We have one frontend configured by a Kubernetes IngressRoute:
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: mymiddleware
spec:
  headers:
    customRequestHeaders:
      l5d-dst-override: myapp.example.com:80
    # An empty value removes the header from the response
    customResponseHeaders:
      l5d-remote-ip: ""
      l5d-server-id: ""
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: his-flex-web-dev
spec:
  routes:
    # First rule: the exact host
    - kind: Rule
      match: Host(`myapp.example.com`)
      middlewares:
        - name: mymiddleware
      services:
        - kind: Service
          name: myapp
          port: 80
    # Second rule: any subdomain of myapp.example.com
    - kind: Rule
      match: HostRegexp(`{regexpmatch:.*}.myapp.example.com`)
      middlewares:
        - name: mymiddleware
      services:
        - kind: Service
          name: myapp
          port: 80
  tls:
    secretName: mycert
```
When we use the first rule, we get the certificate saved on the Kubernetes secret `mycert`, but when we use the other endpoint, Traefik produces a self-signed certificate, which shouldn't even be possible as we set a cert on the default certstore (which also happens to be `mycert`).
```
curl -vk https://myapp.example.com/health 2>/dev/stdout | grep subject.*CN
* subject: C=US; ST=AA; L=MyCity; O=My Company; OU=My Department; CN=*.example.com
curl -vk https://appmodifier.myapp.example.com/health 2>/dev/stdout | grep subject.*CN
* subject: CN=TRAEFIK DEFAULT CERT
```
Default cert config:

```yaml
data:
  config.toml: |-
    [[tls.certificates]]
      certFile = "/certs/tls.crt"
      keyFile = "/certs/tls.key"
```
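
A simplified model of SNI-based certificate selection for the two hostnames above, as an added example that is not part of the original post and is not Traefik's code. It assumes `mycert` covers only the `*.example.com` name shown in the curl output (its SAN list is not shown) and that an unmatched name falls back to the proxy's generated certificate; `name_matches`, `select_certificate` and the store layout are hypothetical.

```python
"""Single-label wildcard matching applied to the two hostnames in the post."""


def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125 style match: '*' is only honoured as the entire left-most
    label and stands for exactly one DNS label, never for several."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False  # a wildcard cannot absorb extra labels
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h


def select_certificate(sni: str, store: dict, fallback: str) -> str:
    """Return the first certificate whose names cover the SNI value,
    otherwise the fallback (the generated default in this model)."""
    for cert_name, names in store.items():
        if any(name_matches(n, sni) for n in names):
            return cert_name
    return fallback


# Constructed data: names assumed from the subject CN in the curl output.
STORE = {"mycert": ["*.example.com"]}
# Constructed variant: the same certificate reissued with a second-level wildcard.
STORE_WITH_SUBDOMAIN_SAN = {"mycert": ["*.example.com", "*.myapp.example.com"]}
FALLBACK = "TRAEFIK DEFAULT CERT"
HOSTS = ["myapp.example.com", "appmodifier.myapp.example.com"]


def report(store: dict) -> dict:
    """Map each hostname from the post to the certificate this model serves."""
    return {host: select_certificate(host, store, FALLBACK) for host in HOSTS}


if __name__ == "__main__":
    for label, store in (("as issued", STORE),
                         ("with *.myapp.example.com", STORE_WITH_SUBDOMAIN_SAN)):
        for host, cert in report(store).items():
            print(f"{label:26} {host:32} -> {cert}")
```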