Traefik+cert-manager+gateway api+k8s

I’m working with Traefik + Gateway API + cert-manager (no wildcard certificates) to expose multiple services, each with its own subdomain and TLS certificate.

Setup:

  • One Gateway with a single HTTPS listener (port 4443) and HTTP listener (port 8000).

  • Multiple certificateRefs on the HTTPS listener (one Secret per subdomain).

  • One HTTPRoute per subdomain with proper hostnames and routing.

  • All TLS Secrets are valid (kubernetes.io/tls, correct SAN, issued by cert-manager), all in the same namespace as the routes (also tested ReferenceGrant).

  • Traefik v3.5 with the kubernetes-gateway provider enabled.

Problem:
Only the first domain in certificateRefs gets the correct TLS certificate; in this case the service is a whoami service, with minimal and echo only being served the default Traefik cert. All other hostnames receive the default Traefik certificate, even though their TLS Secrets are valid and listed in certificateRefs.

Traefik logs:
Serving default certificate for request: "minimal.example.com"
remote error: tls: unknown certificate

My Gateway:

apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: traefik-gateway
  namespace: whoami
spec:
  gatewayClassName: traefik
  listeners:
  - name: web
    port: 8000
    protocol: HTTP
    allowedRoutes:
      namespaces:
        from: All
  - name: websecure
    port: 4443
    protocol: HTTPS
    allowedRoutes:
      namespaces:
        from: All
    tls:
      certificateRefs:
      - kind: Secret
        name: echo-tls-staging
      - kind: Secret
        name: whoami-tls-staging
      - kind: Secret
        name: minimal-tls-staging

My httpRoute:

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: minimal
  namespace: whoami
spec:
  parentRefs:
  - name: traefik-gateway
    sectionName: websecure
  hostnames:
  - minimal.example.com
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    filters:
    - type: ExtensionRef
      extensionRef:
        group: traefik.io
        kind: Middleware
        name: secure-headers
    - type: ExtensionRef
      extensionRef:
        group: traefik.io
        kind: Middleware
        name: ip-allowlist
    backendRefs:
    - name: minimal-service
      port: 80
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: minimal-redirect
  namespace: whoami
spec:
  parentRefs:
  - name: traefik-gateway
    sectionName: web
  hostnames:
  - minimal.example.com
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https
        port: 443
        statusCode: 301

TLS Secrets:

NAME                  TYPE                DATA   AGE
echo-tls-staging      kubernetes.io/tls   2      90m
minimal-tls-staging   kubernetes.io/tls   2      76m
whoami-tls-staging    kubernetes.io/tls   2      7h52m
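A quick way to confirm which certificate the gateway actually presents per SNI name, added here as an example and not part of the original post: the script below opens one TLS handshake per hostname with that name as SNI, extracts the DNS SANs of the leaf certificate the gateway returned, and flags every hostname whose served certificate does not cover it (the default Traefik cert has no matching SAN, so it shows up as MISMATCH). It assumes openssl 1.1.1 or newer is installed and that the websecure entrypoint is reachable at GATEWAY_ADDR:GATEWAY_PORT (placeholders); the matcher also accepts single-label wildcards, which goes beyond the non-wildcard setup in the post.

```bash
#!/usr/bin/env bash
# Per-SNI certificate check for the Traefik Gateway API listener (added example).
# Assumptions: openssl >= 1.1.1 on PATH; GATEWAY_ADDR/GATEWAY_PORT are placeholders
# for wherever the websecure (4443) listener is exposed.
set -u
GATEWAY_ADDR="${GATEWAY_ADDR:-127.0.0.1}"
GATEWAY_PORT="${GATEWAY_PORT:-4443}"

# san_covers HOST SANS: SANS is a whitespace-separated list of DNS SAN entries.
# Returns 0 when HOST is covered (exact match, or "*.x" matching one leftmost label).
san_covers() {
  local host="$1" sans="$2" san
  for san in $sans; do
    [ "$san" = "$host" ] && return 0
    case "$san" in
      '*.'*)
        # wildcard only replaces a single label, as in RFC 6125
        if [ "${host#*.}" != "$host" ] && [ "${host#*.}" = "${san#\*.}" ]; then
          return 0
        fi
        ;;
    esac
  done
  return 1
}

# served_sans HOST: handshake with SNI=HOST and print the leaf cert's DNS SANs.
served_sans() {
  local host="$1"
  openssl s_client -servername "$host" -connect "$GATEWAY_ADDR:$GATEWAY_PORT" \
      </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName 2>/dev/null \
    | grep -o 'DNS:[^,[:space:]]*' | sed 's/^DNS://' | tr '\n' ' '
}

# check_hosts HOST...: one line per hostname; returns 1 if any host got a non-matching cert.
check_hosts() {
  local rc=0 host sans
  for host in "$@"; do
    sans="$(served_sans "$host")"
    if san_covers "$host" "$sans"; then
      printf 'OK       %s -> SAN: %s\n' "$host" "$sans"
    else
      printf 'MISMATCH %s -> SAN: %s\n' "$host" "${sans:-<none, likely default cert>}"
      rc=1
    fi
  done
  return $rc
}

# usage: ./check-sni.sh echo.example.com whoami.example.com minimal.example.com
if [ "$#" -gt 0 ]; then check_hosts "$@"; fi
```

Run it against the hostnames from all HTTPRoutes; with the setup described in the post only the first hostname should print OK until the certificateRefs selection is fixed.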