Routing Issue (Subdomain)

I have a similar setup used for Traefik's Service (LB) definition for v2 as I did for v1.7. There seem to be some notable differences -- specifically WRT routing to a service. Looks like I need to use traefik.domain.com/<service> in order to access the resource. Is it possible to omit traefik as part of the subdomain?

This assumption (if it is one) to route traffic under traefik subdomain seems to affect my SSL setup which isn't taking that subdomain into account when the cert was generated. I would like to just access my services as domain.com/svc or subdomain.domain.com/svc. As is, I am using traefik.subdomain.domain.com.

Service:

apiVersion: v1
kind: Service
metadata:
  name: traefik
  namespace: <namespace>
  labels:
    app: traefik
  annotations:
    external-dns.alpha.kubernetes.io/hostname: "*.<subdomain>.<hostname>.io"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: TCP
    service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <arn..>
    service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS-1-1-2017-01
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
spec:
  type: LoadBalancer
  selector:
    app: traefik
    release: traefik
  ports:
    - port: 80
      name: web
      targetPort: "web"
    - port: 443
      name: websecure
      targetPort: "websecure"

Deployment Manifest

apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik
  namespace: <namespace>
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik
      terminationGracePeriodSeconds: 60
      containers:
        - image: traefik:2.1.3
          name: traefik
          resources:
            limits:
              cpu: 250m
              memory: 200Mi
            requests:
              cpu: 200m
              memory: 100Mi
          readinessProbe:
            httpGet:
              path: /ping
              port: 9000
            failureThreshold: 1
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          livenessProbe:
            httpGet:
              path: /ping
              port: 9000
            failureThreshold: 3
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 2
          ports:
            - name: "traefik"
              containerPort: 9000
              protocol: TCP
            - name: "web"
              containerPort: 8000
              protocol: TCP
            - name: "websecure"
              containerPort: 8443
              protocol: TCP
          args:
            - "--global.checknewversion=true"
            - "--global.sendanonymoususage=true"
            - "--entryPoints.traefik.address=:9000"
            - "--entryPoints.web.address=:8000"
            - "--entryPoints.websecure.address=:8443"
            - "--api.dashboard=true"
            - "--api.insecure=false"
            - "--ping=true"
            - "--providers.kubernetescrd"

Hello @krg7880,

Traefik allows a large variety of routing options:

https://docs.traefik.io/v2.1/routing/routers/#rule

You are correct, SSL certificates are explicit about domains, so a certificate for example.com is not valid for www.example.com, unless it has a wildcard SAN: *.example.com

Can you elaborate a bit more on the subdomain issue you are encountering?

I have SSL certs generated to work with *.example.com. I would like to create the AWS LB to use *.example.com for the external-dns.alpha.kubernetes.io/hostname attribute, however, it seems that I cannot do that as I need to use traefik as part of the DNS. This forced me to use the value *.subdomain.example.com.

That translates to traefik.subdomain.example.com. As a result of the extra-subdomain (traefik), my SSL setup is broken. Not sure if all of that makes sense, but the short version is that I'd like to access my service without having to specify traefik as a subdomain.

Here's my Dashboard Router for example. In order to access the dashboard (given the above manifest), I need to specify traefik.subdomain.example.com/dashboard/ instead of just subdomain.example.com/dashboard.

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: <namespace>
  labels:
    app: traefik
spec:
  routes:
    - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: auth
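
The certificate mismatch discussed above, as an added example that is not part of the original thread: a simplified RFC 6125-style check of which hostnames a set of certificate SANs covers. The SAN lists and hostnames are constructed from the names used in the posts, and rejecting partial wildcards and `*.tld` is a conservative assumption of this sketch.

```python
# Added example: which hostnames does a certificate's dNSName SAN list cover?
# A wildcard stands for exactly one leftmost label, so *.example.com does not
# cover traefik.subdomain.example.com.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")

def san_matches(san, host):
    """Return True if a single SAN entry covers host."""
    s, h = _labels(san), _labels(host)
    # A wildcard never spans several labels, so label counts must be equal.
    if len(s) != len(h) or "" in h:
        return False
    if s[0] == "*":
        # Assumption: refuse *.tld and wildcards outside the leftmost label.
        if len(s) < 3 or any("*" in label for label in s[1:]):
            return False
        return s[1:] == h[1:]
    # Assumption: partial wildcards such as w*.example.com are rejected.
    if any("*" in label for label in s):
        return False
    return s == h

def cert_covers(sans, host):
    """Return True if any SAN entry covers host."""
    return any(san_matches(san, host) for san in sans)

def coverage_report(sans, hosts):
    """Map each hostname to whether the SAN list covers it."""
    return {host: cert_covers(sans, host) for host in hosts}

# Constructed sample data based on the names in the thread.
WILDCARD_SANS = ["*.example.com", "example.com"]
HOSTS = [
    "example.com",
    "www.example.com",
    "subdomain.example.com",
    "traefik.subdomain.example.com",
]

if __name__ == "__main__":
    for host, ok in coverage_report(WILDCARD_SANS, HOSTS).items():
        print(f"{host:35} {'covered' if ok else 'NOT covered'}")
```

Running the same check against the SAN list of the certificate actually attached to the load balancer shows, before any DNS record is created, whether a hostname will pass TLS validation.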

@daniel.tomcej Looks like I got this to work as expected. It seems that having a wildcard in my hostname for the external-dns.alpha.kubernetes.io/hostname annotation was causing this issue. Note that this wasn't an issue with Traefik v1.7 BTW.

Additionally, I thought that the subdomain was restricted to traefik, however, that was a mistake. Any prefix seems to work, i.e. <subdomain>.<hostname>.io instead of *.<subdomain>.<hostname>.io