There are a few different ways to do this. The best in this case is probably using serversTransport.insecureSkipVerify (see below) unless you can set up trusted, non-self-signed certs for your service using FQDN my-app.my-ns.svc.cluster.local (but this seems a relatively unlikely situation so I did not try this in my testing). So, unless your TLS cert is not self-signed and the FQDN for the cert matches the FQDN for the service, then you will need to use serversTransport.insecureSkipVerify so that traefik will ignore the mismatch in FQDN and/or that the service's internal certificate is self-signed.
Options 1 is adding the serversTransport option to your service (not the Ingress) so that traefik will skip verfication. Here is a snippet that I used for a service called nginx in a namespace called nginx:
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
name: skipverify
namespace: nginx
spec:
insecureSkipVerify: true
---
apiVersion: v1
kind: Service
metadata:
name: nginx
namespace: nginx
labels:
app: nginx
annotations:
traefik.ingress.kubernetes.io/service.serversscheme: https
traefik.ingress.kubernetes.io/service.serverstransport: nginx-skipverify@kubernetescrd
spec:
selector:
app: nginx
ports:
- protocol: TCP
port: 443
Option 2 is just turning it off verification for your traefik deployment on the whole (not necessarily the best option, but it also worked). I use k3s, so that just required me dropping the following HelmChartConfig into /var/lib/rancher/k3s/server/manifests/traefik-config.yaml but this will depend on how you are setting up traefik:
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: traefik
namespace: kube-system
spec:
valuesContent: |-
additionalArguments:
- "--serversTransport.insecureSkipVerify=true"
There is more information on how to do this for other deployment methods in the docs: Routing & Load Balancing Overview |Traefik Docs - Traefik