TLS Mutual Authentication on the backends #4260
@jbdoumenjou -adriano
I tried to use the following:

```yaml
---
apiVersion: v1
kind: Service
metadata:
  labels:
  name: caldera
  namespace: cmp-system
spec:
  externalName: caldera.example.com
  ports:
  - name: https
    port: 443
  type: ExternalName
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: caldera
  namespace: cmp-system
  labels:
  annotations:
    kubernetes.io/ingress.class: traefik
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: caldera
          servicePort: 443
        path: /caldera
```

Trying to access the frontend with a browser, I get external authentication from Traefik (as expected), but I get the following error on the remote APIs server:

This makes sense because the remote APIs server is expecting mutual TLS authentication, but I do not know where to put the client certificates. As an additional question, which certificates is Traefik going to use when proxying to the backend with the configuration above?
Hello, any feedback on this?
Sorry for the delay. I'll try to take a look before the Xmas Holidays.
Hello, any feedback on this?
Hi @Kalise,
To have mtls between Traefik and your backend, you have to define the ClientCAFiles and set the passTLSCert option to true. The mtls will use the certificate defined on your entrypoint. But it will try to do mtls with the EntryPoint too, so you need to specify
Because it will use the IP of the backend, you need to add the containers' IPs to the SANs of your certificate.
A fix (#4438) to apply the global
Note that all the global options like
If you have any questions, I encourage you to join the #support channel on our slack: https://slack.traefik.io/. I'll close the issue for now.
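The SAN remark in the reply above is the part that is easy to get wrong: when the proxy dials a backend by pod IP, the backend's certificate is checked against that IP, not against the hostname it was issued for. The Go example below is added here and is not code from this issue or from Traefik; it builds a constructed throwaway CA and backend certificate (the name caldera.example.com, the IPs and the function names are made up for the example) and verifies the certificate the way a TLS client does for the address it dialled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// issue signs tmpl with parent/parentKey (self-signed when parent is nil) and returns the parsed cert and its key.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BackendCertVerifies builds a constructed CA and a backend cert with SANs for caldera.example.com plus
// sanIPs, then verifies it as a TLS client does for the dialled address (hostname or IP). nil = accepted.
func BackendCertVerifies(dialAddr string, sanIPs ...string) error {
	now, exp := time.Now(), time.Now().Add(time.Hour)
	ca, caKey := issue(&x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: exp, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "constructed-ca"}}, nil, nil)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: now, NotAfter: exp,
		Subject: pkix.Name{CommonName: "caldera.example.com"}, DNSNames: []string{"caldera.example.com"}}
	for _, ip := range sanIPs { // the pod/container IPs the proxy will actually dial
		leafTmpl.IPAddresses = append(leafTmpl.IPAddresses, net.ParseIP(ip))
	}
	leaf, _ := issue(leafTmpl, ca, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: dialAddr})
	return err
}
```

A certificate issued only for the DNS name verifies for caldera.example.com but fails for 10.244.1.7 until that IP is added to its SANs, which is the condition the maintainer describes.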
Do you want to request a feature or report a bug?
feature/bug (?)
What did you do?
I'm trying to use Traefik as an APIs gateway in front of multiple remote APIs servers. The remote APIs servers require mutual TLS authentication with certificates (tls.crt/tls.key), while clients on the frontend simply use external authentication.
Once the client is authenticated by Traefik, the client's request is proxied to the backends using mutual TLS authentication between Traefik (acting as client) and the remote APIs server.
This is the desired layout:
Traefik is running as a pod in Kubernetes and I'm using external name k8s services (type: ExternalName) and k8s ingresses to configure Traefik.
Please do not confuse the k8s APIs server with the remote APIs servers in the picture above.
This is quite straightforward to achieve with the NGINX Ingress controller, but I'm struggling to implement it with Traefik, and the option
traefik.ingress.kubernetes.io/pass-tls-cert
seems useful only to enable mutual TLS between client and remote APIs server. With NGINX Ingress Controller we have:
What did you expect to see?
The use case above implemented with Traefik
What did you see instead?
It looks to me like Traefik is only configurable for mutual TLS between clients and backends.
Output of traefik version:

What is your environment & configuration (arguments, toml, provider, platform, ...)?
traefik.toml

If applicable, please paste the log output at DEBUG level (--logLevel=DEBUG switch)