TLS passthrough with SNI and K3S

Hiya,

I have a service in kubernetes (k3s) that terminates it's own HTTPS connection and I'm running a recent k3s installation that has traefik installed as an ingress provider.

Are there any examples of configuring a kubernetes ingress to do TLS passthrough using SNI rather than termination+re-encrypt.

I am seeing that I can set various annotations in the kubernetes Ingress so I'm guessing I need some traefik specific annotations?

Many thanks

Ian

Hi @inorton, the default traefik installation in k3s is using v1.7: https://github.com/rancher/k3s/blob/master/manifests/traefik.yaml#L7 -> https://github.com/helm/charts/blob/master/stable/traefik/values.yaml#L3.

Enabling TLS passthrough (without decryption by Traefik) requires to use Traefik v2.0 which support TCP routing (with SNI), which v1.7 does not.

How to make it work in k3s?

• Use the argument --no-deploy traefik when starting the k3s master(s) as specified in https://rancher.com/docs/k3s/latest/en/networking/#traefik-ingress-controller, so default Traefik v1.7 is not installed
• Install Traefik v2.0 using the beta helm chart (we are working actively on it) from https://github.com/containous/traefik-helm-chart . Automating this should be easy with https://rancher.com/docs/k3s/latest/en/configuration/#using-the-helm-crd .

You might find useful examples here: https://github.com/containous/slides/tree/meetup-sf-devops-2019/demo/traefik-v2/canary/k8s (a demo of one of our talks: context is different than yours, but demonstrate Traefik v2.0 with k3s).

Regarding the TLS passtrough, you'll have to:

• Check what changed from Traefik v1.7 to v2.0 by checking the migration guide at https://docs.traefik.io/v2.0/migration/v1-to-v2/
• Define an "IngressRouteTCP" object (check https://docs.traefik.io/v2.0/routing/providers/kubernetes-crd/ for more informations), specifying the tls passthrough option