V2 TCP router with TLS example?

Does anyone have a working Traefik v2 TCP router with TLS example?
I have been trying to set this up but no success yet.

You might be interested in the demo of traefik v2 we tend to give:

But be careful: not all protocols based on TCP and using TLS support SNI routing or passthrough. It requires the protocol to support SNI (for instance MySQL doesn't) and to do a TLS handshake (if it is STARTTLS, then it does not work).
If your protocol does NOT support SNI/TLS handshake, then you should use the "plain TCP" example and let the protocol handle the encryption. The limitations would be:

  • Traefik cannot handle TLS certificates for this protocol (but requests are still encrypted)
  • You must define one port per backend service, as with any other reverse proxy.
1 Like

@dduportal

Just to keep it simple I tried Plain TCP

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: logstash-external
  namespace: kube-system
spec:
  entryPoints:
    - tcp5050
  routes:
  - match: HostSNI(`logstash.test.domain.ca`)
    services:
    - name: logstash
      port: 5050
  # tls:
  #   certResolver: logstash
  #   domains:
  #     - main: test.domain.ca
  #       sans:
  #         - "*.test.domain.ca"

Which gave me

time="2019-10-29T18:40:54Z" level=warning msg="TCP Router ignored, cannot specify a Host rule without TLS" routerName=kube-system-logstash-external-0dea3e4c220f584e50e3@kubernetescrd entryPointName=tcp5050
time="2019-10-29T18:40:59Z" level=warning msg="TCP Router ignored, cannot specify a Host rule without TLS" entryPointName=tcp5050 routerName=kube-system-logstash-external-0dea3e4c220f584e50e3@kubernetescrd

From the logs it looks like Traefik v2 doesn't support plain TCP and needs TLS. Is this correct?

Hi,

I think that because you're using an SNI rule Traefik wants to find a suitable certificate to be able to match the URL. If there is no TLS certificate you should use:

HostSNI(`*`)

I created a workshop for my team mates where you can find some examples on how to do that:

Hope it helps!

4 Likes

@dduportal If I do something similar in Kubernetes as mongo1,
can I use the same entrypoint mongo for multiple env instances of mongo like this?

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mongo-external
  namespace: dev
spec:
  entryPoints:
    - mongo
  routes:
  - match: HostSNI(`mongo.dev.domain.com`)
    kind: Rule
    services:
    - name: mongo
      port: 27017
  tls:
    certResolver: mongo-dev
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: mongo-external
  namespace: qa
spec:
  entryPoints:
    - mongo
  routes:
  - match: HostSNI(`mongo.qa.domain.com`)
    kind: Rule
    services:
    - name: mongo
      port: 27017
  tls:
    certResolver: mongo-qa
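The two points raised in this thread, that SNI routing only works when the client's first bytes are a TLS ClientHello (the first answer's caveat about MySQL and STARTTLS) and that several HostSNI routes can hang off one entrypoint (the mongo dev/qa question above), can be seen by looking at what a TCP router actually has to work with. The following is an added example and not Traefik's code; it builds a constructed ClientHello, extracts the SNI from it without terminating TLS, and dispatches to a constructed route table modelled on the two IngressRouteTCP objects above. The route table, the `PLAIN_TCP_FIRST_BYTES` sample and the `catch_all` parameter (standing in for a HostSNI(`*`) route) are all assumptions of the example.

```python
"""Added example (not Traefik's own code): how SNI-based TCP routing decides
where a connection goes by peeking at the TLS ClientHello, why a plain TCP
client gives it nothing to match, and how several HostSNI rules share one
entrypoint. All inputs below are constructed for the example."""
import struct
from typing import Dict, Optional


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record; server_name=None omits the
    SNI extension (the case the thread's first answer warns about)."""
    exts = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type host_name(0)
        sni_list = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type server_name
    hello = (
        b"\x03\x03"                               # client_version: TLS 1.2
        + bytes(32)                               # random (zeros, offline example only)
        + b"\x00"                                 # session_id length 0
        + struct.pack("!H", 2) + b"\x13\x01"      # one cipher suite
        + b"\x01\x00"                             # one compression method: null
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Return the host_name from the first bytes a client sends, or None if they
    are not a TLS ClientHello carrying SNI. Nothing is decrypted: SNI travels in
    the clear, which is what lets a router match it before any TLS termination."""
    try:
        if len(data) < 5 or data[0] != 0x16:                   # not a TLS handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) < 4 or body[0] != 0x01:                   # not a ClientHello
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                           # skip version + random
        pos += 1 + hello[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]                                  # compression_methods
        if pos + 2 > len(hello):
            return None                                        # no extensions block at all
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            ext = hello[pos + 4:pos + 4 + ext_len]
            pos += 4 + ext_len
            if ext_type != 0x0000:
                continue
            p = 2                                              # skip server_name_list length
            while p + 3 <= len(ext):
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                name = ext[p + 3:p + 3 + name_len]
                p += 3 + name_len
                if name_type == 0:
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


# Constructed route table mirroring the two IngressRouteTCP objects in the last
# post: both attach to the single "mongo" entrypoint and differ only in HostSNI.
MONGO_ROUTES: Dict[str, str] = {
    "mongo.dev.domain.com": "dev/mongo:27017",
    "mongo.qa.domain.com": "qa/mongo:27017",
}

# Constructed first bytes of a non-TLS client (a plain TCP protocol such as the
# logstash example): opaque application bytes, no ClientHello, no SNI.
PLAIN_TCP_FIRST_BYTES = b"2W\x00\x00\x00\x01\x00\x00\x00\x10"


def route_connection(first_bytes: bytes, routes: Dict[str, str] = MONGO_ROUTES,
                     catch_all: Optional[str] = None) -> Optional[str]:
    """Choose a backend for a new connection from its first bytes. `catch_all`
    plays the role of a HostSNI(`*`) route; None means no rule matched."""
    sni = extract_sni(first_bytes)
    if sni is None:
        return catch_all            # plain TCP / STARTTLS: only HostSNI(`*`) can match
    return routes.get(sni, catch_all)


if __name__ == "__main__":
    for name in ("mongo.dev.domain.com", "mongo.qa.domain.com", "mongo.prod.domain.com"):
        print(name, "->", route_connection(build_client_hello(name)))
    print("plain tcp ->", route_connection(PLAIN_TCP_FIRST_BYTES, catch_all="kube-system/logstash:5050"))
```

The takeaway for the logstash case earlier in the thread is visible in `PLAIN_TCP_FIRST_BYTES`: without a ClientHello there is no host name to compare against, so a router that is asked to match `HostSNI(...)` on such a connection can only refuse it, and the only rule that can still send it somewhere is the catch-all, which is why one such service needs its own entrypoint port. With TLS-speaking clients, the dev and qa hosts are told apart on the same listener purely from the cleartext SNI, before any certificate is involved.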