Reputation: 1150
I am running Traefik (v2.0) as the ingress gateway for my EKS cluster. The Traefik ingress is working fine.
Now, I need to add HTTPS support for my ingress using a self-signed certificate. For this, I have:
    kubectl create secret tls tlssecret --key="eks.tls.key" --cert="eks.tls.crt"
/auth
)
...After this deployment, when I browse the ingress URL, it still presents me the TRAEFIK DEFAULT CERT, not my self-signed certificate.
Please let me know what I am doing wrong here. Is there any other way of doing it?
Upvotes: 3
Views: 6227
Reputation: 31
The accepted solution from NumeroUno actually works, but I have a couple of minor remarks:
- certFile: /ssl/tls.pem should be certFile: /ssl/tls.crt
- tlssecret, not traefik-cert.
Upvotes: 1
Reputation: 1150
Finally it worked out as below:
traefik-conf.yml:
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: traefik-conf
      namespace: pulse
    data:
      traefik.yml: |
        api:
          dashboard: true
          insecure: true
        global:
          checkNewVersion: false
          sendAnonymousUsage: false
        ping: {}
        entryPoints:
          websecure:
            address: ":443"
          web:
            address: ":80"
        providers:
          kubernetesCRD: {}
          file:
            filename: /etc/traefik/traefik.yml
            watch: true
        tls:
          stores:
            default:
              defaultCertificate:
                certFile: /ssl/tls.pem
                keyFile: /ssl/tls.key
          options:
            default:
              minVersion: VersionTLS12
              sniStrict: false
          certificates:
            - certFile: /ssl/tls.pem
              keyFile: /ssl/tls.key
I changed the ingress controller as below:
    spec:
      serviceAccountName: traefik-ingress-controller
      containers:
        - name: traefik
          image: traefik:v2.0
          volumeMounts:
            - name: config
              mountPath: /etc/traefik/traefik.yml
              subPath: traefik.yml
            - name: ssl
              mountPath: /ssl
          ports:
            - name: web
              containerPort: 80
            - name: websecure
              containerPort: 443
            - name: admin
              containerPort: 8080
      volumes:
        - name: ssl
          secret:
            secretName: traefik-cert
        - name: config
          configMap:
            name: traefik-conf
Ingress routes:
    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: pulseingressroutetls
      namespace: pulse
    spec:
      entryPoints:
        - websecure
      tls:
        secretName: traefik-cert
      routes:
        ...
Upvotes: 7
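A pre-deployment check for the file and secret name mismatches raised in the remarks on this answer, added here as an example and not code from any of the posts. It assumes that only the `tlssecret` secret from the question exists in the namespace; `check_tls_paths` and the sample data are hypothetical names built from values on this page.

```python
import posixpath
import re

# Constructed sample data using the names on this page.
# `kubectl create secret tls` stores the pair under the keys tls.crt and tls.key,
# and a secret volume exposes each key as a file of that name under the mountPath.
SECRETS = {"tlssecret": {"tls.crt", "tls.key"}}   # assumption: the only secret present
MOUNTS = {"/ssl": "traefik-cert"}                 # mountPath -> secretName in the Deployment
TRAEFIK_TLS = """
tls:
  stores:
    default:
      defaultCertificate:
        certFile: /ssl/tls.pem
        keyFile: /ssl/tls.key
"""

# Matches certFile/keyFile entries, including ones written as list items.
PATH_RE = re.compile(r"^\s*(?:-\s*)?(certFile|keyFile):\s*(\S+)", re.MULTILINE)


def check_tls_paths(config_text, mounts, secrets):
    """Return a sorted list with one message per path that will not exist in the pod."""
    problems = set()
    for field, path in PATH_RE.findall(config_text):
        directory, filename = posixpath.split(path)
        secret = mounts.get(directory)
        if secret is None:
            problems.add(f"{field} {path}: no secret volume mounted at {directory}")
        elif secret not in secrets:
            problems.add(f"{field} {path}: secret '{secret}' does not exist")
        elif filename not in secrets[secret]:
            keys = ", ".join(sorted(secrets[secret]))
            problems.add(f"{field} {path}: secret '{secret}' has keys {keys}")
    return sorted(problems)


if __name__ == "__main__":
    for problem in check_tls_paths(TRAEFIK_TLS, MOUNTS, SECRETS):
        print(problem)
```

A path that does not resolve to a real file leaves Traefik without a usable certificate for the store, which is when the TRAEFIK DEFAULT CERT from the question is served.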
Reputation: 680
Try mounting the secret on your container for it to be identified by the Traefik service. Additionally, configure the IngressRoute with the below config.
    tls:
      certificates:
        - certFile: /path/to/domain.cert
          keyFile: /path/to/domain.key
Hope this helps.
Upvotes: 3