I have set up a backend and a frontend service running on Kubernetes. The frontend would be www.<myDomain>.com and the backend would be api.<myDomain>.com.
I need to expose and secure both services. I wish to use one ingress. I want to use free certificates from Let's Encrypt + cert-manager. I guess a certificate for <myDomain>.com should cover both www. and api.
Pretty normal use case, right? But when this normal stuff comes together, I couldn't figure out the combined YAML. I was able to get a single service, www.<myDomain>.com, working with HTTPS. Things don't work when I try to add api.<myDomain>.com.
I'm using GKE, but this doesn't seem to be a platform-related question. Now creating the ingress takes forever. The following event has been tried again and again:
Error syncing to GCP: error running load balancer syncing routine: loadbalancer <some id here> does not exist: googleapi: Error 404: The resource 'projects/<project>/global/sslCertificates/<some id here>' was not found, notFound
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: web-ingress
      annotations:
        kubernetes.io/ingress.class: gce
        kubernetes.io/ingress.allow-http: "true"
        cert-manager.io/issuer: letsencrypt-staging
    spec:
      tls:
        - secretName: web-ssl
          hosts:
            - <myDomain>.com
      rules:
        - host: "www.<myDomain>.com"
          http:
            paths:
              - pathType: Prefix
                path: "/"
                backend:
                  service:
                    name: angular-service
                    port:
                      number: 80
        - host: "api.<myDomain>.com"
          http:
            paths:
              - pathType: Prefix
                path: "/"
                backend:
                  service:
                    name: spring-boot-service
                    port:
                      number: 8080
I faced the same requirement as you. From

    tls:
      - secretName: web-ssl
        hosts:
          - <myDomain>.com

change to

    tls:
      - hosts:
          - www.<myDomain>.com
        secretName: web-ssl
      - hosts:
          - api.<myDomain>.com
        secretName: web-ssl

Help me to solve the issue!
@Jun's answer worked mostly for me, but the secretName values have to be different. Otherwise, you'll get this error:
Warning BadConfig 12m cert-manager-ingress-shim spec.tls[0].secretName: Invalid value: "api-ingress-cert": this secret name must only appear in a single TLS entry but is also used in spec.tls[1].secretName
After fixing the secretName values, cert-manager generated everything as expected.
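
The two problems raised in this thread can be checked before applying a manifest: every rule host must be named in a `spec.tls` hosts entry (a certificate for the bare domain does not cover `www.` or `api.`), and each `secretName` may appear in only one TLS entry. The lint below is an added example, not code from the posts or from cert-manager; `example.com` stands in for `<myDomain>.com`, `api-ssl` is a hypothetical second secret name, and the specs are constructed to mirror the question, the first answer, and the corrected form.

```python
# Added example: lint an Ingress .spec (as a dict) for the TLS mistakes above.
# example.com replaces <myDomain>.com; "api-ssl" is a hypothetical secret name.

def host_covered(host, tls_hosts):
    """True if host matches a TLS host exactly or via a one-label wildcard."""
    for pattern in tls_hosts:
        if pattern == host:
            return True
        # "*.example.com" covers "api.example.com", but not "example.com"
        # and not "a.b.example.com".
        if pattern.startswith("*.") and "." in host:
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False

def lint_ingress_tls(spec):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    tls = spec.get("tls", [])
    seen = {}  # secretName -> index of the first TLS entry that used it
    for i, entry in enumerate(tls):
        name = entry.get("secretName")
        if name is None:
            continue
        if name in seen:
            findings.append(
                f"spec.tls[{i}].secretName {name!r} is also used in spec.tls[{seen[name]}]")
        else:
            seen[name] = i
    all_tls_hosts = [h for e in tls for h in e.get("hosts", [])]
    for rule in spec.get("rules", []):
        host = rule.get("host")
        if host and not host_covered(host, all_tls_hosts):
            findings.append(f"rule host {host!r} is not covered by any spec.tls hosts entry")
    return findings

# Constructed sample specs (only the fields the lint reads).
RULES = [{"host": "www.example.com"}, {"host": "api.example.com"}]
QUESTION = {"tls": [{"secretName": "web-ssl", "hosts": ["example.com"]}], "rules": RULES}
FIRST_ANSWER = {"tls": [{"hosts": ["www.example.com"], "secretName": "web-ssl"},
                        {"hosts": ["api.example.com"], "secretName": "web-ssl"}], "rules": RULES}
FIXED = {"tls": [{"hosts": ["www.example.com"], "secretName": "web-ssl"},
                 {"hosts": ["api.example.com"], "secretName": "api-ssl"}], "rules": RULES}

if __name__ == "__main__":
    for label, spec in [("question", QUESTION), ("first answer", FIRST_ANSWER), ("fixed", FIXED)]:
        print(label, lint_ingress_tls(spec) or "ok")
```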