TCP TLS termination Router

Hi all.
I'm trying to configure a TCP router to finish TLS connections based on a self-generated certificate. This is the router spec:

```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: go-echo-ingress-ssl
  namespace: kube-system
spec:
  entryPoints:
    - tcp-ep
  routes:
    - match: HostSNI(`ssl-telnet.localhost.test`)
      kind: Rule
      services:
        - name: tcp-echo-service
          port: 2701
  # tls is a spec-level field (sibling of routes), not part of a route
  tls: {}
```

My static traefik configuration is:

```yaml
# Traefik2 settings
args:
  - "--entryPoints.{{ .Values.ports.http_entrypoint.name }}.address=:{{ .Values.ports.http_entrypoint.port }}"
  - "--entryPoints.{{ .Values.ports.tcp_entrypoint.name }}.address=:{{ .Values.ports.tcp_entrypoint.port }}"
  - "--api.dashboard=true"
  - "--api.insecure=true"
  - "--ping=true"
  - "--providers.kubernetescrd"
  - "--log.level={{ .Values.logs.logLevel }}"
  - "--api"
  - "--accesslog"
```

Added my own certificates as secrets:

```yaml
volumeMounts:
  - mountPath: "/etc/traefik/certs"
    name: my-ssl
    readOnly: true

volumes:
  # volume name must match the volumeMount name above
  - name: my-ssl
    secret:
      secretName: my-ssl
```

The thing is that I'm getting this message:

```
time="2019-10-22T12:47:37Z" level=warning msg="TCP Router ignored, cannot specify a Host rule without TLS" entryPointName=tcp-ep routerName=kube-system-go-echo-ingress-ssl-20b95bd4775357705977@kubernetescrd
```

Can anyone help?

Hi @danimurga, with the configuration you provided, Traefik does not know of the existence of the certificates: they are only mounted, but never configured in Traefik.

As described in the documentation for TLS in the IngressRoute (ref. https://docs.traefik.io/v2.0/routing/providers/kubernetes-crd/#tls), you must specify a secretName: field in the tls: section:

Replace, in the IngressRoute,

```yaml
tls: {}
```

by

```yaml
tls:
  secretName: my-ssl
```

and remove the certificate volume mount from Traefik's pod, as the certificate will be retrieved from the secret dynamically.

Alternatively, you can keep the certificate mounted in Traefik's pod, and specify the certificate by using the file provider of Traefik: https://docs.traefik.io/v2.0/https/tls/#user-defined . This solution is tedious as it requires enabling the file provider + setting a configmap mounted in Traefik with the dynamic configuration for tls.store + setting the file provider to point to this mounted file.
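Putting the two options from the answer above side by side, as an added example that is not part of the original thread or of the linked workshop: the TLS Secret, the IngressRouteTCP with `tls.secretName` at `spec` level, and, for the alternative, the file-provider dynamic configuration delivered as a ConfigMap. The names `ssl-telnet.localhost.test`, `my-ssl`, `tcp-ep`, `tcp-echo-service` and the `kube-system` namespace come from the thread; the `traefik-dynamic-tls` ConfigMap name, the `/etc/traefik/dynamic/tls.yaml` path and the `<base64 ...>` placeholders are assumptions.

```yaml
# Added example, not the original poster's manifests.
#
# 1. The certificate as a TLS secret. Traefik's kubernetes-crd provider reads
#    the keys "tls.crt" and "tls.key" and looks the secret up in the namespace
#    of the IngressRouteTCP that references it (kube-system here). Equivalent:
#      kubectl -n kube-system create secret tls my-ssl --cert=tls.crt --key=tls.key
apiVersion: v1
kind: Secret
metadata:
  name: my-ssl
  namespace: kube-system
type: kubernetes.io/tls
data:
  tls.crt: <base64 PEM certificate chain>   # placeholder, not real data
  tls.key: <base64 PEM private key>         # placeholder, not real data
---
# 2. The router. HostSNI() is read from the TLS ClientHello, so a TCP router
#    with any HostSNI other than `*` must have a tls section; without it the
#    router is ignored with the warning quoted in the question. The tls block
#    is a sibling of routes, not a field of a route.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: go-echo-ingress-ssl
  namespace: kube-system
spec:
  entryPoints:
    - tcp-ep
  routes:
    - match: HostSNI(`ssl-telnet.localhost.test`)
      services:
        - name: tcp-echo-service
          port: 2701
  tls:
    secretName: my-ssl   # Traefik terminates TLS; the backend sees plaintext TCP
---
# 3. Alternative: keep the secret mounted at /etc/traefik/certs (the original
#    volumeMount) and declare the files through the file provider. Add to the
#    static args (assumed path):
#      --providers.file.filename=/etc/traefik/dynamic/tls.yaml
#    and mount this ConfigMap at /etc/traefik/dynamic. The IngressRouteTCP can
#    then keep "tls: {}": the certificate is selected from the default store by
#    SNI, and defaultCertificate covers clients that send no matching SNI.
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-dynamic-tls
  namespace: kube-system
data:
  tls.yaml: |
    tls:
      certificates:
        - certFile: /etc/traefik/certs/tls.crt
          keyFile: /etc/traefik/certs/tls.key
      stores:
        default:
          defaultCertificate:
            certFile: /etc/traefik/certs/tls.crt
            keyFile: /etc/traefik/certs/tls.key
```

To check which certificate is actually served, connect with `openssl s_client -connect <node>:<tcp_entrypoint_port> -servername ssl-telnet.localhost.test -showcerts` and compare the subject with the secret's certificate; repeat with `-noservername` to confirm that a client without SNI gets the default-store certificate rather than the one for this host. With a self-signed certificate expect a `verify error` unless `-CAfile` points at it. Unrelated to the fix, note that `--api.insecure=true` in the static configuration above serves the dashboard and API without authentication on port 8080; keep it off anywhere that port is reachable.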

Hi,
Thanks for your help! I was able to fix our issue!
I've just prepared that workshop for my team mates: https://github.com/danimurga/traefik2_workshop
Hope someone can use it!
