[stable/traefik] adding support for traefik wildcard certificates

stable/traefik/Chart.yaml

@@ -1,6 +1,6 @@
 apiVersion: v1
 name: traefik
-version: 1.34.0
+version: 1.35.0
 appVersion: 1.6.2
 description: A Traefik based Kubernetes ingress controller with Let's Encrypt support
 keywords:

stable/traefik/README.md

@@ -121,6 +121,10 @@ The following table lists the configurable parameters of the Traefik chart and t
 | `acme.email`                    | Email address to be used in certificates obtained from Let's Encrypt | `admin@example.com`                       |
 | `acme.staging`                  | Whether to get certs from Let's Encrypt's staging environment        | `true`                                    |
 | `acme.logging`                  | Display debug log messages from the ACME client library              | `false`                                   |
+| `acme.domains.enabled`          | Enable certificate creation by default for specific domain           | `false`                                   |
+| `acme.domains.domainList`       | List of domains & (optional) subject names                           | `[]`                                      |
+| `acme.domains.domainList.main`  | Main domain name of the generated certificate                        | *.example.com                             |
+| `acme.domains.domainList.sans`  | optional list of alternative subject names to give to the certificate | `[]`                                     |
 | `acme.persistence.enabled`      | Create a volume to store ACME certs (if ACME is enabled)             | `true`                                    |
 | `acme.persistence.annotations`  | PVC annotations                                                      | `{}`                                      |
 | `acme.persistence.storageClass` | Type of `StorageClass` to request-- will be cluster-specific         | `nil` (uses alpha storage class annotation) |
@@ -222,6 +226,28 @@ acme:
       # variables that the specific dns provider requires
 ```
 
+### Let's Encrypt wildcard certificate
+
+To obtain an ACME (Let's Encrypt) wildcard certificate you must use a DNS challenge as explained above.
+Then you need to specify the wildcard domain name in the `acme.domains` section like this :
+
+```yaml
+acme:
+  enabled: true
+  challengeType: "dns-01"
+  dnsProvider:
+    name:  # name of the dns provider to use
+    $name: # the configuration of the dns provider. See the following section for an example
+      # variables that the specific dns provider requires
+  domains:
+    enabled: true
+    domainsList:
+      - main: "*.example.com" # name of the wildcard domain name for the certificate
+      - sans:
+        - "example.com" # OPTIONAL: Alternative name(s) for the certificate, if you want the same certificate for the root of the domain name for example
+      - main: "*.example2.com" # name of the wildcard domain name for the certificate
+```
+
 #### Example: AWS Route 53
 
 Route 53 requires the [following configuration variables to be set](values.yaml#L98-L101):

stable/traefik/templates/_helpers.tpl

@@ -49,3 +49,23 @@ Create the block for whiteListSourceRange.
 	   {{- end -}}
          ]
 {{- end -}}
+
+{{/*
+Create the block for acme.domains.
+*/}}
+{{- define "traefik.acme.domains" -}}
+{{- range $idx, $value := .Values.acme.domains.domainsList }}
+    {{- if $value.main }}
+    [[acme.domains]]
+       main = {{- range $mainIdx, $mainValue := $value }} {{ $mainValue | quote }}{{- end -}}
+    {{- end -}}
+{{- if $value.sans }}
+       sans = [
+  {{- range $sansIdx, $domains := $value.sans }}
+			 {{- if $sansIdx }}, {{ end }}
+	     {{- $domains | quote }}
+  {{- end -}}
+	     ]
+	{{- end -}}
+{{- end -}}
+{{- end -}}

stable/traefik/templates/configmap.yaml

@@ -111,6 +111,9 @@ data:
       [acme.httpChallenge]
       entryPoint = "http"
     {{- end }}
+    {{- if .Values.acme.domains.enabled }}
+    {{- if .Values.acme.domains.domainsList }}{{ template "traefik.acme.domains" . }}{{- end }}
+    {{- end }}
     {{- end }}
     {{- if or .Values.dashboard.enabled .Values.metrics.prometheus.enabled .Values.metrics.statsd.enabled .Values.metrics.datadog.enabled }}
     [web]

stable/traefik/values.yaml

@@ -59,6 +59,20 @@ acme:
   email: admin@example.com
   staging: true
   logging: false
+  # Configure a Let's Encrypt certificate to be managed by default.
+  # This is the only way to request wildcard certificates (works only with dns challenge).
+  domains:
+    enabled: false
+    # List of sets of main and (optional) SANs to generate for
+    # for wildcard certificates see https://docs.traefik.io/configuration/acme/#wildcard-domains
+    domainsList:
+      - main: "*.example.com"
+      - sans:
+        - "example.com"
+      - main: "*.example2.com"
+      - sans:
+        - "test1.example2.com"
+        - "test2.example2.com"
   ## ACME challenge type: "tls-sni-01", "http-01" or "dns-01"
   ## Note the chart's default of tls-sni-01 has been DEPRECATED and (except in
   ## certain circumstances) DISABLED by Let's Encrypt. It remains as a default