Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backend is created as http when kubernetes service type is: ExternalName and TLS is enabled #3806

Closed
bsctl opened this issue Aug 21, 2018 · 4 comments
Closed

Backend is created as http when kubernetes service type is: ExternalName and TLS is enabled #3806

bsctl opened this issue Aug 21, 2018 · 4 comments
Assignees
@dtomcej
Labels
area/documentation area/provider/k8s/ingress kind/enhancement a new or improved feature. status/5-frozen-due-to-age
Milestone
1.7

Comments

@bsctl
Copy link

bsctl commented Aug 21, 2018

Do you want to request a feature or report a bug?

Bug

What did you do?

related to #3803

Configured Traefik as ingress controller for kubernetes.
Enabled forward authentication with annotations in ingress objects.
Ingresses point to external services type: ExternalName.

apiVersion: v1
kind: Service
metadata:
  name: caldera
spec:
  ports:
  - protocol: TCP
    port: 8443
  type: ExternalName
  externalName: remote.clastix.io

and

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: caldera
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/auth-type: basic
    traefik.ingress.kubernetes.io/auth-secret: basic-auth
    traefik.ingress.kubernetes.io/rule-type: "PathPrefixStrip"
spec:
  rules:
  - host: cmp.clastix.io
    http:
      paths:
      - path: /apis 
        backend:
          serviceName: caldera
          servicePort: 8443

What did you expect to see?

Backend created as https://remote.clastix.io:8443 as I'm using TLS annotations into ingress.

What did you see instead?

Backend created as http://remote.clastix.io:8443 unless you specify port 443.

Output of traefik version: (What version of Traefik are you using?)

traefik_linux-amd64.1.7.0rc3

What is your environment & configuration (arguments, toml, provider, platform, ...)?

# (paste your configuration here)

If applicable, please paste the log output in DEBUG level (--logLevel=DEBUG switch)

(paste your output here)
@dtomcej
Copy link
Contributor

dtomcej commented Aug 21, 2018

There is nothing in your ingress or service to suggest that the backend should be https.

If you set the serviceport to be 443, you can still use the targetPort on your service to be 8443.

In 1.7, you can also give your port a name (starting with https) to force the backend request to be https.

Can you give either of those a try and see if they work for you?

@bsctl
Copy link
Author

bsctl commented Aug 21, 2018

@dtomcej Thanks for prompt answer! I set the TLS annotation in the ingress, so this should suggest to be a HTTPS backend. Anyway, I'm better fine with your solution. Is it already documented somewhere? So, just start the port name with https*? :)

@dtomcej
Copy link
Contributor

dtomcej commented Aug 21, 2018

It doesn't seem to be documented, no....I will update that.

Yes, just prefix the name with https. so https-api or just https, something like that.

But yes, just adding TLS to the spec only ensures that the client side communication has TLS enabled, not the backend communication.

@dtomcej dtomcej mentioned this issue Aug 21, 2018
Merged
2 tasks
@traefiker traefiker added this to the 1.7 milestone Aug 23, 2018
@traefiker
Copy link
Contributor

Closed by #3807.

@traefik traefik locked and limited conversation to collaborators Sep 1, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@dtomcej dtomcej

Labels
area/documentation area/provider/k8s/ingress kind/enhancement a new or improved feature. status/5-frozen-due-to-age
Projects
None yet
Milestone
1.7
Development

No branches or pull requests
4 participants
@dduportal @bsctl @dtomcej @traefiker