Helm Chart for Multi Domain Tls Cert
I’m running a service on Kubernetes that hosts multiple websites via different domains.
I had followed the default Helm Chart pattern and ended up with one TLS cert for all the sites.
This worked OK - except that I kept getting downtime when I needed to add a new domain.
So I refactored to have a different certificate for each site.
Default - one site one cert
The default values.yaml for my charts looked like this:
ingress:
  enabled: true
  className: ""
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-production
  hosts:
    - host: mysite
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - secretName: mysite-tls
      hosts:
        - mysite
Multi sites - one cert
When I added a new site like this, it worked too (both sites go in the one hosts list, and the one tls entry lists both of them):
ingress:
  enabled: true
  className: ""
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-production
  hosts:
    - host: mysite.example.com
      paths:
        - path: /
          pathType: ImplementationSpecific
    - host: mysite2.example2.com
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - secretName: mysite-tls
      hosts:
        - mysite.example.com
        - mysite2.example2.com
This resulted in both sites working via a shared multi-site certificate.
Which was OK; the main downside was that in order to add a new site I had to have a new certificate issued (one covering every host), and that led to a short downtime.
Multi sites - multi certs
Instead I realised I could have multiple entries in the tls list, each with its own hosts and secretName, and get a cert per host.
This way adding (or changing) one host doesn't affect the others.
replicaCount: 2
ingress:
  enabled: true
  className: ""
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt-production
  hosts:
    - host: mysite.example.com
      paths:
        - path: /
          pathType: ImplementationSpecific
    - host: mysite2.example2.com
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls:
    - hosts:
        - mysite.example.com
      secretName: mysite-secret
    - hosts:
        - mysite2.example2.com
      secretName: mysite2-secret
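The easy mistake with this layout is to route a host in ingress.hosts but forget its tls entry, reuse a secretName between two entries (they then point at the same Secret), or quietly slip back to one shared certificate. The following linter is an added example, not code from the post or from the Helm chart; it assumes the values layout that helm create produces (ingress.hosts[].host and ingress.tls[].hosts / secretName) and embeds two constructed values dicts that mirror the shared-cert and per-host files above. It reports a warning for any tls entry that covers several hosts, because with such an entry adding or renewing one host reissues the certificate for all of them (and the certificate's SAN list names every site at once), and errors for uncovered hosts, unrouted TLS hosts, double coverage and reused secret names.

```python
"""Lint Helm ingress values for TLS coverage.

Added example; not the post's own code. Assumes the values layout used by
`helm create` (ingress.hosts[].host and ingress.tls[].hosts/secretName).
"""
from typing import Any

Finding = tuple[str, str]  # (severity, message)

# Constructed sample matching the final, per-host values.yaml in the post.
PER_HOST_VALUES: dict[str, Any] = {
    "ingress": {
        "enabled": True,
        "hosts": [
            {"host": "mysite.example.com", "paths": [{"path": "/", "pathType": "ImplementationSpecific"}]},
            {"host": "mysite2.example2.com", "paths": [{"path": "/", "pathType": "ImplementationSpecific"}]},
        ],
        "tls": [
            {"hosts": ["mysite.example.com"], "secretName": "mysite-secret"},
            {"hosts": ["mysite2.example2.com"], "secretName": "mysite2-secret"},
        ],
    }
}

# Constructed sample matching the earlier shared-certificate values.yaml.
SHARED_VALUES: dict[str, Any] = {
    "ingress": {
        "enabled": True,
        "hosts": [
            {"host": "mysite.example.com", "paths": [{"path": "/", "pathType": "ImplementationSpecific"}]},
            {"host": "mysite2.example2.com", "paths": [{"path": "/", "pathType": "ImplementationSpecific"}]},
        ],
        "tls": [
            {"secretName": "mysite-tls", "hosts": ["mysite.example.com", "mysite2.example2.com"]},
        ],
    }
}


def check_ingress_tls(values: dict[str, Any]) -> list[Finding]:
    """Cross-check ingress.hosts against ingress.tls and return findings.

    errors:   a routed host with no tls entry, a tls host that is not routed,
              a host covered by two entries, or a secretName used by two
              entries (both would point at the same Secret).
    warnings: a tls entry covering several hosts (one shared certificate).
    """
    ingress = values.get("ingress") or {}
    findings: list[Finding] = []
    if not ingress.get("enabled", False):
        return findings  # nothing is exposed, nothing to check

    routed = [h["host"] for h in ingress.get("hosts", [])]
    covered_by: dict[str, list[str]] = {}  # host -> secretNames covering it
    seen_secrets: set[str] = set()

    for entry in ingress.get("tls", []):
        secret = entry.get("secretName")
        hosts = list(entry.get("hosts", []))
        if not secret:
            findings.append(("error", f"tls entry for {hosts} has no secretName"))
            continue
        if secret in seen_secrets:
            findings.append(("error", f"secretName {secret!r} is used by more than one tls entry"))
        seen_secrets.add(secret)
        if len(hosts) > 1:
            findings.append(("warning", f"secret {secret!r} is a shared certificate for {hosts}"))
        for host in hosts:
            covered_by.setdefault(host, []).append(secret)
            if host not in routed:
                findings.append(("error", f"tls host {host!r} is not in ingress.hosts"))

    for host in routed:
        secrets = covered_by.get(host, [])
        if not secrets:
            findings.append(("error", f"host {host!r} has no tls entry"))
        elif len(secrets) > 1:
            findings.append(("error", f"host {host!r} is covered by several secrets {secrets}"))
    return findings


def load_values(path: str) -> dict[str, Any]:
    """Read a real values.yaml; needs PyYAML (assumption: installed when used)."""
    import yaml

    with open(path, encoding="utf-8") as fh:
        return yaml.safe_load(fh) or {}


if __name__ == "__main__":
    for name, values in (("per-host", PER_HOST_VALUES), ("shared", SHARED_VALUES)):
        print(name, check_ingress_tls(values) or "ok")
```

Run it against a real chart with `check_ingress_tls(load_values("values.yaml"))`; treating any error as a failed CI step catches the "forgot the tls entry" case before the release goes out, while the warning flags a return to one shared certificate.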