RKE2 Traefik: Configuring Default Certificates for Multiple Wildcard Domains

Scenario

In practice a cluster may serve several wildcard domains at the same time, for example:

  • *.warnerchen.com
  • *.avatar-poc.k8s.warnerchen.com

Each wildcard domain needs its own TLS certificate. With the Traefik bundled in RKE2 and the Kubernetes Gateway API enabled, you can configure several listeners so that the certificate is selected by matching the hostname.


Create the TLS Secrets

In an RKE2 cluster with rke2-traefik enabled, create a certificate Secret for each of the two wildcard domains:

kubectl -n kube-system create secret tls warnerchen-com-tls \
  --cert=tls.crt \
  --key=tls.key

kubectl -n kube-system create secret tls ext-warnerchen-com-tls \
  --cert=tls.crt \
  --key=tls.key

Configure RKE2 Traefik (HelmChartConfig)

Use a HelmChartConfig to give RKE2 Traefik multiple HTTPS listeners, each bound to a different certificate.

cat <<EOF | kubectl apply -f -
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-traefik
  namespace: kube-system
spec:
  valuesContent: |-
    providers:
      kubernetesGateway:
        enabled: true
    gateway:
      listeners:
        web:
          port: 8000
          protocol: HTTP
          namespacePolicy:
            from: All
        websecure:
          port: 8443
          protocol: HTTPS
          hostname: "*.warnerchen.com"
          namespacePolicy:
            from: All
          mode: Terminate
          certificateRefs:
            - kind: Secret
              name: warnerchen-com-tls
              group: ""
        websecure-ext:
          port: 8443
          protocol: HTTPS
          hostname: "*.avatar-poc.k8s.warnerchen.com"
          namespacePolicy:
            from: All
          mode: Terminate
          certificateRefs:
            - kind: Secret
              name: ext-warnerchen-com-tls
              group: ""
EOF

Alternatively, write the same manifest directly to /var/lib/rancher/rke2/server/manifests/rke2-traefik-config.yaml on a control-plane node.


Verify the Gateway Configuration

Confirm that the Traefik Gateway has loaded the configuration:

kubectl -n kube-system get gateway traefik-gateway -oyaml


Create Test Workloads

kubectl create deployment nginx \
  --image harbor.warnerchen.com/library/nginx:mainline

kubectl create deployment nginx-ext \
  --image harbor.warnerchen.com/library/nginx:mainline

kubectl expose deployment nginx --port 80
kubectl expose deployment nginx-ext --port 80

Create the HTTPRoutes

Create an HTTPRoute for each domain and bind it to the corresponding listener via sectionName:

cat <<EOF | kubectl apply -f -
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: nginx
  namespace: default
spec:
  parentRefs:
    - name: traefik-gateway
      namespace: kube-system
      sectionName: websecure
  hostnames:
    - nginx.warnerchen.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: nginx
          port: 80

---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: nginx-ext
  namespace: default
spec:
  parentRefs:
    - name: traefik-gateway
      namespace: kube-system
      sectionName: websecure-ext
  hostnames:
    - nginx.avatar-poc.k8s.warnerchen.com
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /
      backendRefs:
        - name: nginx-ext
          port: 80
EOF

Verify the Result

Access both domains and verify that each one is served its corresponding certificate:
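The check above can be scripted. The following is an added example, not part of the original post: it connects with SNI set to each hostname, reads the DNS SANs of the certificate the gateway served, and checks that one of them actually covers the hostname. Because a wildcard SAN matches exactly one label, *.warnerchen.com does not cover nginx.avatar-poc.k8s.warnerchen.com, which is why the second listener and certificate are needed. The gateway address 192.0.2.10:443 is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): verify that the certificate served
# for each hostname really covers it. A wildcard SAN matches a single label only.

# Return 0 if HOST is covered by one DNS SAN entry (exact or single-label wildcard).
san_covers() {
  san="$1"; host="$2"
  case "$san" in
    '*.'*)
      suffix="${san#\*.}"
      prefix="${host%.$suffix}"   # part of HOST before ".<suffix>"
      # HOST must end in ".<suffix>" and the remainder must be exactly one label
      [ "$prefix" != "$host" ] && [ -n "$prefix" ] && [ "${prefix#*.}" = "$prefix" ]
      ;;
    *) [ "$san" = "$host" ] ;;
  esac
}

# SANS uses openssl's print format: "DNS:*.warnerchen.com, DNS:warnerchen.com".
# Return 0 if any DNS SAN in the list covers HOST.
host_covered_by_sans() {
  host="$1"; sans="$2"; old_ifs="$IFS"; IFS=','
  for entry in $sans; do
    entry="${entry# }"
    case "$entry" in
      DNS:*) if san_covers "${entry#DNS:}" "$host"; then IFS="$old_ifs"; return 0; fi ;;
    esac
  done
  IFS="$old_ifs"; return 1
}

# Connect to ADDR with SNI set to HOST and print the DNS SANs of the leaf cert
# that the gateway served (openssl 1.1.1+ for the -ext option).
served_sans() {
  openssl s_client -connect "$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -ext subjectAltName | sed -n 's/^ *DNS:/DNS:/p'
}

# verify_host HOST ADDR -> 0 if the gateway picked a certificate covering HOST.
verify_host() {
  sans="$(served_sans "$1" "$2")"
  if host_covered_by_sans "$1" "$sans"; then
    echo "OK   $1 <- $sans"
  else
    echo "FAIL $1 served SANs: ${sans:-<none>}"; return 1
  fi
}
# Against the running gateway (assumed address 192.0.2.10, the Traefik service):
#   verify_host nginx.warnerchen.com 192.0.2.10:443
#   verify_host nginx.avatar-poc.k8s.warnerchen.com 192.0.2.10:443
```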

Author

Warner Chen

Posted on

2026-04-20

Updated on

2026-04-20
