Please Help grpc TLS settings

csangh · November 7, 2023, 8:48am

I am deploying Traefik 2.9.1 version in kubernetes environment through helm-chart. I used websecure entrypoint and ingressroute to route to grpc server.

After setting everything up, when I tested the app -> Traefik -> gRPC, I am getting a TLS Handshake error (PEER_DID_NOT_RETURN_A_CERTIFICATE) from the gRPC server.

The TLS communication between the app and the gRPC server is working fine without Traefik in the middle.

Below is an excerpt of my source code

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: 'test-ingressroute'
  namespace: test
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: PathPrefix(`/test`)
      services:
        - name: grpc
          port: 8082
          scheme: https
      middlewares:
        - name: 'test-middleware'
    tls:
      enabled: true
      options:
        name: test-cert
        namespace: test
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: 'test-middleware'
spec:
  stripPrefix:
    prefixes:
      - /test

---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: test-cert
  namespace: test
spec:
  clientAuth:
    secretNames:
      - ca-cert
    clientAuthType: RequireAndVerifyClientCert
  curvePreferences:
    - CurveP521
    - CurveP384
  cipherSuites:
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    - TLS_AES_256_GCM_SHA384
    - TLS_CHACHA20_POLY1305_SHA256
  sniStrict: true

In a architecture like this, is it possible to have the app connect to Traefik and the grpc via mTLS? I'm also wondering if I'm missing any configuration.
( I tried serversTransport.insecureSkipVerify but not worked )

And when configuring the server solely with helm-chart, without using a separate provider, I was wondering if it is possible to handle it with DNS-based communication instead of IP-based communication. (If there is documentation, I would appreciate a link).

csangh · November 7, 2023, 9:02am

Incidentally, server.key, server.crt, client.key, and client.crt generated from the same ca are registered in k8s secret, and gRPC is using server.key, server.crt, and client.crt to process tls communication, and app is using client.key and client.crt to make requests. Traefik has registered TLSOption for ca only.

Add informations) I was informed that additional ServersTransport settings were required, so I set them up, but I'm still experiencing the same issue. I need to do a TLS handshake with Traefik on gRPC, but I've set it to run over mTLS, and Traefik doesn't seem to be able to submit the certificate. What process am I missing?

bluepuma77 · November 9, 2023, 7:03am

You can set a serverTransport globally or create a serverTransport as dynamic config. But then you need to assign it to the service.

csangh · November 12, 2023, 5:03pm

You said to assign it to a Service, is that the same as assigning it to an IngressRoute?

bluepuma77 · November 12, 2023, 5:56pm

Sorry, I am only using Docker, no k8s. I would assume it’s kind of like the middleware you have declared and then assigned to the router.

Topic		Replies	Views
End to End TLS in gRPC on Kubernetes Traefik v1 kubernetes-ingress	1	2006	July 26, 2019
[SOLVED] How to using kubernetes traefik proxy grpc Traefik v2 kubernetes-ingress	2	5165	May 10, 2021
GRPC (with TLS) receiving Plain Text response Traefik v2 kubernetes-crd , kubernetes-ingress	13	7444	October 1, 2020
How to implement a gRPC with http and https Traefik v2 kubernetes-ingress	2	1418	January 10, 2024
TLSStore not used and no error messages in the logs Traefik v2 kubernetes-crd	1	275	November 27, 2023

Please Help grpc TLS settings

Related topics