In the same Company, how can I expose different DNSs with different CAs for different Projects?

[ivanpasq]

What product are you having troubles with?

Console

What Console version are you using?

v14.1.1

Description

I have a Company in the Console with different Projects inside of it.

I need to setup a way to expose my APIs under different DNSs based on the Project I deploy -> this is easy thanks to the Traefik integration capabilities of the Console, I only need to edit the default.ingressroute.yml file in the Configurations Repo of the Projects and I'm good.

But how can I handle different CAs for this different DNS setup I'm using? Is it automatic? How it is handled by the out-of-the-box capabilities of the Console?

Thank you!

Actual Outcome

No response

Expected Outcome

No response

[ivanpasq]

So the configuration described is feasible and straightforward to implement.

Default behavior

Traefik listens on a single load balancer IP, shared across all projects.
DNS records for the various domains (e.g., app1.com, app2.com) all point to this IP.
Routing to the correct service is handled by IngressRoutes, based on the hostname.

What to change to achieve the settings required

What is needed to manage domain-specific certificates:

• Create a TLS Secret in each project's namespace containing the certificate and private key:

kubectl create secret tls cert-app1 --cert=app1.crt --key=app1.key -n project-a-namespace
kubectl create secret tls cert-app2 --cert=app2.crt --key=app2.key -n project-b-namespace

Add the certificate reference in each application's IngressRoute:

tls:
     secretName: cert-app1

This overrides the default behavior (which would use the wildcard certificate configured in the TLSStore) and associates the specific certificate with that route.

This setup is feasible for On-prem installations of Mia-Platform Console. For the PaaS distribution, it should be better to align with Mia's referent team in order to achieve the perfect setup for the specific use case.