLS secret in the namespace of the TLS IngressRoute, I use kubed as I said, EVEN if Traefik internally uses the same certificate by default for the IngressRoutes with the same hostname.

Does nginx behave the same way? I might consider trying to spin up a cluster and doing the same thing but with nginx instead of Traefik.

Are you certain about this? I'm using cert-manager to provision TLS certs, referencing them in my Traefik 2.10 IngressRoute objects and it seems to work just fine.