Hi,
I’ve been trying to set up traefik through helm charts + gateway api + tls options (mTLS).
So far I’ve succeeded in doing so if I name the TLSOptions “default”, adding specific tls options name-wise seems to fail.
My traefik helm-chart values:
```yaml
ports:
  web:
    port: 80
  websecure:
    port: 443
# We will route with Gateway API instead.
ingressClass:
  enabled: false
providers:
  kubernetesIngress:
    enabled: false
  kubernetesGateway:
    enabled: true
    experimentalChannel: true
  kubernetesCRD:
    enabled: true
    allowCrossNamespace: true
## Gateway Listeners
gateway:
  listeners:
    web: # HTTP listener that matches entryPoint `web`
      port: 80
      protocol: HTTP
      namespacePolicy:
        from: All
    websecure: # HTTPS listener that matches entryPoint `websecure`
      port: 443
      protocol: HTTPS # TLS terminates inside Traefik
      namespacePolicy:
        from: All
      mode: Terminate
      certificateRefs:
        - kind: Secret
          name: default-tls
          group: ""
```
I provide a specific gateway outside of the traefik namespace (onboarding) + TLSOption:
```yaml
apiVersion: traefik.io/v1alpha1
kind: TLSOption
metadata:
  name: onboarding-mtls-policy
  namespace: onboarding
spec:
  clientAuth:
    secretNames:
      - ca
    clientAuthType: RequireAndVerifyClientCert
---
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: onboarding-gateway
  namespace: onboarding
  annotations:
    traefik.io/gateway-entrypoints: web,websecure
spec:
  gatewayClassName: traefik
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      hostname: "example.tld"
      allowedRoutes:
        namespaces:
          from: Same
    - name: https
      protocol: HTTPS
      port: 443
      hostname: "example.tld"
      tls:
        mode: Terminate
        certificateRefs:
          - name: server-tls
        options:
          group: traefik.io
          kind: TLSOption
          name: onboarding-mtls-policy
      allowedRoutes:
        namespaces:
          from: Same
```
This seems to fail, unless I rename the TLSOption to “default”, that way it’s picked up. My problem is that I need a specific set of HTTPRoutes to be mTLS, whilst the other can simply use TLS. I believe using 2 hostnames / sub-domains will work out this way, as long as I can specifically target TLSOptions.
My question in tl;dr form: how do I target specific TLSOptions from a gateway?
I’ve tried
```yaml
traefik.io/gateway-listeners-options: |
  https:
    tlsOptions: onboarding-api-mtls-policy@kubernetescrd
```
This sadly didn’t work either.
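Before chasing the provider behaviour, it helps to cross-check the manifests themselves: does the listener's `tls.options` reference resolve to a TLSOption in the Gateway's namespace, and does that TLSOption actually demand a verified client certificate? The script below is an added example, not code from the post above or from Traefik. It takes the parsed form of the objects (what `kubectl get -o json` gives you), constructed inline here so it needs no YAML library, and keeps the `group`/`kind`/`name` reference shape exactly as the post uses it. The fallback to a TLSOption named `default` is the behaviour the post reports and is assumed, not verified against Traefik's source; `RequireAndVerifyClientCert` is treated as the only `clientAuthType` that both requires and verifies a client certificate, which matches the Go `tls.ClientAuthType` semantics Traefik exposes.

```python
"""Cross-check Gateway listener TLS option references against TLSOption objects.
Added example; not code from the original post or from Traefik. Input is the
parsed form of the manifests, constructed here to avoid a YAML dependency."""

# Only this clientAuthType both requires a client certificate and verifies it
# against the CA secrets; RequireAnyClientCert, for instance, does not verify.
ENFORCED_MTLS = "RequireAndVerifyClientCert"


def index_tls_options(objs):
    """Map (namespace, name) -> spec for every TLSOption in a list of objects."""
    return {
        (o["metadata"]["namespace"], o["metadata"]["name"]): o.get("spec", {})
        for o in objs
        if o.get("kind") == "TLSOption"
    }


def audit_gateway(gateway, tls_options):
    """Return one dict per HTTPS listener: which TLSOption would apply (or None)
    and a list of findings. The fallback to a TLSOption named "default" is the
    behaviour reported in the post above (assumption, not verified)."""
    ns = gateway["metadata"]["namespace"]
    results = []
    for lst in gateway["spec"].get("listeners", []):
        if lst.get("protocol") != "HTTPS":
            continue
        name, findings, applied = lst["name"], [], None
        ref = (lst.get("tls") or {}).get("options") or {}
        if ref:
            # Reference shape (group/kind/name) taken from the post as-is.
            if ref.get("group") != "traefik.io" or ref.get("kind") != "TLSOption":
                findings.append(f"{name}: options group/kind is not traefik.io/TLSOption")
            # Resolve only within the Gateway's own namespace.
            key = (ns, ref.get("name"))
            if key in tls_options:
                applied = key
            else:
                findings.append(f"{name}: TLSOption {ns}/{ref.get('name')} not found")
        if applied is None and (ns, "default") in tls_options:
            applied = (ns, "default")
            findings.append(f"{name}: falling back to TLSOption {ns}/default")
        if applied is None:
            findings.append(f"{name}: no TLSOption applies, plain TLS without client auth")
        else:
            client_auth = tls_options[applied].get("clientAuth", {})
            auth_type = client_auth.get("clientAuthType", "NoClientCert")
            if auth_type != ENFORCED_MTLS:
                findings.append(f"{name}: {applied[1]} clientAuthType={auth_type} "
                                "does not enforce verified client certs")
            if not client_auth.get("secretNames"):
                findings.append(f"{name}: {applied[1]} lists no CA secretNames, "
                                "client certs cannot be verified")
        results.append({"listener": name, "applied": applied, "findings": findings})
    return results


# Constructed sample objects mirroring the manifests in the post.
SAMPLE_OBJECTS = [
    {"apiVersion": "traefik.io/v1alpha1", "kind": "TLSOption",
     "metadata": {"name": "onboarding-mtls-policy", "namespace": "onboarding"},
     "spec": {"clientAuth": {"secretNames": ["ca"],
                             "clientAuthType": "RequireAndVerifyClientCert"}}},
]
SAMPLE_GATEWAY = {
    "apiVersion": "gateway.networking.k8s.io/v1", "kind": "Gateway",
    "metadata": {"name": "onboarding-gateway", "namespace": "onboarding"},
    "spec": {"gatewayClassName": "traefik", "listeners": [
        {"name": "http", "protocol": "HTTP", "port": 80, "hostname": "example.tld"},
        {"name": "https", "protocol": "HTTPS", "port": 443, "hostname": "example.tld",
         "tls": {"mode": "Terminate", "certificateRefs": [{"name": "server-tls"}],
                 "options": {"group": "traefik.io", "kind": "TLSOption",
                             "name": "onboarding-mtls-policy"}}},
    ]},
}

if __name__ == "__main__":
    for r in audit_gateway(SAMPLE_GATEWAY, index_tls_options(SAMPLE_OBJECTS)):
        print(r["listener"], "->", r["applied"], *r["findings"], sep="\n  ")
```

Run it against the live objects by dumping them with `kubectl get gateway,tlsoption -A -o json` and feeding the `items` list to `index_tls_options` and the Gateway dict to `audit_gateway`. A reference whose name does not match any TLSOption in the Gateway's namespace, or a TLSOption with a client-auth type weaker than `RequireAndVerifyClientCert`, shows up as a finding; an empty findings list only means the manifests are internally consistent, not that the provider honours the reference, so the mTLS behaviour still has to be confirmed against the running endpoint.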