Wildcard cert from Let's Encrypt

Traefik Traefik v2 (latest)
1

I am struggling to find any configuration in the doc for getting wild card certificate for a domain. So far I am able to get the single certificate after following this

IngressRoute

IngressRoute 
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - traefik.containo.us
    resources:
      - ingressroutes
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - traefik.containo.us
    resources:
      - ingressroutetcps
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - traefik.containo.us
    resources:
      - tlsoptions
    verbs:
      - get
      - list
      - watch

---

kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingress-controller

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingress-controller
subjects:
  - kind: ServiceAccount
    name: traefik-ingress-controller
    namespace: kube-system
traefik.toml: 
 traefik.toml: |
    ## static configuration
    [global]
      checkNewVersion = true

    [entryPoints]
      [entryPoints.web]
        address = ":80"
      [entryPoints.websecure]
        address = ":443"

    [providers]
      [providers.kubernetesCRD]
       [providers.file]
         directory = "/etc/traefik/providers/"
         watch = true

    [log]
      level = "INFO"
      
    [accessLog]

    [api]
      insecure = true
      dashboard = true
      debug = true

    [metrics]
      [metrics.prometheus]
        buckets = [0.1,0.3,1.2,5.0]
        addEntryPointsLabels = true
        addServicesLabels = true
        entryPoint = "web"

    [ping]
      entryPoint = "web"

    [certificatesResolvers]
      [certificatesResolvers.default]
        [certificatesResolvers.default.acme]
          email = "admin@domain.com"
          caServer = "https://acme-v02.api.letsencrypt.org/directory"
          storage = "acme.json"
          [certificatesResolvers.default.acme.dnsChallenge]
            provider = "route53"
            delayBeforeCheck = 0
            resolvers = ["1.1.1.1:53", "8.8.8.8:53"]

  dynamic.toml: |
    ## dynamic configuration (empty)
route.yaml 
---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-admin
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`traefik.domain.ca`)
    kind: Rule
    services:
    - name: traefik
      port: 8080

---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-notls
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`traefik.domain.ca`) && PathPrefix(`/notls`)
    kind: Rule
    services:
    - name: whoami
      port: 80

---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-tls
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`traefik.domain.ca`) && PathPrefix(`/tls`)
    kind: Rule
    services:
    - name: whoami
      port: 80
  tls:
    certResolver: default

I have non-prod env (dev, qa, stage) in one Kubernetes cluster & prod in another cluster.

What configuration I need to get one wildcard certificate for entire domain (*.domain.ca) ?

Also is it possible to get individual subdomain wildcard certificate (*.dev.domain.ca, *.qa.domain.ca, *.stage.domain.ca) ?

2

Hello,

I recommend to read: https://docs.traefik.io/v2.0/user-guides/crd-acme/

3

Following this doc I got first setup working, but don't find any reference to wildcard certificate. What I am missing here ?

4

yes something is missing in the doc.

---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-tls
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`traefik.domain.ca`) && PathPrefix(`/tls`)
    kind: Rule
    services:
    - name: whoami
      port: 80
  tls:
    certResolver: default
    domains:
    - main: domain.com
      sans:
      - *.domain.com
1 Like