Kubernetes IngressRoute with TLS secret

So this ingress configuration fails and I get a certificate with Traefik Default as the CN in the frontend, despite providing the TLS data in a secret.

apiVersion: v1
kind: Secret
metadata:
  name: minio-tls
  namespace: velero
data:
  tls.crt: MIID+zCCAuOgAwIBAgIUL2FfnXXqODsV5ndzb4E9Up8uh1EwDQYJKoZIhvcNAQELBQAwgYwxCzAJBgNVBAYTAlROMQ4wDAYDVQQIDAVUdW5pczEOMAwGA1UEBwwFVHVuaXMxDTALBgNVBAoMBEhvbWUxDzANBgNVBAsMBkRldm9wczEXMBUGA1UEAwwObWluaW8ua3ViZS50bGQxJDAiBgkqhkiG9w0BCQEWFXlhc3NpbmUubGF6QGdtYWlsLmNvbTAeFw0xOTExMTIxNzEzNThaFw0yOTExMDkxNzEzNThaMIGMMQswCQYDVQQGEwJUTjEOMAwGA1UECAwFVHVuaXMxDjAMBgNVBAcMBVR1bmlzMQ0wCwYDVQQKDARIb21lMQ8wDQYDVQQLDAZEZXZvcHMxFzAVBgNVBAMMDm1pbmlvLmt1YmUudGxkMSQwIgYJKoZIhvcNAQkBFhV5YXNzaW5lLmxhekBnbWFpbC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC/jQMmHSOzYen8DfMT9DL3eyJQBcal1bHXeOBy6pjfLS62WlP3aIwgSotBCDJMgvuAJboA46oZIPdP7LOME2NSG5aAhIkHTcNbWz9370wv0EijxDvhdNN3gkrN7zY6wx5GAiZoKi2uJgMnlHkHeHbp/Zop0Ni/b5TLEmfojUAgl8A3J/tjNiV342rHRrm+ApSiOnYiN2lKKmC9A0hOcwdDblwvFaJHTMqfjHH7vnTVcfhP4GWlQ4IXBEuwt1N31U8u27VETF0wuAs2fc7B+hdu6sAULtKL+cSNQiAzsMwH87KYY0d/V3p9zaukfCyDCfOFslsGPQinXe9Rydu/y9VHAgMBAAGjUzBRMB0GA1UdDgQWBBTXOPDNZVUipgCWwQ+/EhOMs6maEDAfBgNVHSMEGDAWgBTXOPDNZVUipgCWwQ+/EhOMs6maEDAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQCw4LZ2dGaHUc8xW1sk7eYHGJ01T6BDQ9Jw7RfYb8RhtTCyMvcsu3TNZK549UaysblW/ZPS/xhrdDr435lPkeK8qSmMpIIMFFqJ+rrIE5cxvOLxXZUWmnQqYZ8Iw+RyEkt1629buHv+zZQgM80QK6MqS+NUsBls9cJ6vChb1rRpWDlsgEcavogvq5oKsGuyhg6hjadFM4QeH99OoscNZTiS2U+hiHCTV0HCeS+vdK9ItZ6+0n8DdLeZNIMVy/WBUE45DZSb6JJ/kn+z2eDujpG9hwi/4FTyaOhzgUlS9JQEqOaVgKvbLWzH24vR1xyocInDTs4U+vQHQjPQq1LgTkJ8
  tls.key: <key-data>

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: minio-ir-tls
  namespace: velero
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`minio.kube.tld`)
    kind: Rule
    services:
    - name: minio
      port: 9000
  tls:
    secretName: minio-tls

The cert and key were generated using openssl and the data copied from there:

openssl req -newkey rsa:2048 -nodes -keyout tls.key -x509 -days 3650 -out tls.crt

The route is reachable but not with the provided certificate. I suspect this is because Traefik has this error and then uses the default cert:

Unable to append certificate <cert-data> to store: unable to generate TLS certificate : tls: failed to find any PEM data in certificate input" tlsStoreName=default  

Perhaps I'm missing or misunderstanding something.

Hello @yassine.laz,

When you created the certificate tls.key and tls.crt files on your local machine, you stated that you used:

Can you confirm that you did this by creating the secret from the files using the following command?

kubectl -n velero create secret tls minio-tls --key=tls.key --cert=tls.crt

That solves it. Not sure why setting the data directly in the secret's YAML won't.
NVM... base64
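
The cause the thread ends on ("base64"), shown as an added example that is not part of the original posts: Kubernetes base64-decodes each value under `data:` once, so `tls.crt` must hold the base64 of the whole PEM file, which `kubectl create secret tls` produces for you. The function names and `SAMPLE_PEM` are constructed for illustration.

```bash
# Added example: how a value under `data:` looks after Kubernetes decodes it.
# SAMPLE_PEM is constructed: real PEM framing around a dummy body, not a real cert.
SAMPLE_PEM='-----BEGIN CERTIFICATE-----
TUlJRHNhbXBsZQ==
-----END CERTIFICATE-----'

# Correct value for data.tls.crt: base64 of the whole PEM file, on one line.
encode_for_data() {
  printf '%s\n' "$1" | base64 | tr -d '\n'
}

# The mistake: only the body between the BEGIN/END lines is pasted.
pem_body_only() {
  printf '%s\n' "$1" | grep -v -- '-----' | tr -d '\n'
}

# Decode a data value once, as the API server does, and report the result:
#   pem        - decoded bytes contain a PEM certificate block
#   no-pem     - valid base64, but no PEM block inside (the logged error case)
#   not-base64 - the value does not decode at all
classify_data_value() {
  if ! printf '%s' "$1" | base64 -d >/dev/null 2>&1; then
    echo "not-base64"
  elif printf '%s' "$1" | base64 -d | grep -- '-----BEGIN CERTIFICATE-----' >/dev/null; then
    echo "pem"
  else
    echo "no-pem"
  fi
}

echo "whole PEM, encoded: $(classify_data_value "$(encode_for_data "$SAMPLE_PEM")")"
echo "PEM body only:      $(classify_data_value "$(pem_body_only "$SAMPLE_PEM")")"
```

A correctly encoded value starts with `LS0tLS1CRUdJTi` (the base64 of `-----BEGIN`); the `tls.crt` value in the question starts with `MIID`, which is the PEM body itself and decodes to raw DER rather than PEM.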