Please Help grpc TLS settings

csangh · November 7, 2023, 8:48am

I am deploying Traefik 2.9.1 version in kubernetes environment through helm-chart. I used websecure entrypoint and ingressroute to route to grpc server.

After setting everything up, when I tested the app -> Traefik -> gRPC, I am getting a TLS Handshake error (PEER_DID_NOT_RETURN_A_CERTIFICATE) from the gRPC server.

The TLS communication between the app and the gRPC server is working fine without Traefik in the middle.

Below is an excerpt of my source code

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: 'test-ingressroute'
  namespace: test
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: PathPrefix(`/test`)
      services:
        - name: grpc
          port: 8082
          scheme: https
      middlewares:
        - name: 'test-middleware'
    tls:
      enabled: true
      options:
        name: test-cert
        namespace: test
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: 'test-middleware'
spec:
  stripPrefix:
    prefixes:
      - /test

---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: test-cert
  namespace: test
spec:
  clientAuth:
    secretNames:
      - ca-cert
    clientAuthType: RequireAndVerifyClientCert
  curvePreferences:
    - CurveP521
    - CurveP384
  cipherSuites:
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256
  sniStrict: true

In a architecture like this, is it possible to have the app connect to Traefik and the grpc via mTLS? I'm also wondering if I'm missing any configuration.
( I tried serversTransport.insecureSkipVerify but not worked )

And when configuring the server solely with helm-chart, without using a separate provider, I was wondering if it is possible to handle it with DNS-based communication instead of IP-based communication. (If there is documentation, I would appreciate a link).

csangh · November 7, 2023, 9:02am

Incidentally, server.key, server.crt, client.key, and client.crt generated from the same ca are registered in k8s secret, and gRPC is using server.key, server.crt, and client.crt to process tls communication, and app is using client.key and client.crt to make requests. Traefik has registered TLSOption for ca only.

Add informations) I was informed that additional ServersTransport settings were required, so I set them up, but I'm still experiencing the same issue. I need to do a TLS handshake with Traefik on gRPC, but I've set it to run over mTLS, and Traefik doesn't seem to be able to submit the certificate. What process am I missing?

bluepuma77 · November 9, 2023, 7:03am

You can set a serverTransport globally or create a serverTransport as dynamic config. But then you need to assign it to the service.

csangh · November 12, 2023, 5:03pm

You said to assign it to a Service, is that the same as assigning it to an IngressRoute?

bluepuma77 · November 12, 2023, 5:56pm

Sorry, I am only using Docker, no k8s. I would assume it’s kind of like the middleware you have declared and then assigned to the router.

Topic		Replies	Views
TLSStore not used and no error messages in the logs Traefik v2 (latest) kubernetes-crd	1	202	November 27, 2023
How to pass-through TLS with Traefik Kubernetes Ingress? Traefik v2 (latest) kubernetes-ingress	1	1873	July 17, 2023
Http --> https grpc with insecure error Traefik v2 (latest) tcp , middleware	1	985	April 1, 2020
Setup TLS/SSL, need help Traefik v2 (latest) kubernetes-ingress	3	680	April 16, 2021
mTLS Between Client and Backend Server via Traefik Traefik v2 (latest) kubernetes-ingress	1	1509	June 30, 2020

Please Help grpc TLS settings

Related Topics