I have a k8s cluster with Consul service mesh and Traefik as load balancer. Traefik has a sidecar proxy attached to its container. I want to run Redis in the cluster and expose it through Traefik to the WAN.
My Redis instance does not use TLS by itself, but Consul uses mTLS to encrypt traffic between the sidecar proxies. Because of that, the connection traffic between Traefik's sidecar proxy and Redis' sidecar proxy is TLS encrypted.
Now the issue that I have is that I don't know how to make Traefik not expose this mTLS certificate to the WAN. If I try to connect from the WAN to `loadbalancer-public-ip:6379` via `openssl -showcerts`, it will show me a CN similar to `redismaster.svc.default.e5833990.consul`. However, if I shell into the Traefik container and try to do the same on `redis-master.default.svc.cluster.local:6379`, then I won't be served this certificate.
Below is my lousy attempt to visualise the issue and my understanding of how this works.