Traefik V2 获取通配符证书

Traefik V2 get wildcard certificate

按照这个 tutorial

之后,我有了基本设置 运行

但正在努力从 Let's Encrypt 获取域的通配符证书。

traefik 配置:

traefik.toml: |
  ## static configuration
  [global]
    checkNewVersion = true

  [entryPoints]
    [entryPoints.web]
      address = ":80"
    [entryPoints.websecure]
      address = ":443"

  [providers]
    [providers.kubernetesCRD]
    [providers.file]
      directory = "/etc/traefik/providers/"
      watch = true

  [log]
    level = "INFO"

  [accessLog]

  [api]
    insecure = true
    dashboard = true
    debug = true

  [metrics]
    [metrics.prometheus]
      buckets = [0.1,0.3,1.2,5.0]
      addEntryPointsLabels = true
      addServicesLabels = true
      entryPoint = "web"

  [ping]
    entryPoint = "web"

  [certificatesResolvers]
    [certificatesResolvers.default]
      [certificatesResolvers.default.acme]
        email = "admin@domain.com"
        caServer = "https://acme-v02.api.letsencrypt.org/directory"
        storage = "acme.json"
        [certificatesResolvers.default.acme.dnsChallenge]
          provider = "route53"
          delayBeforeCheck = 0
          resolvers = ["1.1.1.1:53", "8.8.8.8:53"]

dynamic.toml: |
  ## dynamic configuration
  (Empty)

和路由配置:

---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-admin
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`traefik.domain.ca`)
    kind: Rule
    services:
    - name: traefik
      port: 8080

---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-notls
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`traefik.domain.ca`) && PathPrefix(`/notls`)
    kind: Rule
    services:
    - name: whoami
      port: 80

---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami-tls
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`traefik.domain.ca`) && PathPrefix(`/tls`)
    kind: Rule
    services:
    - name: whoami
      port: 80
  tls:
    certResolver: default

我能够获得 traefik.domain.ca 的证书,但需要获得整个域 (*.domain.ca) 的通配符证书。我无法为此找到任何直接参考配置。

我在这里缺少什么?

更新 tls 区块有效。

tls:
  certResolver: default
  domains:
    - main: dev.domain.ca
      sans:
        - "dev.domain.ca"
        - "*.dev.domain.ca"