Hello,
I'm trying to achieve this configuration in a Kubernetes cluster: have Traefik v2.1 performing TLS passthrough to
- Harbor (https://harbor.admin...)
- Notary (https://notary.admin...)
- Kubernetes dashboard (https://k8s-dashboard.admin....)
I'm using one IngressRouteTCP with a TraefikService per application/domain (pointing to Kubernetes services), and the Traefik dashboard shows that everything seems configured correctly (in the TCP routes and Services tabs).
Harbor and Notary have 2 separate Kubernetes services which point to the same nginx pod, while the Kubernetes dashboard has its own service pointing to its pod.
My problem is that if I request harbor/notary, the requests are routed correctly, but as soon as I perform a request to the Kubernetes dashboard, all subsequent requests are wrongly routed to the Kubernetes dashboard domain.
For all domains I'm using a self-signed star certificate: *.admin.... The CA has been imported on the machines and the certificate is correctly trusted.
If I use IngressRoutes with the https scheme and the same Kubernetes services configuration, all requests are routed correctly (with Traefik effectively behaving as TLS passthrough), but I have to set --serversTransport.insecureSkipVerify=true as a parameter in Traefik.
My questions are: does Traefik support my desired configuration (TCP routes + TLS passthrough for multiple domains, served by different pods)? Where can I find more examples regarding TLS passthrough? Or is my configuration wrong (very likely)?
Here is my configuration:
kind: IngressRouteTCP
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: harbor-tcp
  namespace: harbor
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: HostSNI(`harbor.admin.company.com`)
      services:
        - kind: TraefikService
          name: harbor
          namespace: harbor
          port: 8443
  tls:
    passthrough: true
    secretName: admin-tls
    domains:
      - main: "harbor.admin.company.com"
---
kind: IngressRouteTCP
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: notary-tcp
  namespace: harbor
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: HostSNI(`notary.admin.company.com`)
      services:
        - kind: TraefikService
          name: harbor
          namespace: harbor
          port: 4443
  tls:
    passthrough: true
    secretName: admin-tls
    domains:
      - main: "notary.admin.company.com"
---
kind: IngressRouteTCP
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: kubernetes-dashboard-tcp
  namespace: kubernetes-dashboard
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: HostSNI(`k8s-dashboard.admin.company.com`)
      services:
        - kind: TraefikService
          name: kubernetes-dashboard
          namespace: kubernetes-dashboard
          port: 443
  tls:
    passthrough: true
    secretName: admin-tls
    domains:
      - main: "k8s-dashboard.admin.company.com"
---
The relevant configuration for the services:
apiVersion: v1
kind: Service
metadata:
  name: harbor
  namespace: harbor
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 8080
      targetPort: 8080
    - name: https
      port: 8443
      targetPort: 8443
    - name: notary
      port: 4443
      targetPort: 4443
  selector:
    component: nginx
---
kind: Service
apiVersion: v1
metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
spec:
  ports:
    - name: https
      protocol: TCP
      port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
  type: ClusterIP
Thanks for your help.
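Added example (Python, not part of the post and not Traefik's code): a minimal ClientHello SNI extractor plus a routing table mirroring the three HostSNI rules above, showing that with `passthrough: true` the backend is selected once per TCP connection from the SNI alone, since Traefik never decrypts the stream and cannot see the HTTP Host header. The backend addresses are assumed cluster DNS names of the form `<service>.<namespace>.svc`.

```python
import struct
from typing import Optional, Tuple

# Constructed routing table mirroring the HostSNI rules in the IngressRouteTCP objects.
# Backend names are assumptions (Kubernetes cluster DNS), not values from the post.
ROUTES = {
    "harbor.admin.company.com": ("harbor.harbor.svc", 8443),
    "notary.admin.company.com": ("harbor.harbor.svc", 4443),
    "k8s-dashboard.admin.company.com": ("kubernetes-dashboard.kubernetes-dashboard.svc", 443),
}

def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying only an SNI extension (constructed test input)."""
    host = server_name.encode("ascii")
    sni_list = struct.pack("!BH", 0, len(host)) + host            # name_type host_name(0) + length + name
    sni_ext = struct.pack("!HH", 0, len(sni_list) + 2) + struct.pack("!H", len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)          # client_version TLS 1.2, 32-byte random (zeros)
            + b"\x00"                        # session_id length 0
            + b"\x00\x02\x13\x01"            # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                    # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a ClientHello record, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:      # must be a handshake record holding a ClientHello
            return None
        p = 9 + 2 + 32                                   # skip record hdr(5), handshake hdr(4), version, random
        p += 1 + record[p]                               # session_id
        p += 2 + struct.unpack("!H", record[p:p + 2])[0] # cipher_suites
        p += 1 + record[p]                               # compression_methods
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == 0:                               # server_name extension
                q = p + 2                                # skip server_name_list length
                if record[q] == 0:                       # host_name entry
                    nlen = struct.unpack("!H", record[q + 1:q + 3])[0]
                    return record[q + 3:q + 3 + nlen].decode("ascii")
            p += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def route(record: bytes) -> Optional[Tuple[str, int]]:
    """Pick the backend for a new connection from its ClientHello SNI; None means no HostSNI rule matched."""
    sni = extract_sni(record)
    return ROUTES.get(sni) if sni else None
```

A connection that the client reuses for a second hostname never sends a new ClientHello, so this decision is not revisited for later requests on it.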