How to enable Client Certificate Authentication with Traefik & Kubernetes?
I've been using Traefik for automated https on a Kubernetes cluster and it has been working great! Now, I actually want to disable the termination at the Traefik level and just let my backend handle https as well as client certificate authentication.

Currently, this is my setup

Config.toml

defaultEntryPoints = ["http","https"]

[entryPoints]
  [entryPoints.http]
  address = ":80"
  compress = true
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
  compress = true
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      CertFile = "/ssl/tls.crt"
      KeyFile = "/ssl/tls.key"

And this is my ingress on Kubernetes

apiVersion: v1
kind: Service
metadata:
  name: backend-svc
spec:
  ports:
  - port: 80
    targetPort: 80
  selector:
    app: backend
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: backend-ingress
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  tls:
    - secretName: tls-cert
  rules:
  - host: somewhere.com
    http:
      paths:
      - backend:
          serviceName: backend-svc
          servicePort: 80

This has served me well for the past three months, but with this configuration my backend fails to locate the client certificate in the incoming requests.

Normally, I'd redirect from port 80 to 443. Now, when I try to point the ingress directly at 443, it gives an Internal Server Error. And when I try to add this to the ingress annotations:

traefik.frontend.passTLSCert: true # Gives 404 Error.
traefik.frontend.passTLSCert: "true" # Gives Bad Gateway Error

Any help at all is highly appreciated.

Thank you.

Sontich answered 15/8, 2018 at 2:13 Comment(4)
The configs you provided look fine; could you provide your latest modification of the configs? It looks like some misconfiguration. - Arnitaarno
Careful, the passTLSCert option does not enable some kind of SSL proxy; it adds the certificate inside the headers. This option wasn't functional until very recently: github.com/containous/traefik/pull/4118 - Hochman
Hello, same issue here; how did you fix the issue? Thanks - Metanephros
I ended up using a plain old VM for this. :( - Sontich
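The comment above makes the key point: passTLSCert does not pass the TLS session through, it copies the client certificate into a request header, so the backend has to validate that header itself. The following is an added example (not from the question, the comments, or Traefik's own code) of how a Go backend could do that. It assumes the header carries the PEM body with its armour and newlines stripped and then URL-escaped, which is how Traefik's passTLSCert middleware formats it (check your version), and that the backend is reachable only through Traefik, since a directly reachable backend would accept a header any caller could set. NewTestPKI generates throwaway certificates so the block runs offline.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"math/big"
	"net/url"
	"time"
)

// VerifyForwardedCert validates the client cert Traefik forwards in a header when passTLSCert is on
// (assumed format: PEM body with armour and newlines stripped, then URL-escaped). It must chain to
// the client CA and carry the clientAuth EKU; a server or CA certificate in the header is refused.
func VerifyForwardedCert(header string, roots *x509.CertPool) (*x509.Certificate, error) {
	raw, err := url.QueryUnescape(header) // only meaningful if nothing but Traefik can reach the backend
	if err != nil {
		return nil, err
	}
	der, err := base64.StdEncoding.DecodeString(raw)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der) // an empty header fails here as malformed
	if err != nil {
		return nil, err
	}
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, err // untrusted issuer, expired, or not a client-auth certificate
	}
	return cert, nil
}

// NewTestPKI builds a throwaway CA and one client cert it signed (constructed test data only).
func NewTestPKI(cn string) (*x509.CertPool, string) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-client-ca"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ := x509.ParseCertificate(caDER)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: cn},
		NotBefore: nb, NotAfter: na, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, ca, leafPub, caKey)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool, url.QueryEscape(base64.StdEncoding.EncodeToString(leafDER)) // as the header carries it
}
```

A request whose header is missing, malformed, or signed by a CA other than the one in the pool is rejected, which is the behaviour a backend should want before it trusts any identity taken from a proxy header.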
