kubernetes tls (SSL) support? #378
Comments
We can't make it work also.. is this feature supported? |
Not yet, we have been discussing that, and for now, we decided that it was not a priority (as traefik can plug to an ACME backend). But it could be implemented in the future :) |
I can try to add SSL if no one else has started work on it when #382 is merged, so I can run traefik more easily locally. |
@jonaz are you working on this issue? |
Nope, haven't had the time yet. |
so are you guys saying there is no way Kubernetes can listen on port 443 and serve the |
Hi @abourget that is currently the case. TLS could be set up manually if an entrypoint were defined in the Traefik config, or if letsencrypt is used. But we should add full support for doing stuff the k8s way. |
@emilevauge no pressure, but is the current state still not a priority? |
I just spent half a day trying to figure out why ssl throws "error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol" at me on GKE. My issue was that 443 traffic was routed to 80, that's why SSL complained (= no SSL termination). |
What is the status on this? We need Ingress TLS support too. Haven't tried it myself yet, but there seems to be a workaround: |
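A diagnostic for the failure described in the comment above, where a TLS client reaches a listener that only speaks clear-text HTTP. This is an added example, not part of the original thread or of Traefik; the function name `probe_port` is hypothetical.

```python
import socket
import ssl
import sys


def probe_port(host, port, timeout=3.0):
    """Classify what answers on host:port as 'tls', 'plaintext-http' or 'unknown'."""
    ctx = ssl.create_default_context()
    # Diagnostic probe only: the question is whether any TLS is spoken at all,
    # so certificate validation is disabled here. Do not reuse this context
    # for real traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return "tls"  # handshake completed: TLS is terminated here
    except (ssl.SSLError, socket.timeout, ConnectionResetError):
        pass  # no usable TLS answer; check for plain HTTP below
    except OSError:
        return "unknown"  # refused, unreachable, DNS failure, ...

    # Second connection: send a plain HTTP request and look at the reply.
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            first = raw.recv(16)
    except OSError:
        return "unknown"
    return "plaintext-http" if first.startswith(b"HTTP/") else "unknown"


if __name__ == "__main__":
    # Usage: python probe.py <host> <port>
    result = probe_port(sys.argv[1], int(sys.argv[2]))
    print(f"{sys.argv[1]}:{sys.argv[2]} -> {result}")
    if result == "plaintext-http":
        print("Port answers in clear-text HTTP: nothing terminates TLS on this path.")
```

A `plaintext-http` result on port 443 means the traffic is being forwarded to a non-TLS entrypoint, which is the condition that produces the "unknown protocol" handshake error.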
The workaround by Patrick Eastern works like a charm! Still we prefer native support to bypass the extra configuration. Hopefully Traefik will pick this up soon. |
@andrejvanderzee Don't know if it's helpful to you but I solved my TLS problems with the following scenario: kube-lego & nginx ingress controller for any external facing things, autoprovision of SSL certs via LE and for internal traffic ( to be able to separate it at all ) I use traefik with
in the ingress manifest. But yes, native TLS support would be very much appreciated |
That's what I did too, pretty solid solution imo. nginx-ingress + kube-lego
and a few annotations. Works magic.
…On Wed, Jan 18, 2017, 5:02 AM Joakim Karlsson ***@***.***> wrote:
@andrejvanderzee <https://github.com/andrejvanderzee> Don't know if it's
helpful to you but I solved my TLS problems with the following scenario:
kube-lego & nginx ingress controller for any external facing things,
autoprovision of SSL certs via LE
and for internal traffic ( to be able to separate it at all ) I use
traefik and tag those rules with ingress.class traefik
But yes, native TLS support would be very much appreciated
|
Why using nginx for that?? just configure the ssl via configs in the
meanwhile
https://medium.com/@patrickeasters/using-traefik-with-tls-on-kubernetes-cb67fb43a948#.brp81cqz0
nginx is redundant and just another service/app in your ecosystem that
requires more resources
|
@AlmogBaku I use kube-lego for automatic provisioning of Letsencrypt SSL certs. Traefik is still lacking some in the automatization department there as well as NGINX gives us higher throughput |
@errm Are you still working on this? Is it OK if I pick it up? |
This is a bummer 😢 , any updates? |
I would love for this to be implemented. Could someone familiar with the Traefik code base sketch out what the solution should look like? I might be able to pick it up. |
This could be an amazing two pronged implementation:
This replaces the nginx + kube-lego combination with just traefik, which is nice. As is, I can't actually use the ACME support in traefik in kubernetes, since it doesn't actually have anywhere to store the certificates. If we provision a volume and store it, most likely we can't have multiple copies of traefik running. I'm slowly trying to become more familiar with the traefik code base, and might be able to take some of this on perhaps! |
@yuvipanda Just realized that this feature description is what I was requesting. I have a full description of the use case in the issue I created, but otherwise, maybe we can use this already existing issue. I'm also checking how I could collaborate in developing this, as I'm also quite interested! |
As far as I can see, this issue is about supporting an easy way to set up a tls ingress in kubernetes. But is acme really necessary for this as the kubernetes ingress object already provides a way of specifying a tls cert (https://kubernetes.io/docs/api-reference/v1.8/#ingressspec-v1beta1-extensions)? |
Wow, just tried traefik and discovered no TLS support from standard kubernetes ingress objects and secrets. Well, that's gonna prevent any meaningful deployment - so it's back to nginx and its problematic reloading. I can't understand why this wouldn't be a critical missing feature for the traefik devs? |
I had some spare time and tried a simple implementation. It wouldn't be that complicated but is this the right issue or should this case be handled in another one? |
ACME and LE is only usable if the services are publicly exposed. For any "internal" ingresses where the hostname isn't publicly reachable or even queryable, it would simply not work at all |
For me one thing that is missing for High Availability/Redundancy is ability to store the LE certs into K8S secrets that can be used as shared storage between multiple Traefik instances OR when the node Traefik was running on dies and the pod(s) get(s) created on different node (in even different AZ in AWS for example). For now this is only possible if shared storage is available in the cluster or a backend like consul etc. |
@igoratencompass take a look here: https://blog.osones.com/en/kubernetes-traefik-and-lets-encrypt-at-scale.html. Your comment isn't related to the issue |
It is related to a broader issue when using LE. I want to be able to share the backend certs between Traefik instances in k8s native way without using consul or shared storage. Which also relates to comments regarding nginx+kube-lego made in previous comments but maybe I missed something. It might be a crucial point when deciding between traefik and nginx. |
@igoratencompass it's not related to this issue (and impossible) |
@igoratencompass Please see proposal #2542. Give your feedback on the proposal if you think it is an important feature to be implemented. |
@AlmogBaku everything is possible |
#2439 has been merged w00t :) |
Hi, I'm new to traefik/ingress/kubernetes, but I think my issue is relevant to this ticket. I set up traefik with TLS and I have TLS in my ingress. I want to route HTTPS requests coming to traefik to an HTTPS backend behind ingress. I used this blog post to set things up. But what I got at the end is HTTPS requests are redirected via HTTP to backend. Maybe I missed some configuration. Can someone confirm that it is doable and if it is addressed by this issue? |
@vkuznet Thanks for your interest in Traefik! Come to the Traefik community Slack |
Traefik's kubernetes implementation now fully supports TLS, and secrets. I am closing this issue. If you encounter issues in the future, please open a new ticket. |
Looks like something like this needs to be implemented in the kubernetes provider?
https://github.com/kubernetes/contrib/blob/master/ingress/controllers/nginx/controller.go#L748