What should I do to access a service exposed on 443 (https) which has its own CA?
I think I should add this CA inside each traefik-ingress-controller pod by using a volume and a Kubernetes Secret.
Is it correct?
Hi @obeyler,
You should be able to create a secret like that:
kubectl create secret tls supersecret --key /path/to/tls.key --cert /path/to/tls.crt
And create an IngressRoute like that:
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroute
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`foo.com`) && PathPrefix(`/bar`)
      kind: Rule
      services:
        - name: s1
          port: 80
  tls:
    secretName: supersecret
    options:
      name: default
      namespace: default
And add the option:
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: default
  namespace: default
spec:
  clientAuth:
    secretNames:
      - secretCA
    clientAuthType: RequireAndVerifyClientCert
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ingressroute
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`dashboard.foo.com`) && PathPrefix(`/`)
      kind: Rule
      services:
        - name: k8sdashboard
          port: 443
  tls:
    secretName: supersecret
    options:
      name: tlsOptionK8S
      namespace: kube-system
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: tlsOptionK8S
  namespace: kube-system
spec:
  clientAuth:
    secretNames:
      - secretCA
    clientAuthType: RequireAndVerifyClientCert
Is it correct that secretCA is the CA that should validate the certificate exposed by the k8sdashboard service?
No, you have to use https://docs.traefik.io/routing/overview/#rootcas to be able to validate the certificate exposed by the k8sdashboard service.
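The two answers above hinge on one distinction: a TLSOption's clientAuth CA decides which clients Traefik accepts on its entrypoint, while rootCAs decides which upstream servers Traefik itself trusts when it dials a backend such as k8sdashboard. The Go program below is an added example, not code from this thread or from Traefik; it uses the same crypto/tls fields Traefik configures under the hood. It builds two throwaway CAs in memory (constructed for the demo, no files involved), stands up an httptest server in place of the dashboard, and then connects the way a proxy's backend transport would under three trust configurations. The CA names, serial numbers and the "demo-leaf" subject are invented for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// must panics on error; acceptable here because every failure is a bug in the demo itself.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue generates a P-256 key and a one-hour certificate for tmpl; with parent == nil it is self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Minute), time.Now().Add(time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// newCA builds a throwaway private CA (constructed for this demo) and a pool containing only it.
func newCA(name string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, *x509.CertPool) {
	cert, key := issue(&x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}, nil, nil)
	p := x509.NewCertPool()
	p.AddCert(cert)
	return cert, key, p
}

// leaf issues an end-entity certificate from ca for the given extended key usage.
func leaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, eku x509.ExtKeyUsage) tls.Certificate {
	cert, key := issue(&x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "demo-leaf"},
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{eku},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")}, // httptest's URL is verified against this SAN
	}, ca, caKey)
	return tls.Certificate{Certificate: [][]byte{cert.Raw}, PrivateKey: key}
}

// Outcome records whether each proxy-side connection attempt got HTTP 200 from the upstream.
type Outcome struct{ NoRootCA, NoClientCert, Both bool }

// RunDemo starts an HTTPS upstream whose certificate chains to a private CA and, when
// requireClientCert is set, demands a client certificate from a second, unrelated CA.
// RootCAs plays the role of serversTransport.rootCAs; ClientCAs/ClientAuth plays the
// role of a TLSOption's clientAuth. Neither setting substitutes for the other.
func RunDemo(requireClientCert bool) Outcome {
	upstreamCA, upstreamKey, upstreamPool := newCA("upstream private CA", 1)
	clientCA, clientKey, clientPool := newCA("client auth CA", 2)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { io.WriteString(w, "ok") }))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{leaf(upstreamCA, upstreamKey, 10, x509.ExtKeyUsageServerAuth)}}
	if requireClientCert {
		srv.TLS.ClientCAs = clientPool
		srv.TLS.ClientAuth = tls.RequireAndVerifyClientCert
	}
	srv.StartTLS()
	defer srv.Close()
	// connect dials the upstream the way a reverse proxy's backend transport would.
	connect := func(cfg *tls.Config) bool {
		c := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}, Timeout: 5 * time.Second}
		resp, err := c.Get(srv.URL)
		if err != nil {
			return false // handshake rejected by one side or the other
		}
		resp.Body.Close()
		return resp.StatusCode == http.StatusOK
	}
	clientCert := leaf(clientCA, clientKey, 20, x509.ExtKeyUsageClientAuth)
	return Outcome{
		NoRootCA:     connect(&tls.Config{Certificates: []tls.Certificate{clientCert}}),
		NoClientCert: connect(&tls.Config{RootCAs: upstreamPool}),
		Both:         connect(&tls.Config{RootCAs: upstreamPool, Certificates: []tls.Certificate{clientCert}}),
	}
}

func main() {
	fmt.Printf("clientAuth required: %+v\n", RunDemo(true))
	fmt.Printf("clientAuth off:      %+v\n", RunDemo(false))
}
```

With client authentication required, only the third attempt succeeds: the first fails because the proxy side does not trust the CA behind the upstream's certificate (the situation in the question, which rootCAs fixes), and the second fails because the upstream wants a client certificate the proxy never presents. With client authentication off, trusting the upstream CA alone is enough. Mapped back to Traefik: the CA that signed the k8sdashboard certificate belongs in serversTransport.rootCAs in the static configuration, as a file the Traefik pod can read (mounting it from a Secret, as proposed at the top of the thread, is one way to get it there), while the secretCA referenced by a TLSOption only governs which clients Traefik's own entrypoint accepts.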