We Keep Coding

How to configure tls with traefik in kubernetes using yaml?

I am having trouble exposing a service over http and https using traefik 2.9 in Kubernetes.
The http endpoint kinda works, I introduced CORS errors somehow once I tried to add https but that is not my main concern. The https ingress is broken and I cant find any indication of why its not working. The traefik pod doesn't log any errors and the dotnet service isn't receiving the requests. Also both routes show up in the dashboard and websecure is displayed as having TLS enabled.
Excluding ClusterRole, ServiceAccount, and ClusterRoleBinding because I believe that's configured correctly as the http route wouldn't work if it wasnt.
Traefik config:
kind: Deployment
apiVersion: apps/v1
metadata:
name: traefik-deployment
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-account
containers:
- name: traefik
image: traefik:v2.9
args:
- --api.insecure
- --providers.kubernetesingress
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.websecure.http.tls
ports:
- name: web
containerPort: 80
- name: dashboard
containerPort: 8080
- name: websecure
containerPort: 443
Traefik services:
apiVersion: v1
kind: Service
metadata:
name: traefik-dashboard-service
spec:
type: LoadBalancer
ports:
- port: 8080
targetPort: dashboard
selector:
app: traefik
---
apiVersion: v1
kind: Service
metadata:
name: traefik-web-service
spec:
type: LoadBalancer
loadBalancerIP: 10.10.1.38
ports:
- targetPort: web
port: 80
name: http
- targetPort: websecure
port: 443
name: https
selector:
app: traefik
Secret for tls:
apiVersion: v1
data:
comptech.pem: <contents of pem file base64 encoded>
comptech.crt: <contents of crt file base64 encoded>
comptech.key: <contents of key file base64 encoded>
kind: Secret
metadata:
name: comptech-cert
namespace: default
type: Opaque
Service for dotnet application:
apiVersion: v1
kind: Service
metadata:
name: control-api-service
spec:
ports:
- name: http
port: 80
targetPort: 5000
protocol: TCP
- name: https
port: 443
targetPort: 5000
protocol: TCP
selector:
app: control-api
Ingresses:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: control-api-ingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
spec:
rules:
- host: sub.domain.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: control-api-service
port:
name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: control-api-secure-ingress
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
spec:
rules:
- host: sub.domain.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: control-api-service
port:
name: https
tls:
- secretName: comptech-cert
My hope here is that someone with much more experience with traefik/tls will be able to quickly realize what I'm doing incorrectly. Any input is greatly appreciated!
UPDATE:
The firewall was only allowing http traffic, we reconfigured it to support https and it is responding with Traefiks default certs. So i can hit the container but tls is still not configured using my supplied cert.

The pem file is not needed and the crt file was generated incorrectly using openssl the command that worked for me was: openssl crl2pkcs7 -nocrl -certfile comptech.pem | openssl pkcs7 -print_certs -out cert.crt
Pointing to the https port of the control-api-service was not working and needed to be changed to http
A config map needed to be created for the traefik deployment to work correctly:
apiVersion: v1 kind: ConfigMap metadata: name: traefik-config labels:
name: traefik-config namespace: default data: dyn.yaml: |
# https://doc.traefik.io/traefik/https/tls/
tls:
stores:
default:
defaultCertificate:
certFile: '/certs/tls.crt'
keyFile: '/certs/tls.key'
Finally the configmap and secret must be used in the traefik deployment like below:
kind: Deployment
apiVersion: apps/v1
metadata:
name: traefik-deployment
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-account
containers:
- name: traefik
image: traefik:v2.9
args:
- --api.insecure
- --providers.kubernetesingress
- --entrypoints.web.address=:80
- --entrypoints.websecure.address=:443
- --entrypoints.websecure.http.tls
- --providers.file.filename=/config/dyn.yaml
ports:
- name: web
containerPort: 80
- name: dashboard
containerPort: 8080
- name: websecure
containerPort: 443
volumeMounts:
- name: comptech-cert-volume
mountPath: /certs
- name: traefik-config-volume
mountPath: /config
volumes:
- name: comptech-cert-volume
secret:
secretName: comptech-cert
- name: traefik-config-volume
configMap:
name: traefik-config

In my setup, I use the IngressRoute CRD implementation from Traefik.
The CRDs were automatically installed when I setup the Traefik controller using Helm.
Is it a possibility for you to use this in your setup? You can check if the CRDs already exist using below command on your k8s cluster.
kubectl get crd
Below is a snippet from one of my projects where I also use a custom wildcard certificate from a secret using the IngressRoute manifest.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: blue-api-ingressroute
spec:
entryPoints:
- websecure
routes:
- match: "Host(`blue.domain.com`)" && PathPrefix(`/swagger`)"
kind: Rule
services:
- name: blue-api-svc
port: 80
tls:
secretName: bluecert
You can also include other custom resources that are available from Traefik. The complete set of configuration that is available can be seen here. For example, below is the same snippet with middleware and tlsoptions resources included for improving the security of the endpoint.
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
name: tlsoptions
spec:
minVersion: VersionTLS12
cipherSuites:
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_AES_256_GCM_SHA384
- TLS_AES_128_GCM_SHA256
- TLS_CHACHA20_POLY1305_SHA256
- TLS_FALLBACK_SCSV
curvePreferences:
- CurveP521
- CurveP384
sniStrict: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: security
spec:
headers:
frameDeny: true
sslRedirect: true
browserXssFilter: true
contentTypeNosniff: true
stsIncludeSubdomains: true
stsPreload: true
stsSeconds: 31536000
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: blue-api-ingressroute
spec:
entryPoints:
- websecure
routes:
- match: "Host(`blue.domain.com`)" && PathPrefix(`/swagger`)"
kind: Rule
services:
- name: blue-api-svc
port: 80
middlewares:
- name: security
tls:
secretName: bluecert
options:
name: tlsoptions

Route TCP traffic trough Istio egressgateway

I have a deployment running frontier-squid proxy for caching, and I need to route all outbound TCP traffic through an istio-egressgateway in order to exit the mesh always from the same host/ip.
I tried to follow the egress-mongo example but unsuccessfully.
For reference the inbound part is working fine and traffic is also exiting the mesh, from the host where the pod is running (unwanted behavior).
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cvmfs
namespace: lcg
annotations:
co.elastic.logs/enabled: "true"
co.elastic.logs/module: "squid"
labels:
app: cvmfs
spec:
replicas: 1
selector:
matchLabels:
app: cvmfs
template:
metadata:
labels:
app: cvmfs
spec:
containers:
- name: cvmfs
image: opensciencegrid/frontier-squid:stable
env:
## SQUID_IPRANGE: Don't add external ip here. Proxied traffic dosen't have external ip. See below AuthorizationPolicy ingress-policy-cvmfs
- name: "SQUID_IPRANGE"
value: "10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 fc00::/7 fe80::/10 127.0.0.0/24"
- name: "SQUID_CACHE_DISK"
value: "50000"
- name: "SQUID_CACHE_MEM"
value: "16 GB"
ports:
- containerPort: 3128
resources:
requests:
cpu: 4
memory: 20G
limits:
cpu: 8
memory: 32G
---
apiVersion: v1
kind: Service
metadata:
labels:
app: cvmfs
name: cvmfs
spec:
ports:
- port: 3128
selector:
app: cvmfs
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: lcg-cvmfs-gw
namespace: lcg
spec:
selector:
app: clustername-vlan320-gateway-cvmfs1
istio: ingressgateway
servers:
- port:
number: 3128
name: tcp-squid
protocol: TCP
hosts:
- cvmfs1.sub.domain.com
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: lcg-cvmfs-vs
namespace: lcg
spec:
hosts:
- cvmfs1.sub.domain.com
gateways:
- lcg-cvmfs-gw
tcp:
- match:
- port: 3128
route:
- destination:
host: cvmfs
port:
number: 3128
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: ingress-policy-cvmfs
namespace: istio-system
spec:
selector:
matchLabels:
app: clustername-vlan320-gateway-cvmfs1
istio: ingressgateway
action: ALLOW
rules:
- from:
- source:
remoteIpBlocks:
- aa.aa.aa.aa/19
- bb.bb.bb.bb/25
Here my attempt to setup all steps to exit the mesh from the istio-egressgateway:
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: external-stratum-1
namespace: lcg
spec:
hosts:
- external.tcp.svc # Not used in TCP mode
addresses:
- xx.xx.xx.xx/32
- xx.xx.xx.xx/32
ports:
- number: 8000
name: tcp-stratum1
protocol: TCP
location: MESH_EXTERNAL
resolution: STATIC
endpoints:
- address: xx.xx.xx.xx/32
- address: xx.xx.xx.xx/32
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway
namespace: lcg
spec:
selector:
istio: egressgateway
servers:
- port:
number: 55555
name: tcp-exit1
protocol: TCP
hosts:
- external.tcp.svc
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egressgateway-for-cvmfs-stratum1
namespace: lcg
spec:
host: istio-egressgateway.istio-system.svc.clustername.domain.com
subsets:
- name: external-stratum-1
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: external-stratum-1
spec:
host: external.tcp.svc
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: direct-stratum1-through-egress-gateway
namespace: lcg
spec:
hosts:
- external.tcp.svc
gateways:
- mesh
- istio-egressgateway
tcp:
- match:
- gateways:
- mesh
destinationSubnets:
- xx.xx.xx.xx/32
- xx.xx.xx.xx/32
port: 8000
route:
- destination:
host: istio-egressgateway.istio-system.svc.clustername.domain.com
subset: external-stratum-1
port:
number: 55555
- match:
- gateways:
- istio-egressgateway
port: 55555
route:
- destination:
host: external.tcp.svc
port:
number: 8000
weight: 100
I'm running vanilla kubernetes version 1.21 and instio version 1.10
Can someone help me setting up this egressgateway or maybe suggest a better istio example?

Egress gateway does't work correctly when adding multiple external services

I was trying to define multiple external services(redis: AWS ElastiCache) to route through egress gateway. Two gateways were configured with reference to https://github.com/istio/istio/issues/16806#issuecomment-538718737. I applied the following config, but it didn't work correctly and I could find error logs. It seemed that connecting to both of the destinations was forward to only one of them(random?)
Is this a bug or is there any solution?
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway-redis-1
namespace: test
spec:
selector:
istio: egressgateway
servers:
- port:
name: redis
number: 6379
protocol: TCP
hosts:
- "aaa.aaa.ng.0001.apne1.cache.amazonaws.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: egress-redis-1
namespace: test
spec:
hosts:
- aaa.aaa.ng.0001.apne1.cache.amazonaws.com
ports:
- name: egress-redis-1
number: 6379
protocol: TCP
location: MESH_EXTERNAL
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: egress-redis-1
namespace: test
spec:
hosts:
- aaa.aaa.ng.0001.apne1.cache.amazonaws.com
gateways:
- istio-egressgateway-redis-1
- mesh
tcp:
- match:
- gateways:
- mesh
port: 6379
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
subset: egress-redis-1
port:
number: 6379
- match:
- gateways:
- istio-egressgateway-redis-1
port: 6379
route:
- destination:
host: aaa.aaa.ng.0001.apne1.cache.amazonaws.com
port:
number: 6379
weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egress-redis-1
namespace: test
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: egress-redis-1
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway-redis-2
namespace: test
spec:
selector:
istio: egressgateway
servers:
- port:
name: redis
number: 6379
protocol: TCP
hosts:
- "bbb.bbb.clustercfg.apne1.cache.amazonaws.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: ServiceEntry
metadata:
name: egress-redis-2
namespace: test
spec:
hosts:
- bbb.bbb.clustercfg.apne1.cache.amazonaws.com
ports:
- name: egress-redis-2
number: 6379
protocol: TCP
location: MESH_EXTERNAL
resolution: DNS
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: egress-redis-2
namespace: test
spec:
hosts:
- bbb.bbb.clustercfg.apne1.cache.amazonaws.com
gateways:
- istio-egressgateway-redis-2
- mesh
tcp:
- match:
- gateways:
- mesh
port: 6379
route:
- destination:
host: istio-egressgateway.istio-system.svc.cluster.local
subset: egress-redis-2
port:
number: 6379
- match:
- gateways:
- istio-egressgateway-redis-2
port: 6379
route:
- destination:
host: bbb.bbb.clustercfg.apne1.cache.amazonaws.com
port:
number: 6379
weight: 100
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: egress-redis-2
namespace: test
spec:
host: istio-egressgateway.istio-system.svc.cluster.local
subsets:
- name: egress-redis-2
Istio error logs:
2020-07-14T08:24:42.803875Z#011info#011ads#011Push Status: {
"pilot_conflict_outbound_listener_tcp_over_current_tcp": {
"0.0.0.0:6379": {
"proxy": "member-11111-22222.test",
"message": "Listener=0.0.0.0:6379 AcceptedTCP=aaa.aaa.clustercfg.apne1.cache.amazonaws.com RejectedTCP=bbb.bbb.ng.0001.apne1.cache.amazonaws.com TCPServices=1"
}
}
}
Version
Kubernetes: 1.18.5
Istio: 1.6.4
outboundTrafficPolicy
REGISTRY_ONLY
After updated port names of Gateway to unique, it still doesn't work.
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway-redis-1
namespace: qa2
spec:
selector:
istio: egressgateway
servers:
- port:
name: egress-redis-1
number: 6379
protocol: TCP
hosts:
- "aaa.aaa.ng.0001.apne1.cache.amazonaws.com"
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: istio-egressgateway-redis-2
namespace: qa2
spec:
selector:
istio: egressgateway
servers:
- port:
name: egress-redis-2
number: 6379
protocol: TCP
hosts:
- "bbb.bbb.clustercfg.apne1.cache.amazonaws.com"

How to create a HTTPS route to a Service that is listening on Https with Traefik, and Kubernetes

I'm a newbie in kubernetes and Traefik.
I follow up that tutorial:
https://docs.traefik.io/user-guides/crd-acme/
And I changed it to use my Service in Scala, that it is under https and 9463 port.
I'm trying to deploy my Scala service with kubernetes and traefik.
When I forward directly to the service :
kubectl port-forward service/core-service 8001:9463
And I perform a curl -k 'https://localhost:8001/health' :
I get the "{Message:Ok}"
But when I perform a port forward to traefik
kubectl port-forward service/traefik 9463:9463 -n default
And perform a curl -k 'https://ejemplo.com:9463/tls/health'
I get an "Internal server error"
I guess the problem is that my "core-service" is listening over HTTPS protocol, that's what I add scheme:https.
I tried to find the solution over the documentation but it is confusing.
Those are my yml files:
Services.yaml
apiVersion: v1
kind: Service
metadata:
name: traefik
spec:
ports:
- protocol: TCP
name: admin
port: 8080
- protocol: TCP
name: websecure
port: 9463
selector:
app: traefik
---
apiVersion: v1
kind: Service
metadata:
name: core-service
spec:
ports:
- protocol: TCP
name: websecure
port: 9463
selector:
app: core-service
Deployment.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: default
name: traefik-ingress-controller
---
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: default
name: traefik
labels:
app: traefik
spec:
replicas: 1
selector:
matchLabels:
app: traefik
template:
metadata:
labels:
app: traefik
spec:
serviceAccountName: traefik-ingress-controller
containers:
- name: traefik
image: traefik:v2.0
args:
- --api.insecure
- --accesslog
- --entrypoints.websecure.Address=:9463
- --providers.kubernetescrd
- --certificatesresolvers.default.acme.tlschallenge
- --certificatesresolvers.default.acme.email=foo#you.com
- --certificatesresolvers.default.acme.storage=acme.json
# Please note that this is the staging Let's Encrypt server.
# Once you get things working, you should remove that whole line altogether.
- --certificatesresolvers.default.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
ports:
- name: websecure
containerPort: 9463
- name: admin
containerPort: 8080
---
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: default
name: core-service
labels:
app: core-service
spec:
replicas: 1
selector:
matchLabels:
app: core-service
template:
metadata:
labels:
app: core-service
spec:
containers:
- name: core-service
image: core-service:0.1.4-SNAPSHOT
ports:
- name: websecure
containerPort: 9463
livenessProbe:
httpGet:
port: 9463
scheme: HTTPS
path: /health
initialDelaySeconds: 10
IngressRoute2.yaml
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutetls
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`ejemplo.com`) && PathPrefix(`/tls`)
kind: Rule
services:
- name: core-service
port: 9463
scheme: https
tls:
certResolver: default

From the docs
A TLS router will terminate the TLS connection by default. However,
the passthrough option can be specified to set whether the requests
should be forwarded "as is", keeping all data encrypted.
In your case SSL Passthrough need to be enabled because the pod is expecting HTTPS traffic.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: ingressroutetls
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`ejemplo.com`) && PathPrefix(`/tls`)
kind: Rule
services:
- name: core-service
port: 9463
scheme: https
tls:
certResolver: default
passthrough: true

How to write a custom ingressgateway in istio?

I'm new to istio, I have a simple test yaml file which is a little long. What I want to do is to write a custom ingressgateway service for my gateway. And after testing, the incorrect part is the definition of ingressgateway which is at the top. The entire yaml is below:
apiVersion: v1
kind: Service
metadata:
name: batman-ingressgateway
labels:
app: batman-ingressgateway
spec:
type: LoadBalancer
selector:
app: batman-ingressgateway
ports:
- port: 80
targetPort: 80
nodePort: 31389
name: http
---
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
name: batman-gateway
spec:
selector:
app: batman-ingressgateway
#istio: ingressgateway
servers:
- port:
number: 80
name: http
protocol: HTTP
hosts:
- "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: batman
spec:
hosts:
- "*"
gateways:
- batman-gateway
http:
- match:
route:
- destination:
host: batman
port:
number: 8000
subset: v1
weight: 80
- destination:
host: batman
port:
number: 8000
subset: v2
weight: 20
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
name: batman-destination
spec:
host: batman
subsets:
- name: v1
labels:
version: v1
run: batman
- name: v2
labels:
version: v2
run: batman
I want to access my app from browser with the address like: http://my_host_ip:31389/article. The problem now is the ingressgateway doesn't route traffic to my gateway. Is there any one can help me?
Thanks.

Documentation on istio gateway routing is here https://istio.io/docs/tasks/traffic-management/ingress/ingress-control/.
If you look at gateway spec they have
selector:
istio: ingressgateway # use Istio default gateway implementation
While you have
selector:
app: batman-ingressgateway
#istio: ingressgateway
For VirtualService definition you can look here https://istio.io/docs/reference/config/networking/v1alpha3/virtual-service/
You can try with routing requests to /article to your service
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
name: article-route
spec:
hosts:
- *
http:
- match:
- uri:
prefix: "/article"
route:
- destination:
host: <name of your service>