Forwarding to https backend fails with ingress

I am trying to set up traefik to forward requests to a backend using the https protocol.
I am using traefik and cert-manager with Let's Encrypt for certificates in my application.

But now the issue is that I am not able to forward requests to an https backend. For forwarding requests to an http backend I am using the following code:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: prod-ingress
  namespace: my-ns
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
  - hosts:
    - "my-dns.com"
    secretName: prod-cert
  rules:
  - host: "my-dns.com"
    http:
      paths:
      - path: /app1
        pathType: Prefix
        backend:
          service:
            name: my-app1
            port:
              number: 16686

So my issue is similar to this, but I want to use only the Ingress resource for forwarding requests to an https backend.

There are a few different ways to do this. The best in this case is probably using serversTransport.insecureSkipVerify (see below) unless you can set up trusted, non-self-signed certs for your service using FQDN my-app.my-ns.svc.cluster.local (but this seems a relatively unlikely situation so I did not try this in my testing). So, unless your TLS cert is not self-signed and the FQDN for the cert matches the FQDN for the service, then you will need to use serversTransport.insecureSkipVerify so that traefik will ignore the mismatch in FQDN and/or that the service's internal certificate is self-signed.

Option 1 is adding the serversTransport option to your service (not the Ingress) so that traefik will skip verification. Here is a snippet that I used for a service called nginx in a namespace called nginx:

---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: skipverify
  namespace: nginx
spec:
  insecureSkipVerify: true
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: nginx
  labels:
    app: nginx
  annotations:
    traefik.ingress.kubernetes.io/service.serversscheme: https
    traefik.ingress.kubernetes.io/service.serverstransport: nginx-skipverify@kubernetescrd
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 443

Option 2 is just turning off verification for your traefik deployment on the whole (not necessarily the best option, but it also worked). I use k3s, so that just required me to drop the following HelmChartConfig into /var/lib/rancher/k3s/server/manifests/traefik-config.yaml, but this will depend on how you are setting up traefik:

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    additionalArguments:
    - "--serversTransport.insecureSkipVerify=true"

There is more information on how to do this for other deployment methods in the docs: Routing & Load Balancing Overview | Traefik Docs
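An added example, not part of the reply above or of the Traefik docs: the same per-service ServersTransport as option 1, but verifying the backend certificate against a private CA instead of skipping verification. The names backend-ca and verify-backend, the serverName value and the certificate placeholder are assumptions; it also assumes the backend's certificate was issued by that CA with the service FQDN as a SAN.

```yaml
---
# Secret holding the CA that signed the backend's certificate.
# Traefik reads the CA from a "tls.ca" or "ca.crt" key.
apiVersion: v1
kind: Secret
metadata:
  name: backend-ca            # assumed name
  namespace: nginx
stringData:
  ca.crt: |
    <PEM-encoded CA certificate (placeholder, supply your own)>
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: verify-backend        # assumed name
  namespace: nginx
spec:
  # Name Traefik expects in the backend certificate (assumed SAN).
  serverName: nginx.nginx.svc.cluster.local
  # Trust only this CA for the backend connection.
  rootCAsSecrets:
    - backend-ca
  # insecureSkipVerify is left at its default (false), so a wrong
  # name or an untrusted issuer fails the TLS handshake.
---
apiVersion: v1
kind: Service
metadata:
  name: nginx
  namespace: nginx
  labels:
    app: nginx
  annotations:
    traefik.ingress.kubernetes.io/service.serversscheme: https
    # Reference format: <namespace>-<name>@kubernetescrd
    traefik.ingress.kubernetes.io/service.serverstransport: nginx-verify-backend@kubernetescrd
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 443
```

Because the transport is attached per service, other backends keep Traefik's default verification, unlike the global flag in option 2.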
