Hello @BernhardBerbuir
Thank you for sharing your configuration.
In order to achieve what you have described, rootCAs have to be added in a static configuration; please see the following links:
- rootCa
- here is the full example how to mount secrets with CA's to Traefik deployment
Alternatively you can use insecure mode. By enabling that feature Traefik will trust the server certificate.
I also created the entire configuration so you can test it on your side. In my example the Whoami application is acting as Elasticsearch. The application exposes port 443 and a certificate and key that have been issued by the CA added to the Traefik deployment.
The deployment for the Whoami application; please note the annotation `serversscheme` that is added to the service.
```yaml
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoami-tls
  labels:
    app: whoami
    task: tls
spec:
  replicas: 1
  selector:
    matchLabels:
      app: whoami
      task: tls
  template:
    metadata:
      labels:
        app: whoami
        task: tls
    spec:
      containers:
        - name: whoami
          image: traefik/whoami
          ports:
            - containerPort: 443
          volumeMounts:
            - name: whoami-cert
              mountPath: /var/run/tls
          command:
            - "/whoami"
            - "--cert=/var/run/tls/tls.crt"
            - "--key=/var/run/tls/tls.key"
            - "--port=443"
      volumes:
        - name: whoami-cert
          secret:
            secretName: whoami-cert
---
apiVersion: v1
kind: Service
metadata:
  name: whoami-tls
  annotations:
    traefik.ingress.kubernetes.io/service.serversscheme: https
spec:
  ports:
    - name: https
      port: 443
  selector:
    app: whoami
    task: tls
```
Here is the Ingress object with added Traefik's annotation. You can use IngressClass to distinguish Traefik instances.
```yaml
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
  name: elasticsearch-master
spec:
  ingressClassName: traefik
  rules:
    - host: elasticsearch-master.127.0.0.1.nip.io
      http:
        paths:
          - path: /
            pathType: Exact
            backend:
              service:
                name: whoami-tls
                port:
                  number: 443
```
IngressClass:
```yaml
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  labels:
    app.kubernetes.io/instance: traefik
  name: traefik
spec:
  controller: traefik.io/ingress-controller
```
And here is the entire Traefik deployment:
```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/instance: traefik
    app.kubernetes.io/name: traefik
  name: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: traefik
      app.kubernetes.io/name: traefik
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: traefik
        app.kubernetes.io/name: traefik
    spec:
      containers:
        - args:
            - --entryPoints.web.address=:8000/tcp
            - --entryPoints.websecure.address=:8443/tcp
            - --entryPoints.traefik.address=:9000/tcp
            - --api=true
            - --api.dashboard=true
            - --api.insecure=true
            - --ping=true
            - --providers.kubernetescrd
            - --providers.kubernetescrd.allowCrossNamespace=true
            - --providers.kubernetesingress=true
            - --providers.kubernetesingress.ingressclass=traefik
            - --serversTransport.rootCAs=/certs/tls.ca
            - --serversTransport.insecureSkipVerify=true
            - --log.level=DEBUG
          image: traefik:2.5.4
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /ping
              port: 9000
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 2
          name: traefik
          ports:
            - containerPort: 8000
              name: web
              protocol: TCP
            - containerPort: 8443
              name: websecure
              protocol: TCP
            - containerPort: 9000
              name: traefik
              protocol: TCP
          readinessProbe:
            failureThreshold: 1
            httpGet:
              path: /ping
              port: 9000
              scheme: HTTP
            initialDelaySeconds: 5
            periodSeconds: 5
            successThreshold: 1
            timeoutSeconds: 2
          resources:
            limits:
              cpu: "1"
              memory: 1000Mi
            requests:
              cpu: 100m
              memory: 50Mi
          volumeMounts:
            - mountPath: /data
              name: storage-volume
            - mountPath: /certs
              name: ca
              readOnly: true
      serviceAccount: traefik-ingress-controller
      serviceAccountName: traefik-ingress-controller
      volumes:
        - emptyDir: {}
          name: storage-volume
        - name: ca
          secret:
            secretName: ca
```
I hope that helps.
Regards,
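The post above contrasts two ways of letting Traefik talk TLS to a backend: pinning the private CA with `serversTransport.rootCAs`, or switching off verification with `serversTransport.insecureSkipVerify`. The Go program below is an added illustration, not code from the post or from Traefik itself. It builds a throwaway private CA and a backend whose leaf certificate chains to it (standing in for the `ca` and `whoami-cert` secrets), plus a second backend under an unrelated CA that stands in for an impostor, and then runs the same two client policies against both. The names `StartBackend`, `PinnedToCA`, `SkipVerify`, `Fetch` and `Demo` are invented for this example; the CA and certificates are generated in memory and the servers listen on loopback only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// newCert issues a certificate for tmpl signed by parent; when parent is nil the
// certificate is self-signed (used for the CA).
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Backend is a TLS server (the stand-in for whoami/Elasticsearch) together with
// the private CA that issued its certificate.
type Backend struct {
	CA     *x509.Certificate
	Server *httptest.Server
}

// StartBackend creates a fresh private CA, issues a server certificate for
// 127.0.0.1 from it, and starts an HTTPS server on loopback using that certificate.
func StartBackend() (*Backend, error) {
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example private CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, caKey, err := newCert(caTmpl, nil, nil)
	if err != nil {
		return nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "whoami-tls"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")}, // httptest binds to 127.0.0.1
	}
	leaf, leafKey, err := newCert(leafTmpl, ca, caKey)
	if err != nil {
		return nil, err
	}
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "ok")
	}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: leafKey}}}
	srv.StartTLS()
	return &Backend{CA: ca, Server: srv}, nil
}

// PinnedToCA mirrors --serversTransport.rootCAs: only certificates chaining to
// the given CA are accepted.
func PinnedToCA(ca *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// SkipVerify mirrors --serversTransport.insecureSkipVerify=true: the server
// certificate is accepted without any check of its chain or name.
func SkipVerify() *tls.Config {
	return &tls.Config{InsecureSkipVerify: true}
}

// Fetch performs one GET with the given client TLS policy; a non-nil error means
// the connection (normally the handshake) was refused.
func Fetch(url string, cfg *tls.Config) error {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	resp.Body.Close()
	return nil
}

// Demo runs both policies against the genuine backend and the impostor and
// reports which connections were accepted.
func Demo() (map[string]bool, error) {
	genuine, err := StartBackend()
	if err != nil {
		return nil, err
	}
	defer genuine.Server.Close()
	impostor, err := StartBackend() // separate CA: the trusted pool knows nothing about it
	if err != nil {
		return nil, err
	}
	defer impostor.Server.Close()
	pinned := PinnedToCA(genuine.CA)
	return map[string]bool{
		"rootCAs/genuine":     Fetch(genuine.Server.URL, pinned) == nil,
		"rootCAs/impostor":    Fetch(impostor.Server.URL, pinned) == nil,
		"skipVerify/genuine":  Fetch(genuine.Server.URL, SkipVerify()) == nil,
		"skipVerify/impostor": Fetch(impostor.Server.URL, SkipVerify()) == nil,
		"systemRoots/genuine": Fetch(genuine.Server.URL, &tls.Config{}) == nil, // no CA configured at all
	}, nil
}

func main() {
	results, err := Demo()
	if err != nil {
		panic(err)
	}
	for policy, accepted := range results {
		fmt.Printf("%-20s accepted=%v\n", policy, accepted)
	}
}
```

Running it shows the difference the post points at: with the CA pinned, the genuine backend is accepted and the impostor is rejected, and with no CA configured even the genuine backend is rejected (which is the error the original configuration ran into); with `InsecureSkipVerify` both backends are accepted, so the proxy can no longer tell a forged backend from the real one. Mounting the CA secret and setting `rootCAs` alone is enough; once it works, the `insecureSkipVerify` flag in the deployment above can be dropped.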