Hi Traefik team,
I’m looking for full SPIFFE support (inbound + outbound). Currently, Traefik handles outbound mTLS but cannot serve x509-SVID obtained from SPIRE agent for incoming connections.
It seems like there is existing discussion that was forgotten.
opened 09:12AM - 18 Oct 22 UTC
kind/enhancement
area/tls
contributor/wanted
### Welcome!
- [X] Yes, I've searched similar issues on [GitHub](https://github… .com/traefik/traefik/issues) and didn't find any.
- [X] Yes, I've searched similar issues on the [Traefik community forum](https://community.traefik.io) and didn't find any.
### What did you expect to see?
## Context and Feature Description
This is a follow up of #9376 (SPIFFE between backend servers and Traefik). I would like to propose to allow Traefik to serve its x509-SVID server side.
The use case I have in mind for this is with [SPIRE federation](https://spiffe.io/docs/latest/architecture/federation/readme/) in a multi-cluster setup over a public network. This would allow having a workload running in the first cluster establishing a secure mTLS connection with a Traefik instance running in the other cluster seamlessly, but I believe there could be many more usages to this, maybe also Maesh could benefit from something like this?
The alternative would be to either bypass Traefik or do a TLS passthrough to establish the mTLS connection with a spiffe aware backend server, which could also work.
## How to implement this Feature
We could imagine three use cases here:
- Traefik serving its x509-SVID but not requiring any client cert.
- Traefik serving a non SPIFFE certificate, but requiring a valid x509-SVID from the client
- Traefik serving its x509-SVID and requiring an x509-SVID from the client (mTLS)
I would tend to think that the latter case (mTLS) should be the default case, but still maintain the possibility of turning off either serving Traefik SVID or validating a client SVID.
Also, this certificate setup should be scoped per Router, so I would go for adding a `spiffe` section under the TLSOptions struct.
```yaml
tls:
options:
someOption:
spiffe:
servesSVID: true # Tells traefik to serve its x509-SVID (default true)
validateClientCert: true # Tells traefik to validate the client cert using the SPIFFE CA (default true).
ids: # List of allowed client SPIFFE IDs (optional)
- spiffe://trustdomain.com/some/spiffeid
trustDomain: trustdomain.com # Trusted domain (optional)
```
The configuration could look like this in a k8s CRD, where I want to enable SPIFFE mTLS on a router for a single caller.
```yaml
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: echo-gateway-internal
namespace: echo-gateway
spec:
spiffe: # Turns on SPIFFE for this router, by default is is mTLS.
ids: # List of allowed client SPIFFE IDs
- "spiffe://demo.voiapp.io/ns/traefik-external/sa/traefik-external"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: echo-gateway-internal
namespace: echo-gateway
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: spiffe
traefik.ingress.kubernetes.io/router.tls.options: echo-gateway-echo-gateway-internal@kubernetescrd
spec:
ingressClassName: traefik-internal
rules:
- host: echo-internal.localhost
http:
paths:
- backend:
service:
name: echo-gateway
port:
name: https
path: /echo
pathType: Prefix
```
### Proof of concept and code changes
I've extended my previous PoC to test this case, it sets up a Traefik instance behind a Traefik instance and have them establish a mTLS connection between them using SPIFFE. This use case doesn't make any sense in real life.
- [PoC runtime](https://github.com/jlevesy/spire-testbed#traefik-external---traefik-internal---echo-gateway) where you can find all the configuration.
- [Code Changes](https://github.com/traefik/traefik/compare/master...jlevesy:traefik:jl/spiffe-server-side)
Let me know what do you think about this.
… there’s a PoC/code patch proposing how to implement it. Is there any plan to introduce this feature?