Internal default TLS Store

jjsiv · February 14, 2023, 7:26pm

Hi,
I've been experimenting a bit with TLSStore today and now I'd like to ask - do I understand correctly that Traefik keeps its own "internal" default TLSStore by itself, even if I don't explicitly define it?

I have my own local CA and a wildcard cert signed by it and was very confused today when I created a new IngressRoute with this definition:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: restapi-ingress-test
  namespace: jed-test
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  entryPoints:
    - websecure
  routes:
  - kind: Rule
    match: Host(`rest.jed.local`) && (Path(`/ping`) || PathPrefix(`/pong`))
    services:
    - name: restapi
      serversTransport: restapi-tls-test
      port: 8443
      scheme: https
      sticky:
        cookie:
          name: sticky-test
          secure: true
  tls: {}

As you can see here, I have not referenced any secret for TLS and yet Traefik uses a wildcard certificate that I have defined in another namespace for use in another IngressRoute:

curl https://rest.jed.local/ping -v
* Connected to rest.jed.local (192.168.55.20) port 443 (#0)
...
* ALPN: server accepted h2
* Server certificate:
*  subject: C=PL; ST=Lodz; L=Lodz; O=Jed; OU=Jed; CN=jed.local
*  start date: Dec  4 18:10:17 2022 GMT
*  expire date: Mar  8 18:10:17 2025 GMT
*  subjectAltName: host "rest.jed.local" matched cert's "*.jed.local"
*  issuer: C=PL; ST=Lodz; L=Lodz; O=Jed; CN=Jed
*  SSL certificate verify ok.

I can also see in the logs that it does add it to a TLSStore, even though I have not defined it myself:
{"level":"debug","msg":"No store is defined to add the certificate MIIDgzCCAmugAwIBAgIUHGpdE9SJH/MSJBJPSJcakzAlKeAwDQ, it will be added to the default store.","time":"2023-02-14T19:11:08Z"}
{"level":"debug","msg":"Adding certificate for domain(s) *.jed.local,jed.local","time":"2023-02-14T19:11:08Z"}

I have not looked at the source code but am I correct in thinking that Traefik does keep a default TLSStore "internally"?
If so, what is the purpose of actually defining it (other than specifying a default certificate) if it collects the secrets by itself?

Thanks!

Topic		Replies	Views
How can i not specify tls in IngressRoute if with defaultCertificate configured? Traefik v2 kubernetes-crd	1	527	November 1, 2020
Traefik - Custom TLS certificate Traefik v2 kubernetes-ingress	4	459	July 19, 2024
Set default certificate into Kubernetes Traefik v2 kubernetes-crd	2	485	March 16, 2020
SSL configuration without Let's Encrypt Traefik v2 file	0	678	September 21, 2020
TLSStore not used and no error messages in the logs Traefik v2 kubernetes-crd	1	272	November 27, 2023

Internal default TLS Store

Related topics