Strange behavior in multi-traefik Kubernetes cluster

I decided to gather some in-depth community knowledge before eventually filing an issue on this.

We run a Kubernetes cluster with multiple Traefik instances in separate namespaces. All Traefik instances serve different domains with TLS supported by either cert-manager or static-based certificates. Recently I've tried to disable TRAEFIK DEFAULT CERT by enabling sniStrict in the default TLSOption - but it works only for two instances. Others still serve that default certificate upon connection with an invalid SNI. It seems that only these two instances pick and use the default options, and yes, we have only one default option in the whole cluster. Other TLSOptions have different names and are used by name in IngressRoute CRs. All Traefik instances are running the latest 2.8.5 version.

What I've tested so far:

  • After disabling sniStrict in default the two properly working instances start serving the default certificate as expected; after enabling strict checking again they stop again;
  • Restarting a non-working instance doesn't fix the issue;
  • Some namespace shared error handling routes use Host(``{host:.+}``) which I thought may cause problems (at least it's logged as a warning during Traefik startup), but one of the working instances also has this kind of route, so this probably isn't that.

Any clues what may cause this issue? What can I check next?

I've also searched through the source files, and it seems that an issue (if any) may be related to this function: traefik/snicheck.go at a79868fadc9499b849a395aebccb18572152227b · traefik/traefik · GitHub, or the one below
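For readers following the thread, here is an added example (not the poster's manifests, and not Traefik project code) of the two configuration shapes the post describes on Traefik 2.8: a single TLSOption named default with sniStrict enabled, and a named TLSOption that an IngressRoute references explicitly through tls.options. The namespace names (traefik-system, app-a), the host app-a.example.com, the Service and Secret names are placeholders.

```yaml
# Added example, not from the original post. Namespaces, host, Service and
# Secret names are placeholders.

# The single cluster-wide "default" TLSOption. An IngressRoute that sets no
# tls.options falls back to this one.
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: traefik-system   # placeholder: namespace of one Traefik instance
spec:
  minVersion: VersionTLS12
  sniStrict: true             # refuse handshakes whose SNI matches no configured host
---
# A named option for routes that reference it explicitly; it also enables
# sniStrict so the behaviour does not depend on which instance loads "default".
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: strict-sni
  namespace: app-a            # placeholder
spec:
  minVersion: VersionTLS12
  sniStrict: true
---
# An IngressRoute that uses the named option by name and namespace.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-a
  namespace: app-a            # placeholder
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`app-a.example.com`)   # placeholder host
      kind: Rule
      services:
        - name: app-a                    # placeholder Service
          port: 80
  tls:
    secretName: app-a-tls                # placeholder Secret holding the certificate
    options:
      name: strict-sni
      namespace: app-a
```

To see which instances actually honour sniStrict, connect to each Traefik entrypoint with an SNI that matches none of its hosts, for example `openssl s_client -connect <instance-ip>:443 -servername nonexistent.invalid </dev/null 2>/dev/null | openssl x509 -noout -subject`. An instance that applies sniStrict rejects the handshake and no certificate is printed; an instance still serving TRAEFIK DEFAULT CERT prints that subject. Running the same command against every instance gives a quick per-instance picture of the behaviour the post reports.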