Deploying multiple Traefik Ingresses with LetsEncrypt HTTPS certificates on Kubernetes

Carlos Eduardo
May 2, 2018

As detailed in my first article, I’ve set up an architecture for Kubernetes that is as similar to “production” as possible, even though it runs on small ARM boards.

Here I will detail the network, where I use Weaveworks Net as the overlay, and focus on the LoadBalancer and Ingress controllers.

Network Topology

IP Plan

DNS: (running dnsmasq on DD-WRT Router)
Router DHCP range: -
Reserved: -* - Router
* - Managed Switch
* - RPi3 (media server)
Kubernetes Nodes:
- Master1:
- Node1:
- Node2:
- -
Traefik Internal Ingress IP:
Traefik External Ingress IP:

As shown in the architecture above, I’ve deployed two Traefik instances to the cluster: one serves local requests for the internal wildcard domain managed in my router, and the other serves external requests coming from the internet through a wildcard domain configured in my external DNS.

These instances have separate service IP addresses, and each instance has its own ingress rules.
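With two controllers, the thing worth checking is that no rule for an internal hostname ends up bound to the internet-facing instance. The script below is an added example, not code from this article: it assumes each instance selects its rules through the `kubernetes.io/ingress.class` annotation, and the class names, domain suffixes and sample manifests are placeholders constructed for illustration.

```python
# Added example (not from the article): audit Ingress objects for a split Traefik setup.
# Assumed: class names, domain suffixes, and selection by the ingress.class annotation.
CLASS_ANNOTATION = "kubernetes.io/ingress.class"
EXTERNAL_CLASS = "traefik-external"    # hypothetical class name
INTERNAL_CLASS = "traefik-internal"    # hypothetical class name
INTERNAL_SUFFIX = ".internal.example"  # placeholder internal wildcard domain
EXTERNAL_SUFFIX = ".cloud.example"     # placeholder external wildcard domain


def audit_ingress(ingress):
    """Return (name, problem) findings for one Ingress manifest parsed into a dict."""
    meta = ingress.get("metadata", {})
    name = "{}/{}".format(meta.get("namespace", "default"), meta.get("name", "?"))
    cls = (meta.get("annotations") or {}).get(CLASS_ANNOTATION)
    if cls not in (INTERNAL_CLASS, EXTERNAL_CLASS):
        # Without a known class the rule is not clearly bound to one instance.
        return [(name, "missing or unknown ingress class: {!r}".format(cls))]
    findings = []
    for rule in ingress.get("spec", {}).get("rules", []):
        host = (rule.get("host") or "").lower().rstrip(".")
        if not host:
            findings.append((name, "rule without host matches every hostname"))
        elif cls == EXTERNAL_CLASS and host.endswith(INTERNAL_SUFFIX):
            findings.append((name, "internal host {} on external ingress".format(host)))
        elif cls == EXTERNAL_CLASS and not host.endswith(EXTERNAL_SUFFIX):
            findings.append((name, "host {} outside external domain".format(host)))
    return findings


def audit_all(ingresses):
    return [finding for ing in ingresses for finding in audit_ingress(ing)]


SAMPLE = [  # constructed manifests, not taken from the article
    {"metadata": {"name": "dashboard", "namespace": "kube-system",
                  "annotations": {CLASS_ANNOTATION: INTERNAL_CLASS}},
     "spec": {"rules": [{"host": "dashboard.internal.example"}]}},
    {"metadata": {"name": "blog", "annotations": {CLASS_ANNOTATION: EXTERNAL_CLASS}},
     "spec": {"rules": [{"host": "blog.cloud.example"}]}},
    {"metadata": {"name": "grafana", "annotations": {CLASS_ANNOTATION: EXTERNAL_CLASS}},
     "spec": {"rules": [{"host": "grafana.internal.example"}]}},
    {"metadata": {"name": "legacy"}, "spec": {"rules": [{"host": "old.cloud.example"}]}},
]

if __name__ == "__main__":
    for name, problem in audit_all(SAMPLE):
        print(name, "->", problem)
```

To run it against a real cluster, feed it the `items` list from the Ingress objects exported as JSON instead of `SAMPLE`.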

To allow external access, I’ve configured my external DNS server, managed by my domain registrar, to resolve all calls to the external domain * using a wildcard entry. This “A” entry can be dynamically updated by the DynDNS config in the router and the CNAME points the wildcard to the A record.

Another option, if you use GoDaddy as registrar/DNS, is to generate an API key and use this project to dynamically update the subdomain used here. I’ve created a Deployment and ConfigMap to run an updater pod.
