I'm trying to configure an IngressRoute that requires mTLS with Traefik 2.4.8. In the IngressRoute, I reference the following TLSOptions:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: mtls
  namespace: traefik
spec:
  minVersion: VersionTLS12
  cipherSuites:
    - TLS_RSA_WITH_AES_256_GCM_SHA384
    - TLS_RSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  clientAuth:
    # the CA certificate is extracted from key `tls.ca` of the given secrets.
    secretNames:
      - tls-ca
    clientAuthType: RequireAndVerifyClientCert
```
However, when I test the service using curl, Traefik does not reject the request if a client certificate is not presented. I've used tcpdump and can see that Traefik never requests the client certificate during the TLS handshake.
Any ideas on what could be going wrong or suggestions on how to debug? I wonder if it might be something with the secret used to store the CA cert. The only documentation I could find is the comment in the TLSOptions example that says the CA cert must be in key "tls.ca". I created a generic secret using that key and the public CA cert base64 encoded. Not sure if that's correct.
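Added example (not from the original post or from the Traefik project): a small check for the `tls-ca` Secret that backs `clientAuth.secretNames`. It assumes what the TLSOption comment above states, that Traefik reads the CA from the `tls.ca` key, and that the CA must be PEM-encoded; the Kubernetes API base64-encodes every `data` value exactly once, so a PEM that was base64-encoded by hand before being placed in the Secret ends up double-encoded and unusable as a CA. The placeholder PEM below is constructed (a minimal DER SEQUENCE, not a real certificate) so the script runs offline; paste the output of `kubectl get secret tls-ca -n traefik -o json` into `find_ca_problems` to check a real Secret. Separately from the Secret contents, it is worth confirming that the IngressRoute's `tls.options` reference names both the option and its `traefik` namespace, since Traefik falls back to its default TLS options (no client certificate request) when the reference cannot be resolved.

```python
import base64
import binascii
from typing import List, Optional

# The Secret key Traefik's TLSOption clientAuth reads the CA certificate from.
CA_KEY = "tls.ca"

# Constructed placeholder: a valid PEM frame around a tiny DER SEQUENCE.
# It is NOT a real certificate; substitute the real CA PEM in practice.
PLACEHOLDER_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
    + "\n-----END CERTIFICATE-----\n"
)


def build_ca_secret(name: str, namespace: str, pem: str) -> dict:
    """Build the Secret manifest the way the API stores it: PEM base64-encoded once."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace},
        "data": {CA_KEY: base64.b64encode(pem.encode()).decode()},
    }


def _b64decode_strict(value: str) -> Optional[bytes]:
    """Decode base64 after dropping line wrapping; None if it is not valid base64."""
    try:
        return base64.b64decode("".join(value.split()), validate=True)
    except (binascii.Error, ValueError):
        return None


def _is_pem_cert(data: bytes) -> bool:
    text = data.strip()
    return text.startswith(b"-----BEGIN CERTIFICATE-----") and text.endswith(
        b"-----END CERTIFICATE-----"
    )


def find_ca_problems(secret: dict) -> List[str]:
    """Return the reasons Traefik could not load a CA from this Secret (empty if fine)."""
    problems: List[str] = []
    data = secret.get("data") or {}
    if CA_KEY not in data:
        problems.append(f"key {CA_KEY!r} missing; found keys {sorted(data)}")
        return problems
    raw = _b64decode_strict(data[CA_KEY])
    if raw is None:
        problems.append(f"{CA_KEY} is not valid base64")
        return problems
    if _is_pem_cert(raw):
        return problems  # correct layout: data[tls.ca] -> base64 -> PEM
    if raw[:1] == b"\x30":  # ASN.1 SEQUENCE tag: a DER certificate was stored
        problems.append(f"{CA_KEY} holds DER; Traefik expects a PEM-encoded certificate")
        return problems
    inner = _b64decode_strict(raw.decode("ascii", "replace"))
    if inner is not None and _is_pem_cert(inner):
        problems.append(
            f"{CA_KEY} is double base64-encoded: store the raw PEM, the API encodes it once"
        )
    else:
        problems.append(f"{CA_KEY} decodes to something that is neither PEM nor DER")
    return problems


if __name__ == "__main__":
    good = build_ca_secret("tls-ca", "traefik", PLACEHOLDER_PEM)
    # Simulates base64-encoding the PEM by hand before handing it to kubectl.
    doubled = build_ca_secret(
        "tls-ca", "traefik", base64.b64encode(PLACEHOLDER_PEM.encode()).decode()
    )
    print("good   :", find_ca_problems(good))
    print("doubled:", find_ca_problems(doubled))
```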