I have a K8s cluster working well, with a domain that has a custom SSL Cert, and all other subdomain use a Let's encrypt wildcard.

Now, I want to add another domain that will use custom SSL Cert, but it doesn't seem to work.

First, I create a configMap with .crt and .key files

kubectl create configmap traefik-sge-certificate --from-file=certificate/sge-prod.crt --from-file=certificate/sge-prod.key --dry-run -o yaml | kubectl apply -f -

Then I add my certs in traefik.toml

traefik.toml:
----
# traefik.toml
defaultEntryPoints = ["http","https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/ene-certificate/api.crt"
      keyFile = "/etc/ene-certificate/api.key"
      [[entryPoints.https.tls.certificates]]
      certFile = "/etc/sge-certificate/sge-prod.crt"
      keyFile = "/etc/sge-certificate/sge-prod.key"

[acme] # Automatically add Let's Encrypt Certificate.
  storage= "/etc/certificate/acme.json"
  email = "julien@company.fr"
   entryPoint = "https"
   onHostRule = true
   caServer = "https://acme-v02.api.letsencrypt.org/directory"
    [acme.dnsChallenge]
    provider = "route53"
    delayBeforeCheck = 0
[[acme.domains]]
  main = "*.company.fr"

And now deployment:

kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-deployment
  labels:
    app: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
        - name: traefik-certificate
          persistentVolumeClaim:
            claimName: traefik-certificate
        - name: config
          configMap:
            name: traefik-config
        - name: traefik-ene-certificate
          configMap:
            name: traefik-ene-certificate
        - name: traefik-sge-certificate
          configMap:
            name: traefik-sge-certificate
      containers:
      - name: traefik
        image: "traefik:1.7"
        envFrom:
          - secretRef:
              name: traefik-env
        volumeMounts:
          - mountPath: "/etc/traefik/config"
            name: config
          - mountPath: "/etc/certificate"
            name: traefik-certificate
          - mountPath: "/etc/ene-certificate/api.crt"
            name: traefik-ene-certificate
            subPath: api.crt
          - mountPath: "/etc/ene-certificate/api.key"
            name: traefik-ene-certificate
            subPath: api.key           
          - mountPath: "/etc/sge-certificate/sge-prod.crt"
            name: traefik-sge-certificate
            subPath: sge-prod.crt
          - mountPath: "/etc/sge-certificate/sge-prod.key"
            name: traefik-sge-certificate
            subPath: sge-prod.key           

        args:
        - --configfile=/etc/traefik/config/traefik.toml
        - --api
        - --kubernetes

But when I do that, there is 2 problems:

• My new app: https://sge.company.fr is using wildcard certificates, instead of custom ones ( the purpose of this operation)
• The app that was using the custom certificates api.crt (previously working well with custom SSL cert ) are not using wildcard certs, this is a regression.

I checked the traefik logs, and it doesn't seem to have any issue.

What I also don't understand, is where is linked the custom SSL Cert with domain.

Can anybody tell me why this is happening, and how should I fix it ?

PD: I understand I should use secrets instead of configMaps, but first thing first !