Hello,
I'm struggling to understand the Consul catalog endpoint TLS configuration.
From the official documentation I don't understand what the provided files for ca, cert and key are used for.
Do I really have to configure in cert the certificate which Consul is using on its HTTPS API? And if so, do I also have to own its private key and configure it under key?
And for CA - I guess it's the certificate of the root authority which created the certificate configured under "cert". What if it's a certificate chain - must this then be a file containing the whole chain?
Thanks in advance, I really would like to understand this configuration in detail.
No experience with consul.
With Traefik dynamic config in general you can either reference a file (doc):
# Dynamic configuration
tls:
  certificates:
    - certFile: /path/to/domain.cert
      keyFile: /path/to/domain.key
    - certFile: /path/to/other-domain.cert
      keyFile: /path/to/other-domain.key
or inline the cert (discussion):
tls:
  certificates:
    # CERT FILE /etc/letsencrypt/live/example.com
    - certFile: |-
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
        -----BEGIN CERTIFICATE-----
        ...
        -----END CERTIFICATE-----
      keyFile: |-
        -----BEGIN PRIVATE KEY-----
        ...
        -----END PRIVATE KEY-----
Usually the certFile includes the intermediate and CA cert.
Note that you still need to enable TLS on the entrypoint or router.
For the router configuration I've found it in the documentation. I'm targeting the consulCatalog TLS configuration specifically.
Maybe it’s not supported, see this reference. I know from providers.docker that not everything from plain providers.file is supported.
It is, see the following options:
https://doc.traefik.io/traefik/providers/consul-catalog/#tls
But I don't get from the configuration in which way the configured cert and CA are used.
Sorry, I thought you wanted to load certs for entrypoint, but you want to use a TLS cert to connect to Consul.
I assume the ca just takes the public cert of a custom created one for internal use.
You could check and try to understand the source code.
I already tried to check the source code; all I found out is that the configured certificates are used in a ClientConfig, but not what happens after that.
As there is documentation for this part of the configuration, I'm wondering how other people use it or if I'm the only one struggling to understand the meaning of it.
From what I have seen on this forum, very few use consul and very few of those use a custom cert.
Maybe try www.reddit.com/r/Traefik/.