Ingressroutetcp TLS termination

schizoid90 · August 17, 2021, 10:52am

We have a mongodb instance running in Kubernetes. We route traffic for connections from outside the cluster via HAProxy and into Traefik on a dedicated entrypoint and the through the IngressRouteTCP listening on that entrypoint. We have configured TLS termination as per the docs but what we're seeing is that Traefik is forwarding on TLS.

This was working in v2.2.x but since upgrading to 2.4.11 it's stopped.

Some config:

The ingressroutetcp

  spec:
    entryPoints:
    - generictcp
    routes:
    - match: HostSNI(`testing-mongodb.domain.co.uk`)
      services:
      - kind: Service
        name: mongodb-testing
        port: 27017
        proxyProtocol:
          version: 2
        terminationDelay: 100
        weight: 10
    tls:
      domains:
      - main: testing-mongodb.domain.co.uk
      secretName: domain-co-uk-wcard

Values for Traefik helm chart

deployment:
  replicas: 3
podDisruptionBudget:
  maxUnavailable: 1
  minAvailable: 1
service:
  type: NodePort
additionalArguments:
- "--api.insecure=true"
- "--accesslog"
- "--entrypoints.websecure.http.tls"
- "--metrics.prometheus"
- "--providers.kubernetescrd.allowcrossnamespace=true"
autoscaling:
  enabled: false
persistence:
  enabled: false
ports:
  web:
    exposedPort: 8000
    nodePort: 30940
  generictcp:
    port: 8081
    exposedPort: 8081
    nodePort: 30941
    expose: true
    protocol: TCP
    tls:
      enabled: false
  websecure:
    exposedPort: 8443
    nodePort: 31283
rbac:
  enabled: false
env:
- name: GODEBUG
  value: x509ignoreCN=0
resources:
  requests:
    cpu: "50m"
    memory: "50Mi"
  limits:
   cpu: "300m"
   memory: "300Mi"
affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
    - weight: 100
      podAffinityTerm:
        labelSelector:
          matchExpressions:
          - key: app.kubernetes.io/name
            operator: In
            values:
            - traefik
        topologyKey: kubernetes.io/hostname

Error from MongoDB suggests it is receiving a SSL connection.

{"t":{"$date":"2021-08-11T14:40:03.694+00:00"},"s":"I",  "c":"NETWORK",  "id":22988,   "ctx":"conn20783","msg":"Error receiving request from client. Ending connection from remote","attr":{"error":{"code":141,"codeName":"SSLHandshakeFailed","errmsg":"SSL handshake received but server is started without SSL support"},"remote":"10.244.2.209:34070","connectionId":20783}}

schizoid90 · August 25, 2021, 3:27pm

I have resolved the issue for me. I removed the proxyProtocol section from the ingressroutetcp spec

proxyProtocol:
          version: 2

With this set to anything, the connection fails. Which is odd as examples all show using this setting

Topic		Replies	Views
IngressrouteTCP TLS Termination - K8s Traefik v2 kubernetes-crd	2	561	June 26, 2022
TCP TLS termination Router Traefik v2 kubernetes-crd	2	2539	October 29, 2019
Connection errors for tcp endpoint via IngressRouteTCP Traefik v2 kubernetes-crd , tcp	0	1791	December 18, 2019
IngressRouteTCP with TLS backend Traefik v2 kubernetes-crd	0	502	May 17, 2021
Hosting a HTTP-App on a custom TCP-Port with TLS Traefik v2 kubernetes-crd , kubernetes-ingress , tcp	1	1299	March 25, 2022

Ingressroutetcp TLS termination

Related topics