I am trying to set up Traefik to forward requests to a backend using the HTTPS protocol.
I am using Traefik and cert-manager with Let's Encrypt to provide certificates for my application.
But now the issue is that I am not able to forward requests to an HTTPS backend. For forwarding requests to an HTTP backend I am using the following code:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: prod-ingress
  namespace: my-ns
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
    - hosts:
        - "my-dns.com"
      secretName: prod-cert
  rules:
    - host: "my-dns.com"
      http:
        paths:
          - path: /app1
            pathType: Prefix
            backend:
              service:
                name: my-app1
                port:
                  number: 16686
```
So my issue is similar to this, but I want to use only the Ingress resource for forwarding requests to an HTTPS backend.
There are a few different ways to do this. The best in this case is probably using serversTransport.insecureSkipVerify (see below) unless you can set up trusted, non-self-signed certs for your service using FQDN my-app.my-ns.svc.cluster.local (but this seems a relatively unlikely situation so I did not try this in my testing). So, unless your TLS cert is not self-signed and the FQDN for the cert matches the FQDN for the service, then you will need to use serversTransport.insecureSkipVerify so that traefik will ignore the mismatch in FQDN and/or that the service's internal certificate is self-signed.
Option 1 is adding the serversTransport option to your service (not the Ingress) so that traefik will skip verification. Here is a snippet that I used for a service called nginx in a namespace called nginx:
```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: skipverify
  namespace: nginx
spec:
  insecureSkipVerify: true
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: nginx
  labels:
    app: nginx
  annotations:
    traefik.ingress.kubernetes.io/service.serversscheme: https
    # Reference format: <namespace>-<ServersTransport name>@kubernetescrd
    traefik.ingress.kubernetes.io/service.serverstransport: nginx-skipverify@kubernetescrd
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 443
```
Option 2 is just turning off verification for your traefik deployment on the whole (not necessarily the best option, but it also worked). I use k3s, so that just required me to drop the following HelmChartConfig into /var/lib/rancher/k3s/server/manifests/traefik-config.yaml, but this will depend on how you are setting up traefik:
```yaml
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    additionalArguments:
      - "--serversTransport.insecureSkipVerify=true"
```
There is more information on how to do this for other deployment methods in the docs: Routing & Load Balancing Overview | Traefik Docs
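
The verified alternative that the answer mentions but did not test, shown here as an added example (not code from the answer or from the Traefik project): a ServersTransport that checks the backend certificate against a private CA instead of skipping verification. The names `verify-backend` and `backend-ca` are hypothetical, and it assumes the backend certificate carries the SAN `nginx.nginx.svc.cluster.local` and that the Secret holds the issuing CA under the key `ca.crt` in the same namespace.

```yaml
---
# Added example: verify the backend certificate rather than skipping the check.
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: verify-backend            # hypothetical name
  namespace: nginx
spec:
  # Name that must appear in the backend certificate's SAN list.
  # Set explicitly because the backend is reached by endpoint address,
  # not by the service's DNS name.
  serverName: nginx.nginx.svc.cluster.local   # assumed SAN on the backend cert
  # Secret(s) in this namespace containing the CA that issued the backend cert.
  rootCAsSecrets:
    - backend-ca                  # hypothetical Secret with key ca.crt
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: nginx
  labels:
    app: nginx
  annotations:
    traefik.ingress.kubernetes.io/service.serversscheme: https
    # Reference format: <namespace>-<ServersTransport name>@kubernetescrd
    traefik.ingress.kubernetes.io/service.serverstransport: nginx-verify-backend@kubernetescrd
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 443
```

With this transport, a backend presenting a certificate from another issuer or for another name fails the TLS handshake at Traefik instead of being accepted.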