Error logged for non-existent tls certResolver across namespaces

Hi,

I have traefik (v2.3.5) deployed into its own Kubernetes using helm and have a TLSStore defined within the same ingress-traefik namespace:

---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: ingress-traefik
spec:
  defaultCertificate:
    secretName: default-certs

And then I have the dashboard exposed successfully on the websecure endpoint to an internal domain within that same namespace:

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dashboard-traefik
  namespace: ingress-traefik
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`traefik.internal.mydomain.com`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: dashboard-auth
        - name: traefik-redirect
  tls:
    certResolver: default

And this loads fine and presents the right certificate provided by the default certResolver without any errors in the traefik logs.

However, when I define a new IngressRoute that is in a different namespace and reference that same certResolver like so:

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: my-service
  namespace: common
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`apps.internal.mydomain.com`) && PathPrefix(`/common/server`)
      kind: Rule
      services:
        - name: my-service
          kind: Service
          port: 80
          namespace: common
      middlewares:
        - name: app-path-strip
          namespace: ingress-traefik
  tls:
    certResolver: default

It still loads fine in the browser and the expected cert provided by the default certResolver is being presented properly; however, I get the following error in the traefik logs:

time="2021-01-28T18:12:00Z" level=error msg="the router common-my-service-71a719041a1b93f3d869@kubernetescrd uses a non-existent resolver: default"

I assume this is because my default certResolver is in the ingress-traefik namespace. Should I be replicating that Secret and TLSStore into the common namespace?

It feels odd that it is giving me an error but still working.

Thanks

Hello @welsh,

Thanks for your interest in Traefik!

From reading your post, you are probably mixing things up between the TLS Store and the Certificate Resolver.
The TLS Store is the place where certificates are stored and found, while the Certificate Resolver defines how Let's Encrypt challenges should be made to acquire certificates.

The Certificate Resolver definitions are made through the static configuration, while the TLS Stores are defined in the dynamic configuration.

Thus, the error log you are getting should also be printed for the dashboard router.

Hi @rtribotte,

Thanks for getting back to me. You are correct and I am indeed getting those mixed up; however, do you have an explanation for the behaviour I am seeing?

By having this section on the ingress routes:

tls:
  certResolver: default

It generates that error message but everything works properly with that default certificate in the ingress-traefik namespace for both the traefik dashboard and my-service IngressRoutes being applied.

If I remove that section, then it doesn't load at all for either of them as the traefik dashboard shows no TLS is configured in the Dashboard.

I can add in the following:

tls:
  secretName: default-certs

And then the traefik dashboard works again, but adding that to the my-service IngressRoute results in the traefik log indicating it cannot find that secret. That makes sense as secrets are not cross namespace.

Now I can create that same secret in each namespace, but is there a way to configure the TLS to get the same behaviour?

Ideally I was thinking of something like:

 tls:
    enabled: true

But the documentation doesn't list such a thing. Perhaps defining a default TLSOption would result in the same behaviour, since that can be cross namespace.

If that would work, do you know where I could find what values Traefik uses as defaults when a user-provided TLSOption is not defined? This would give me a good starting point I could then adjust.

Can confirm after testing that adding the following TLSOption with a bare minimum:

---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default-tls
  namespace: ingress-traefik

spec:
  minVersion: VersionTLS12

And then referencing it works as intended:

  tls:
    options: 
      name: default-tls
      namespace: ingress-traefik
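Added example (not part of any post in this thread and not Traefik's own code): a small Python lint that applies the three points that come out of the discussion to an IngressRoute's `tls` block, so a dangling reference is caught before it only shows up as an error in the Traefik log. Manifests are passed as already-parsed dicts; the helper `make_route` and the resolver, Secret and TLSOption inventories are constructed samples modelled on the thread.

```python
# Added example: offline lint for the `tls` block of Traefik IngressRoute manifests.
# Every name and inventory below is a constructed sample modelled on the thread.

def lint_tls(route, static_resolvers, secrets, tls_options):
    """Return findings for one IngressRoute given as an already-parsed dict.

    static_resolvers: certificate resolver names from the static configuration
    secrets / tls_options: sets of (namespace, name) for existing objects
    """
    meta = route["metadata"]
    ns = meta.get("namespace", "default")
    ident = f"{ns}/{meta['name']}"
    tls = route.get("spec", {}).get("tls")
    if tls is None:
        return [f"{ident}: no tls section, router will not serve TLS requests"]
    findings = []
    resolver = tls.get("certResolver")
    if resolver and resolver not in static_resolvers:
        findings.append(f"{ident}: certResolver '{resolver}' is not in the static configuration")
    secret = tls.get("secretName")
    if secret and (ns, secret) not in secrets:
        # secretName is looked up in the IngressRoute's own namespace only
        findings.append(f"{ident}: secret '{secret}' not found in namespace '{ns}'")
    opts = tls.get("options")
    if opts:
        # a TLSOption reference may name another namespace explicitly
        ref = (opts.get("namespace", ns), opts["name"])
        if ref not in tls_options:
            findings.append(f"{ident}: TLSOption '{ref[0]}/{ref[1]}' not found")
    return findings

def make_route(ns, name, tls):
    """Build a minimal IngressRoute dict (constructed sample)."""
    spec = {"entryPoints": ["websecure"]}
    if tls is not None:
        spec["tls"] = tls
    return {"kind": "IngressRoute", "metadata": {"name": name, "namespace": ns}, "spec": spec}

# Constructed inventories: no resolver in static config, one Secret, one TLSOption.
RESOLVERS = set()
SECRETS = {("ingress-traefik", "default-certs")}
TLS_OPTIONS = {("ingress-traefik", "default-tls")}

if __name__ == "__main__":
    samples = [
        make_route("common", "my-service", {"certResolver": "default"}),
        make_route("common", "my-service", {"secretName": "default-certs"}),
        make_route("common", "my-service", {"options": {"name": "default-tls", "namespace": "ingress-traefik"}}),
    ]
    for r in samples:
        print(lint_tls(r, RESOLVERS, SECRETS, TLS_OPTIONS) or "ok")
```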