I'm trying to get multiple traefik in different namespaces on Kubernetes, but it seems that allowCrossNamespace=false to isolate them does not work. Is there any recipe that can help us on setting up multiple traefik on the same cluster and completely isolated from each other ?
The issue we're having is the different treafik talking to services in other namespaces.
Thanks for using Traefik and joining the Traefik community!
Yes, this is possible to deploy more Traefik instances on the same Kubernetes cluster.
The following configuration can be set to achieve this:
namespaces - by default Traefik watches all namespaces, on the provider configuration you can list the namespaces which Traefik should watch for configuration changes
labelselector - by default Traefik processes all resources, but if you specify the label on the provider level, then you can use the label on the resources that should be processed by Traefik
ingressClass - you can use the annotation that can be used to select resources that should be processed by Traefik. Again the value of ingressclass kubernetes./ingress.class key can be configured on the provider level.
@jakubhajek I run into some issues running two traefik instances on two namespaces: (traefik-int, traefik-ext)
common config for both instances:
cluster role
two different configs for each instance:
service account in namespace
persistenvolume(claim)
clusterrolebinding
deployment
services
The first issue I run into (on the ext. traefik instance - int works fine):
Some x509 certificate is invalid once traefik pings some external addresses (lets encrypt or collect.traefik)
x509: certificate is valid for xxx.xxx.traefik.default, not collect.traefik.io"
Do I miss something? where does the ...traefik.default comes from?
Second issue: when I want to publish the dashboard of the external traefik instance via the ingress class of the internal traefik instance - it seems not to find the dashboard somehow. Is there a way to proxy the dashboard api service somehow into another ingress class?