Issue passing CA Root certificate to backend service

The following configuration works properly to establish communication with a web service over HTTP (client -> traefik edge router -> HTTP web service (ExternalName service)). In this scenario I chose the service of type ExternalName as my backend because it was the easiest way to achieve it, and it's working really well.

###################################################################################
# MIDDLEWARE
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-core-service-soap-rest-chain
  namespace: devops
spec:
  chain:
    middlewares:
    - name: dev-core-service-soap-rest-replacepathregex
    - name: dev-soap-rest-bodysize
    - name: dev-soap-rest-security-headers
    - name: dev-soap-rest-retry
    - name: dev-soap-rest-cors
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-core-service-soap-rest-replacepathregex
  namespace: devops
spec:
  replacePathRegex:
    regex: /core-service(/|$)(.*)
    replacement: /$2     
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-soap-rest-bodysize
  namespace: devops
spec:
  buffering:
    maxRequestBodyBytes: 20971520
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-soap-rest-security-headers
  namespace: devops
spec:
  headers:
    frameDeny: true
    sslRedirect: true
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    contentTypeNosniff: true
    browserXssFilter: true
    customResponseHeaders:
      Server: ""
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-soap-rest-retry
  namespace: devops
spec:
  retry:
    attempts: 3
    initialInterval: 1000ms 
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: dev-soap-rest-cors
  namespace: devops  
spec:
  headers:
    accessControlAllowMethods:
      - "PUT"    
      - "GET"
      - "POST"      
      - "OPTIONS"
      - "DELETE"
      - "HEAD"      
      - "TRACE"
      - "PATCH"
    accessControlAllowHeaders:
      - "*"       
    accessControlAllowOriginList:
      - "*"
    accessControlMaxAge: 300
    addVaryHeader: true
---
#################################################################################
# CORE SERVICE EXTERNAL SERVICES
#################################################################################
apiVersion: v1
kind: Service
metadata:
  name: dev-core-service-soap-rest-esvc-1
  namespace: devops
spec:
  externalName: 1.1.1.1
  type: ExternalName
  ports:
    - port: 7801
---
apiVersion: v1
kind: Service
metadata:
  name: dev-core-service-soap-rest-esvc-2
  namespace: devops
spec:
  externalName: 1.1.1.1
  type: ExternalName
  ports:
    - port: 7802
---
#################################################################################
# CORE SERVICE TRAEFIK SERVICE
#################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: dev-core-service-soap-rest-tsvc
  namespace: devops
spec:
  weighted:
    services:
      - name: dev-core-service-soap-rest-esvc-1
        weight: 1
        port: 7801
      - name: dev-core-service-soap-rest-esvc-2
        weight: 1
        port: 7802
---
#################################################################################
#  CORE SERVICE INGRESS ROUTE
#################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: dev-core-service-soap-rest-ingress-route-tls
  namespace: devops
  annotations:
    kubernetes.io/ingress.class: dev-traefik
spec:
  entryPoints:
    - web
    - websecure
  routes:
  - kind: Rule
    match: Host(`example.com`) && PathPrefix(`/core-service`)
    middlewares:
    - name: dev-core-service-soap-rest-chain    
    services:
    - name: dev-core-service-soap-rest-tsvc
      kind: TraefikService
      namespace: devops
      port: 7801
  tls:
    secretName: dev-traefik-tls

My requirement for the production environment is a little bit different, because I need to establish the communication with the web service over HTTPS, and for that I need to pass the root CA certificate (client -> traefik edge router -> HTTPS/TLS web service (ExternalName service)). The reason why I chose the Kubernetes service of type ExternalName is that I can map a service to a DNS name. This works great as long as you are using HTTP, but when you need it over HTTPS it works differently. As a workaround I found that you can "force HTTPS" using scheme: https and port: 7843 in the TraefikService and IngressRoute resources; in this way I was able to see the ExternalName service as HTTPS in the traefik dashboard, and it seems to be the proper workaround to "force HTTPS" in the ExternalName service. This is how these resources look right now:

###################################################################################
# CORE SERVICE EXTERNAL SERVICES
###################################################################################
apiVersion: v1
kind: Service
metadata:
  name: prod-core-service-soap-rest-esvc
  namespace: devops
spec:
  externalName: example.com
  type: ExternalName
  ports:
    - port: 7843 
---
###################################################################################
#  CORE SERVICE INGRESS ROUTE
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: prod-core-service-soap-rest-ingress-route-tls
  namespace: devops
  annotations:
    kubernetes.io/ingress.class: prod-traefik
spec:
  entryPoints:
    - web
    - websecure
  routes:
  - kind: Rule
    match: Host(`example.com`) && PathPrefix(`/core-service`)
    middlewares:
    - name: prod-core-service-soap-rest-chain    
    services:
    - name: prod-core-service-soap-rest-tsvc
      namespace: devops
      kind: TraefikService
      port: 7843
      scheme: https
      serversTransport: bus-server-transport
  tls:
    secretName: prod-traefik-tls
---

As you can see in the code below, I'm trying to pass the certificate to the backend service with a ServersTransport resource, which is supposed to pass the CA root certificate to the backend service, but I'm not sure if I'm using it correctly. The documentation says that you can use the file path for rootCAsSecrets: but I'm not sure about it.

###################################################################################
# CORE SERVICE SERVERS TRANSPORT
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: bus-server-transport
  namespace: devops
spec:
  insecureSkipVerify: true
  rootCAsSecrets:
    - ROOT-CA.crt
  forwardingTimeouts:
    dialTimeout: 30s
    responseHeaderTimeout: 30s
    idleConnTimeout: 30s
--- 

So far I haven't been able to make it work. I would appreciate any guidance you can provide to make it work.

Here is the whole piece of code that I'm using right now:

###################################################################################
# MIDDLEWARE
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-core-service-soap-rest-chain
  namespace: devops
spec:
  chain:
    middlewares:
    - name: prod-core-service-soap-rest-replacepathregex
    - name: prod-soap-rest-bodysize
    - name: prod-soap-rest-security-headers
    - name: prod-soap-rest-retry
    - name: prod-soap-rest-cors
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-core-service-soap-rest-replacepathregex
  namespace: devops
spec:
  replacePathRegex:
    regex: /core-service(/|$)(.*)
    replacement: /$2     
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-soap-rest-bodysize
  namespace: devops
spec:
  buffering:
    maxRequestBodyBytes: 20971520
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-soap-rest-security-headers
  namespace: devops
spec:
  headers:
    frameDeny: true
    sslRedirect: true
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    contentTypeNosniff: true
    browserXssFilter: true
    customResponseHeaders:
      Server: ""
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-soap-rest-retry
  namespace: devops
spec:
  retry:
    attempts: 3
    initialInterval: 1000ms 
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: prod-soap-rest-cors
  namespace: devops  
spec:
  headers:
    accessControlAllowMethods:
      - "PUT"    
      - "GET"
      - "POST"      
      - "OPTIONS"
      - "DELETE"
      - "HEAD"      
      - "TRACE"
      - "PATCH"
    accessControlAllowHeaders:
      - "*"       
    accessControlAllowOriginList:
      - "*"
    accessControlMaxAge: 300
    addVaryHeader: true
---
###################################################################################
# CORE SERVICE EXTERNAL SERVICES
###################################################################################
apiVersion: v1
kind: Service
metadata:
  name: prod-core-service-soap-rest-esvc
  namespace: devops
spec:
  externalName: example.com
  type: ExternalName
  ports:
    - port: 7843 
---
###################################################################################
# CORE SERVICE TRAEFIK SERVICE
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: prod-core-service-soap-rest-tsvc
  namespace: devops
spec:
  weighted:
    services:
      - name: prod-core-service-soap-rest-esvc
        weight: 1
        port: 7843
        scheme: https
      - name: prod-core-service-soap-rest-esvc
        weight: 1
        port: 7843
        scheme: https
---
###################################################################################
# CORE SERVICE SERVERS TRANSPORT
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: bus-server-transport
  namespace: devops
spec:
  insecureSkipVerify: true
  rootCAsSecrets:
    - ROOT-CA.crt
  forwardingTimeouts:
    dialTimeout: 30s
    responseHeaderTimeout: 30s
    idleConnTimeout: 30s
---
###################################################################################
#  CORE SERVICE INGRESS ROUTE
###################################################################################
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: prod-core-service-soap-rest-ingress-route-tls
  namespace: devops
  annotations:
    kubernetes.io/ingress.class: prod-traefik
spec:
  entryPoints:
    - web
    - websecure
  routes:
  - kind: Rule
    match: Host(`example.com`) && PathPrefix(`/core-service`)
    middlewares:
    - name: prod-core-service-soap-rest-chain    
    services:
    - name: prod-core-service-soap-rest-tsvc
      namespace: devops
      kind: TraefikService
      port: 7843
      scheme: https
      serversTransport: bus-server-transport
  tls:
    secretName: prod-traefik-tls

Hello @lungosta,

rootCAsSecrets is a list of Kubernetes Secrets in your namespace that hold the certificate files, similar to tls: secretName in the IngressRoute.

Hi @daniel.tomcej, thank you for replying back.
I got your point. I thought you could pass a file path within rootCAsSecrets like /path/to/your/crt/file. I'm already requesting the public and private key so I can create the Kubernetes secret to store the CA root certificate.

So my guess is right regarding passing the CA root certificate to the backend service using the ServersTransport CRD? Have you tried something similar to my configuration before? Do you think it could work? This configuration is working properly over HTTP.

Hello @lungosta,

The CA certificate provided in the serversTransport is used to verify and validate certificates provided by the targeted server/service. Therefore the certificates provided by your service will need to be signed by ROOT-CA. You currently have verification disabled due to insecureSkipVerify: true, so verification is currently being skipped.

If your backend service uses a custom root to sign their TLS certificates, then yes, this should work for you.
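Putting the answer above into concrete manifests, as an added example that is not part of the original thread: the CA goes into a Kubernetes Secret in the same namespace as the ServersTransport (Traefik v2 reads the PEM from the Secret's tls.ca key, falling back to ca.crt), rootCAsSecrets lists that Secret by name rather than a file path, and insecureSkipVerify: true is dropped, because with it set the CA is never consulted and the backend certificate is accepted unverified. The Secret name bus-root-ca and the CA file name ROOT-CA.crt are assumptions; the namespace, transport name and port follow the thread. One further caveat from Traefik's CRD provider: serversTransport, scheme and port apply to the Kubernetes Service being referenced, so when the IngressRoute points at a weighted TraefikService they need to be set on each entry under weighted.services, not on the kind: TraefikService reference in the IngressRoute.

```shell
#!/bin/sh
# Added example, not code from the original thread. Renders the Secret,
# ServersTransport and weighted TraefikService that make rootCAsSecrets work.
# Assumed names: Secret bus-root-ca, CA file ROOT-CA.crt; namespace devops
# and transport bus-server-transport are taken from the thread.
set -eu

# Sanity check: the file must be a PEM certificate bundle, not a private key
# or a DER blob. Traefik base64-decodes the Secret value and parses PEM only.
pem_has_cert() {
  grep -q '^-----BEGIN CERTIFICATE-----' "$1" &&
    ! grep -q 'PRIVATE KEY' "$1"
}

# Secret holding the root CA. Traefik v2 looks for the key tls.ca first,
# then ca.crt; any other key name is silently not found.
render_ca_secret() {
  name=$1; ns=$2; cafile=$3
  pem_has_cert "$cafile" || { echo "$cafile is not a PEM certificate bundle" >&2; return 1; }
  b64=$(base64 < "$cafile" | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $ns
type: Opaque
data:
  tls.ca: $b64
EOF
}

# ServersTransport referencing the Secret by name (no file paths) and with
# verification left enabled, so the backend must present a chain to ROOT-CA.
render_servers_transport() {
  name=$1; ns=$2; secret=$3
  cat <<EOF
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: $name
  namespace: $ns
spec:
  rootCAsSecrets:
    - $secret
  forwardingTimeouts:
    dialTimeout: 30s
    responseHeaderTimeout: 30s
    idleConnTimeout: 30s
EOF
}

# Weighted TraefikService: scheme, port and serversTransport go on the member
# that references the Kubernetes (ExternalName) Service, where Traefik reads them.
render_traefik_service() {
  name=$1; ns=$2; backend=$3; port=$4; transport=$5
  cat <<EOF
apiVersion: traefik.containo.us/v1alpha1
kind: TraefikService
metadata:
  name: $name
  namespace: $ns
spec:
  weighted:
    services:
      - name: $backend
        kind: Service
        weight: 1
        port: $port
        scheme: https
        serversTransport: $transport
EOF
}

# Usage (run in the directory holding ROOT-CA.crt):
#   render_ca_secret bus-root-ca devops ROOT-CA.crt | kubectl apply -f -
#   render_servers_transport bus-server-transport devops bus-root-ca | kubectl apply -f -
#   render_traefik_service prod-core-service-soap-rest-tsvc devops \
#     prod-core-service-soap-rest-esvc 7843 bus-server-transport | kubectl apply -f -
```

Before applying, confirm the backend really chains to that root with openssl verify -CAfile ROOT-CA.crt against the certificate the backend serves; if it passes but Traefik still fails the handshake, the usual cause is a hostname mismatch between the certificate and the externalName, which is fixed on the certificate or with serverName in the ServersTransport rather than by re-enabling insecureSkipVerify.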