Bear with me as I am trying to configure a slightly unusual setup. I am not routing to Docker containers or a k8s cluster. This configuration is defined 'statically' via files and load balancers to instances.
I have a wildcard self-signed certificate (e.g. *.example.com) that I make use of via the file provider, sitting within the default TLS store. I can reference this certificate implicitly from my configuration and it is correctly applied to all my router/Host definitions.
[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      # Fallback certificate, served when no certificate in the store matches the SNI name
      certFile = "./example.crt"
      keyFile  = "./example.key"   # Traefik's key for the private key is keyFile, not certKey
With this in place I have no other TLS configuration around my routers/middleware/services.
Now I have a requirement that one of my routers (i.e. one with a rule specific to one host, e.g. test3.example.com) needs to use a wildcard certificate for the same domain, but signed by an external CA: a different cert/key pair, still issued to *.example.com, but signed externally and paid for.
I've gone through the TLS documentation and I can't figure out if it is possible to configure for this situation or if so how to do it. I had thought that setting up two TLS stores and making the specific router reference the TLS cert from that store would work, but it seems that actually there is only a single global store? From the docs:
"Any store definition other than the default one (named default) will be ignored, and there is therefore only one globally available TLS store."
Can anyone suggest an approach that might work to cover this situation?
Thanks.
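Added illustration, not part of the post above and not an answer its quoted documentation confirms: the dynamic-configuration way to load a second certificate into the single default store is the tls.certificates list. File paths are placeholders. Note that this adds the certificate to the store; it does not bind it to one router. Traefik chooses among store certificates by SNI name, so which of two certificates that both cover *.example.com is served for test3.example.com is exactly what the poster needs to verify rather than assume.

```toml
# Added example (not from the post): one default store holding two certificates.
# All file paths are placeholders (assumption).

[tls.stores]
  [tls.stores.default]
    [tls.stores.default.defaultCertificate]
      # Self-signed wildcard: used only when no certificate in the store
      # matches the SNI name presented by the client.
      certFile = "./example.crt"
      keyFile  = "./example.key"

# Externally signed wildcard for *.example.com, added to the same default
# store (the only store Traefik consults). Certificates listed here are
# selected by SNI, not by router, so this applies to every host the
# certificate covers, not just test3.example.com.
[[tls.certificates]]
  certFile = "./external-example.crt"
  keyFile  = "./external-example.key"
  stores   = ["default"]
```

To check which certificate actually gets served for a given host, point openssl at the Traefik entrypoint with an explicit SNI name and read off the issuer: `openssl s_client -connect <traefik-host>:443 -servername test3.example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer`. Repeat with a second host name covered by the wildcard to confirm whether the choice is per host or store-wide.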