TLS via secretName Kubernetes

wattymelon · October 7, 2019, 3:41pm

Hi

Running into an issue whereby Traefik can't seem to see/find a secret which contains TLS certs.

Secret

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: my-namespace
data:
  tls.crt: base 64 encoded crt file LS0tLS1CRUd....
  tls.key: base 64 encoded key file LS0tLS1CRUd....

Ingress route

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: my-app
  namespace: my-namespace
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`my-app.domain`)
    kind: Rule
    services:
    - name: my-app
      port: 1234
    middlewares:
    - name: ipwhitelist
  tls:
    secretName: mysecret

Error I'm getting from Traefik

Error configuring TLS: secret my-namespace/mysecret does not exist" ingress=my-app namespace=my-namespace providerName=kubernetescrd

Anyone else running into issues like this? Any ideas?

Thanks!

lakano · October 22, 2019, 3:20pm

Hello @wattymelon

Could you explain how do you have created your Secret yaml file please?
Is it a self-signed certs ?

Thanks

wattymelon · October 22, 2019, 3:23pm

Sure! I used the below YAML as per the docs

wattymelon:

Secret

apiVersion: v1
kind: Secret
metadata:
  name: mysecret
  namespace: my-namespace
data:
  tls.crt: base 64 encoded crt file LS0tLS1CRUd....
  tls.key: base 64 encoded key file LS0tLS1CRUd....

And nope! Not self signed.

Thanks!

lakano · October 22, 2019, 3:25pm

So, you're in the same situation as me, you need to replace the tls.crt / tls.key data with real keys/crt, and base64 encoded. The documentation doesn't explain how.

wattymelon · October 22, 2019, 3:50pm

Just to confirm..

I didn't use the defaults from the documentation. I did replace tls.crt and tls.key with the real certificate.
I quoted them as below to keep the crt and key private.

lakano · October 22, 2019, 3:51pm

Oh ok, could you please tell me how did you do that please? I've believed you was in the same situation as me.

wattymelon · October 22, 2019, 3:53pm

Sure! You can use something like the below..

kubectl create secret tls CERT_NAME --key KEY_FILE --cert CERT_FILE

Replacing CERT_NAME for what you want the secret to be called. KEY_FILE with the cert .key file. Finally CERT_FILE with the cert .crt file

You can also add -n namespace to place it in a certain namespace.

Hope your's work!

lakano · October 22, 2019, 3:57pm

Thanks a lots, but I would mean, how to generate the .crt / .key file, because I've believed openssl tool was requirede only for self-signed TLS, and I've believed Traefik could request TLS automaticaly.
To not continue to hijack your initial post, you may be prefer to answer on this thread: Question about kubernetes secret for TLS on v2 CRD

Topic		Replies	Views
Kubernetes TLS unsupported versions Traefik v2 kubernetes-crd , kubernetes-ingress , tcp	11	3117	July 22, 2020
Can I set namespace for TLS secretName in IngressRoute? Traefik v2 kubernetes-crd	4	7658	October 29, 2019
IngressRoute with "secretName" field still serves with default certificate Traefik v2 kubernetes-crd	18	4782	January 9, 2020
TLS secret associated with Ingress resource in K8s isn't used Traefik v2 kubernetes-ingress	1	442	October 14, 2022
Kubernetes IngressRoute with TLS secret Traefik v2 kubernetes-ingress	2	3593	November 12, 2019

TLS via secretName Kubernetes

Related topics