I'm having a rough time getting passTLSClientCert in k3s to pass a client cert for mTLS to a backend service. I have created a simple example and uploaded it to GitHub.
In this example, I don't need Traefik to do TLS termination. I just need it to pass the certificate and traffic as is.
After deploying, the whoami pod responds with the typical information besides the user certificate.
I use the curl command to test it, which is also included as a script in the GitHub repo.
curl -kvvv https://${HOST}/who --cacert rootCA.crt --cert genCerts/fredFlintstone.crt --key certs/fredFlintstone.key
and the whoami container responds with
* Trying 172.18.32.231...
* Connected to vdi-rh-21 (172.18.32.231) port 443 (#0)
* Initializing NSS with certpath: sql:/etc/pki/nssdb
* skipping SSL peer certificate verification
* SSL connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate:
* subject: CN=TRAEFIK DEFAULT CERT
* start date: Oct 02 23:20:05 2023 GMT
* expire date: Oct 01 23:20:05 2024 GMT
* common name: TRAEFIK DEFAULT CERT
* issuer: CN=TRAEFIK DEFAULT CERT
> GET /who HTTP/1.1
> User-Agent: curl/7.29.0
> Host: vdi-rh-21
> Accept: */*
>
< HTTP/1.1 200 OK
< Content-Length: 399
< Content-Type: text/plain; charset=utf-8
< Date: Mon, 02 Oct 2023 23:43:52 GMT
<
Hostname: whoami-deployment-6dd5579bf5-ts76t
IP: 127.0.0.1
IP: 10.42.0.81
RemoteAddr: 10.42.0.43:50638
GET / HTTP/1.1
Host: vdi-rh-21
User-Agent: curl/7.29.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 10.42.0.1
X-Forwarded-Host: vdi-rh-21
X-Forwarded-Port: 443
X-Forwarded-Prefix: /who
X-Forwarded-Proto: https
X-Forwarded-Server: traefik-589f957974-5sdzw
X-Real-Ip: 10.42.0.1
* Connection #0 to host vdi-rh-21 left intact
My IngressRoute and middlewares look like the following. The rest of the details are in the GitHub repo mentioned at the beginning.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutetls
  namespace: who
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`vdi-rh-21`) && PathPrefix(`/who`)
      kind: Rule
      middlewares:
        - name: pass-client-cert
          namespace: who
        - name: stripprefix
          namespace: who
      services:
        - name: whoami-service
          port: 443
  # tls: # This route uses TLS
  #   certResolver: myresolver
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: pass-client-cert
  namespace: who
spec:
  passTLSClientCert:
    pem: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: stripprefix
  namespace: who
spec:
  stripPrefix:
    prefixes:
      - /who
I'm assuming I'm missing some sort of fundamental part of why Traefik isn't behaving as expected. But I'm out of ideas on why. Any hints or suggestions are appreciated.
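Added example, not part of the original post or its repo: passTLSClientCert is an HTTP-layer middleware, so the only certificate it can forward is one that Traefik itself received during the TLS handshake. That means Traefik has to terminate TLS for the route and has to be configured to request a client certificate. The route above has no tls block, so it is served with Traefik's default certificate (the CN=TRAEFIK DEFAULT CERT in the curl output) and no client certificate is ever requested; curl only sends the --cert when the server asks for it, so whoami never sees one. The manifests below attach a TLSOption with clientAuth to the route, after which the middleware adds an X-Forwarded-Tls-Client-Cert header carrying the URL-encoded PEM of the client certificate. The TLSOption name mtls-clients, the Secret name client-ca and the base64 placeholder are assumptions; the namespace, host, service and middleware names are the ones from the post.

```yaml
# Assumed Secret holding the CA that signed the client certificates
# (the rootCA.crt passed to curl --cacert in the post). Traefik reads the
# CA bundle from the "tls.ca" key of each secret listed in clientAuth.secretNames.
apiVersion: v1
kind: Secret
metadata:
  name: client-ca          # assumed name
  namespace: who
type: Opaque
data:
  tls.ca: <base64 of rootCA.crt>   # placeholder: base64 -w0 rootCA.crt
---
# TLSOption telling Traefik to request and verify a client certificate.
# RequireAndVerifyClientCert rejects handshakes without a valid client cert;
# use RequestClientCert instead if the backend should decide what to do
# when no certificate is presented.
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: mtls-clients       # assumed name
  namespace: who
spec:
  minVersion: VersionTLS12
  clientAuth:
    secretNames:
      - client-ca
    clientAuthType: RequireAndVerifyClientCert
---
# Same route as in the post, but with a tls block so Traefik terminates TLS
# with the client-auth options above. Without secretName Traefik keeps using
# its default certificate, which is enough to demonstrate the header.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroutetls
  namespace: who
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`vdi-rh-21`) && PathPrefix(`/who`)
      kind: Rule
      middlewares:
        - name: pass-client-cert
          namespace: who
        - name: stripprefix
          namespace: who
      services:
        - name: whoami-service
          port: 443
  tls:
    options:
      name: mtls-clients
      namespace: who
---
# Unchanged from the post: with pem: true the middleware puts the full
# client certificate (URL-encoded PEM) into X-Forwarded-Tls-Client-Cert.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: pass-client-cert
  namespace: who
spec:
  passTLSClientCert:
    pem: true
```

With this applied, the same curl command from the post (keeping --cacert, --cert and --key) should show the server requesting a certificate in the verbose handshake output, and the whoami response should list an X-Forwarded-Tls-Client-Cert header whose value, once URL-decoded, is the fredFlintstone PEM. If the goal is instead for the backend itself to terminate TLS and see the client certificate directly, passTLSClientCert is the wrong tool: that needs a TCP router with TLS passthrough, in which case Traefik never sees the HTTP layer and cannot add headers at all.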