Unable to access automatically generated certificates from deployment/pod

Traefik Traefik v2
,
1

Hi traefik engineers,

I'm using traefik in a kubernetes environment and am trying to pass automatically generated certificates (through let's encrypt and are stored as json in the acme.json file) to a deployment or pod as certification files.
As an example have a look at the kubernetes dashboard application: https://github.com/kubernetes/dashboard/blob/master/docs/user/installation.md#recommended-setup
It's one of the use cases where such a scenario is highly recommended in comparison to transferring the data within the cluster unencrypted. Because it's a security vulnerability once a pod in the cluster has gained access to the network traffic.

I'm not a Kubernetes expert, but in case there's no solution for this purpose yet, maybe a volume type CRD which would provide the mounting of certificates in pods from a specified certResolvers and domain.

That's how a simplified pseudo deployment (from the example above) could look like:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: kubernetes-dashboard
spec:
  template:
    spec:
      volumes:
        - name: kubernetes-dashboard-certs
          certResolver:
            - name: letsencrypt
              domains:
                - main: "example.com"
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.0.4
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --tls-cert-file=/tls.crt
            - --tls-key-file=/tls.key
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs

Thanks for your help.

Awesome proxy BTW!

2

It is not clear to me what you are trying to achieve. If your goal is to re-use certificate that traefik requested from LE and stored in acme.json you can use a script simialr to this one to get the certificates in pem format.

If your goal is to have tls encryption between traefik and a pod, then:

  • It's up to you to manage applications within pods with appropriate certificates. If an app within pod answers on http, then there is not much you can do apart from using something like istio or consul connect or maesh. If an app within pod answer on https then it's app specific how the certificate gets installed, so traefik cannot know that
  • Currently with kubernetes you have to use insecureSkipVerify when using TLS between traefik and a pod. This is because traefik currently calls pods by IP address, and thus certificate checking is not possible. There is a fix for that but we will not see it until traefik v2.4.