I've got a service that is NGINX running inside my cluster, which is set up with k3d.io so the Ingress controller is Traefik. For a given Hostname, I want to forward all HTTP/HTTPS traffic as-is (no TLS termination) to my NGINX server.
Can't figure out how to do this. I saw the traefik.ingress.kubernetes.io/pass-tls-cert annotation, but the docs say that's deprecated. I also tried the traefik.ingress.kubernetes.io/pass-client-tls-cert annotation, but didn't get anywhere with that either.
I think this is my problem, though I admit I'm still green around the ears when it comes to Kubernetes, especially Ingress Controllers. I've tried cURLing my service from outside my cluster and my NGINX logs report an error about a bad certificate handshake:
2022/01/04 04:20:14 [info] 20#20: *3 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking, client: 10.42.0.8, server: 0.0.0.0:443
The output of my curl command shows this:
... (omitted for brevity) ...
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
* subject: CN=TRAEFIK DEFAULT CERT
* start date: Jan 4 04:07:39 2022 GMT
* expire date: Jan 4 04:07:39 2023 GMT
* issuer: CN=TRAEFIK DEFAULT CERT
* SSL certificate verify result: self signed certificate (18), continuing anyway.
... (omitted for brevity) ...
TRAEFIK DEFAULT CERT value, which is not what my NGINX instance is configured to use. So I'm guessing the Ingress Controller is intercepting something I don't want to be intercepted.
This is for a local cluster, so I'm not terribly concerned with the "proper" way of doing this in prod... just need to get traffic to this NGINX server for a certain Hostname. I freely admit I only have about 35% understanding of the situation, so apologies in advance if I'm barking up the wrong tree... hopefully I provided enough details for a course-correction!
Appreciate the help.