Ziti Controller And Router Behind Traefik

Yes, it's a feature of Traefik to route requests by server name. You can use Traefik's CRDs or their implementation of Gateway API. Here's an example of each.

This branch introduces a new template in the controller chart implementing Traefik's CRDs, e.g., IngressRouteTCP: helm-charts/charts/ziti-controller/templates/traefik-ingressroutetcp.yaml at upgrade-cert-manager · openziti/helm-charts · GitHub

That branch's controller chart is the v2 (breaking changes) where I'll also introduce clustered mode, so it's just one example of how you can link Traefik's CRDs to the controller pod with SNI routing on an "entrypoint" and TLS passthrough.

Here's one more example (from our prior conversation, incidentally) that is using Traefik's CRDs, this time without all the Helm templating noise, but with Ansible noise in its place: vagrant/kubernetes/k3s/playbook.yaml at 33ad7d8d95e00860db950f0df3f70d8953b0d4f5 · openziti-test-kitchen/vagrant · GitHub

Finally, if your case tolerates v1alpha2 APIs, it may not be too soon to adopt Gateway API, and Traefik makes it easy! Here's another example of using Gateway API's CRDs, e.g., TLSRoute, to accomplish the same goal, i.e., SNI routing w/ TLS passthrough: vagrant/kubernetes/k3s/playbook.yaml at deb269775b9464bdc60a691c3298d6e437732367 · openziti-test-kitchen/vagrant · GitHub

apiVersion: gateway.networking.k8s.io/v1alpha2
kind: TLSRoute
metadata:
  name: ziti-controller-client-api
  namespace: ziti
spec:
  parentRefs:
    - name: traefik-gateway
      namespace: kube-system
      kind: Gateway
      sectionName: ziti
  hostnames:
    - ctrl1.ziti.example.com
  rules:
    - backendRefs:
        - name: ziti-controller-client
          namespace: ziti
          port: 443
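For comparison, here is the same rule expressed with Traefik's own CRD (IngressRouteTCP) rather than Gateway API. This is an added illustration, not code from the post or the linked charts; it assumes the entrypoint is named `ziti` and reuses the hostname and backend Service from the TLSRoute above.

```yaml
# Assumed: an entrypoint named "ziti" exists in the Traefik static config
# (e.g. --entrypoints.ziti.address=:443), and the Service
# ziti-controller-client exposes the controller's client API on port 443.
# Use apiVersion traefik.io/v1alpha1 on Traefik v3; traefik.containo.us/v1alpha1
# is the v2 group.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: ziti-controller-client-api
  namespace: ziti
spec:
  entryPoints:
    - ziti
  routes:
    # Route purely on the SNI field of the ClientHello; Traefik never decrypts.
    - match: HostSNI(`ctrl1.ziti.example.com`)
      services:
        - name: ziti-controller-client
          port: 443
  tls:
    # passthrough: true is what makes this equivalent to the TLSRoute above:
    # the TCP stream is forwarded intact, so clients still see the controller's
    # own certificate and the controller still sees the client certificate.
    # Without it Traefik would terminate TLS on this route itself, and the
    # controller's mutual-TLS authentication of clients would break.
    passthrough: true
```

To confirm passthrough is in effect, connect through Traefik with SNI set (for example `openssl s_client -servername ctrl1.ziti.example.com`) and check that the certificate presented is the controller's, not one issued by Traefik.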