TCP TLS termination Router

danimurga · October 22, 2019, 12:55pm

Hi all.
I'm trying to configure a TCP router to finish TLS connections based on a self-generated certificate. This is the router spec:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
   name: go-echo-ingress-ssl
   namespace: kube-system
spec:
  entryPoints:
    - tcp-ep
  routes:
  - match: HostSNI(`ssl-telnet.localhost.test`)
    kind: Rule
    services:
    - name: tcp-echo-service
      port: 2701
    tls: {}

My static traefik configuration is:

 # Traefik2 settings
        args:
          - "--entryPoints.{{ .Values.ports.http_entrypoint.name }}.address=:{{ .Values.ports.http_entrypoint.port }}"
          - "--entryPoints.{{ .Values.ports.tcp_entrypoint.name }}.address=:{{ .Values.ports.tcp_entrypoint.port }}"
          - "--api.dashboard=true"
          - "--api.insecure=true"
          - "--ping=true"
          - "--providers.kubernetescrd"
          - "--log.level={{ .Values.logs.logLevel }}"
          - "--api"
          - "--accesslog"

Added my own certificates as secrets:

 volumeMounts:
          - mountPath: "/etc/traefik/certs"
            name: my-ssl
            readOnly: true

volumes:
       - name: myl-ssl
         secret:
           secretName: my-ssl

The thing is that i'm getting this message:

time="2019-10-22T12:47:37Z" level=warning msg="TCP Router ignored, cannot specify a Host rule without TLS" entryPointName=tcp-ep routerName=kube-system-go-echo-ingress-ssl-20b95bd4775357705977@kubernetescrd

Can anyone help¿

dduportal · October 24, 2019, 8:12am

Hi @danimurga, with the configuration you provided, Traefik does not know the existence of the certificates: its only mounted, but never configured in Traefik.

As described in the documentation for TLS in the IngressRoute (ref. https://docs.traefik.io/v2.0/routing/providers/kubernetes-crd/#tls), you must specify a field secretName: for the tls: sections:

Replace, in the IngressRoute,

tls: {}

by

tls:
  secretName: my-ssl

and remove the certificate volume mount from Traefik's pod, as the certificate will be retrieved from the secret dynamically.

Alternatively, you can keep the certificate mounted in Traefik's pod, and specify the certificate by using the file provider of Traefik: https://docs.traefik.io/v2.0/https/tls/#user-defined . This solution is tedious as it requires enabling the file provider + setting a configmap mounted in Traefik with the dynamic configuration for tls.store + setting the file provider to point to this mounted file.

danimurga · October 29, 2019, 8:36am

Hi,
Thanks for your help! I was able to fix our issue!
I've just prepared that workshop for my team mates: https://github.com/danimurga/traefik2_workshop
Hope someone can use it!

Topic		Replies	Views
IngressrouteTCP TLS Termination - K8s Traefik v2 kubernetes-crd	2	560	June 26, 2022
TCP router with TLS not working Traefik v2 tcp	1	1286	October 31, 2019
Connection errors for tcp endpoint via IngressRouteTCP Traefik v2 kubernetes-crd , tcp	0	1791	December 18, 2019
IngressRouteTCP with TLS backend Traefik v2 kubernetes-crd	0	501	May 17, 2021
Hosting a HTTP-App on a custom TCP-Port with TLS Traefik v2 kubernetes-crd , kubernetes-ingress , tcp	1	1299	March 25, 2022

TCP TLS termination Router

Related topics