I'm trying to configure an IngressRoute that requires mTLS with Traefik 2.4.8. In the IngressRoute, I reference the following TLSOptions:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: mtls
  namespace: traefik
spec:
  minVersion: VersionTLS12
  cipherSuites:
    - TLS_RSA_WITH_AES_256_GCM_SHA384
    - TLS_RSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  clientAuth:
    # the CA certificate is extracted from key `tls.ca` of the given secrets.
    secretNames:
      - tls-ca
    clientAuthType: RequireAndVerifyClientCert
```
However, when I test the service using curl, Traefik does not reject the request if a client certificate is not presented. I've used tcpdump and can see that Traefik never requests the client certificate during the TLS handshake.
Any ideas on what could be going wrong or suggestions on how to debug? I wonder if it might be something with the secret used to store the CA cert. The only documentation I could find is the comment in the TLSOptions example that says the CA cert must be in key "tls.ca". I created a generic secret using that key and the public CA cert base64 encoded. Not sure if that's correct.
Ideally I'd like to just use a default TLSOptions for all IngressRoutes and a default TLSStore with a default certificate. I've tried a few different combinations. Below is the IngressRoute I'm testing with:
I opened a feature request for this on GitHub. For anyone reading this who is interested in this feature, please go like and comment on the feature request so it gains traction. A dev mentioned this would help them prioritize this feature.
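As an added example (not code from the post or from the Traefik project): a shell helper that renders the `tls-ca` Secret in the shape the TLSOption's `clientAuth.secretNames` reads (the CA PEM under key `tls.ca`), checks that the key actually decodes to a PEM certificate, and probes a server with openssl to see whether it ever sends a CertificateRequest during the handshake. The Secret name, namespace and the CA file path are assumptions.

```shell
#!/usr/bin/env bash
# Added example; assumes the CA is a PEM file and the Secret is "tls-ca" in "traefik".

# Render a generic Secret whose `tls.ca` key carries the base64 of the PEM file.
# Same result as: kubectl create secret generic tls-ca --from-file=tls.ca=ca.crt
render_ca_secret() {
  local pem_file="$1" name="${2:-tls-ca}" ns="${3:-traefik}"
  local b64
  b64=$(base64 < "$pem_file" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: ${name}
  namespace: ${ns}
type: Opaque
data:
  tls.ca: ${b64}
EOF
}

# Return 0 only if the manifest has a `tls.ca` entry that decodes to a PEM certificate.
# A Secret stored under another key, or holding double-encoded data, fails this check.
check_ca_secret() {
  local manifest="$1"
  local b64
  b64=$(printf '%s\n' "$manifest" | awk '$1=="tls.ca:"{print $2}')
  [ -n "$b64" ] || return 1
  printf '%s' "$b64" | base64 -d 2>/dev/null | grep -q 'BEGIN CERTIFICATE'
}

# Client-side probe (needs network and openssl): with -msg, s_client labels each
# handshake message, so a server configured for client auth shows "CertificateRequest".
server_requests_client_cert() {
  local host="$1" port="${2:-443}"
  openssl s_client -connect "${host}:${port}" -servername "$host" -msg </dev/null 2>&1 \
    | grep -q 'CertificateRequest'
}

# Usage: ./ca-secret.sh ca.crt > tls-ca-secret.yaml
if [ -n "${1:-}" ]; then
  render_ca_secret "$1"
fi
```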