
using multiple rootCA

Open · soumiksamanta opened this issue 4 years ago · 1 comment

Traefik version: 2.2.11. I want to use two separate rootCAs for separate IngressRoutes. I have created two secrets, web-cert-tls and internal-cert-tls, which have tls.crt and tls.key generated from two different self-signed rootCAs.

Expectation:
https:// <--- use web-cert-tls
https://internal <--- use internal-cert-tls

Observed:
https:// <--- use internal-cert-tls
https://internal <--- use internal-cert-tls

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: internal-tls
spec:
  entryPoints:   # the IngressRoute CRD field is camelCase (entryPoints)
    - websecure
  routes:
  - kind: Rule
    match: PathPrefix(`/internal`)
    middlewares:
    - name: internal-middleware
    services:
    - kind: Service
      name: internal-service
      port: 8000
  tls:
    options:
      name: common-tlsoption
    passthrough: true
    secretName: internal-cert-tls
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: internal-middleware
spec:
  stripPrefix:
    prefixes:
    - /internal
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: web-tls
spec:
  entryPoints:   # the IngressRoute CRD field is camelCase (entryPoints)
    - websecure
  routes:
  - kind: Rule
    match: PathPrefix(`/`)
    middlewares:
    - name: web-middleware
    services:
    - kind: Service
      name: web-service
      port: 8000
  tls:
    options:
      name: common-tlsoption
    passthrough: true
    secretName: web-cert-tls
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: web-middleware
spec:
  stripPrefix:
    prefixes:
    - /
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: common-tlsoption
spec:
  clientAuth:
    clientAuthType: NoClientCert
  minVersion: VersionTLS13
  sniStrict: false

soumiksamanta · Mar 14 '21 18:03

I'm not sure this is directly related to Traefik Helm Charts. You probably should ask over there: https://github.com/traefik/traefik/issues

As a general observation, when using passthrough routes, Traefik is not in charge of terminating the TLS connection: your backend is. I'm not sure your tls.secretName is even used. Have you tried changing those passthrough settings to false? Any reason not to re-encrypt the connection? An annotation such as traefik.ingress.kubernetes.io/service.serversscheme: https could do (https://doc.traefik.io/traefik/routing/providers/kubernetes-ingress/), or setting the service scheme in your IngressRoute (https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/#kind-ingressroute).

Also, I'm wondering how Traefik could rewrite URLs without terminating the TLS connection. AFAIU, using HTTPS, the TLS handshake results in some common secret being negotiated with the backend serving your connection. In passthrough, Traefik only knows the SNI that was sent by the client when initiating its connection; the rest is between the client and whichever backend was identified. Once the TLS handshake is completed, HTTP goes into that encrypted channel: URLs would be encrypted. Am I missing something? How would that work? Can Traefik read/rewrite URLs without breaking encryption? The Traefik docs don't say much about passthrough limitations, though I suspect Middleware capabilities would be quite limited when used with passthrough. Better ask in the main Traefik repository; you're more likely to get responses from devs who know about that aspect of Traefik.

faust64 · Jun 13 '21 08:06