
lively-battery-54332

10/26/2022, 10:54 PM
I have a K3S cluster using Traefik as the ingress controller. I have an ingress deployed that routes correctly to a sample nginx pod. I then added a tls secret to the ingress that contains a server certificate that I created with the cluster IP (192.168.1.6) as the CN (IP is also in the SAN). I also included some dummy domain using (k3s.test.192.168.1.6.nip.io) in the SAN section of the cert. In Chrome, when I use k3s.test.192.168.1.6.nip.io I can see that the server certificate is the one I created. However, when I just use the IP in Chrome - 192.168.1.6 - the server cert found is TRAEFIK DEFAULT CERT.

creamy-pencil-82913

10/26/2022, 10:58 PM
sounds like an issue with your ingress resource
How did you tell traefik to use your cert for that ingress?

lively-battery-54332

10/27/2022, 1:42 PM
I referenced the cert with a secret in the tls section of the ingress. Do I need to further configure traefik too..?
# apiVersion: networking.k8s.io/v1beta1 # for k3s < v1.19
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
    - secretName: manaul-rsa-cert-2048
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx
                port:
                  number: 80
Snippet of the server cert that the above manaul-rsa-cert-2048 secret references:
Certificate:
...
        Issuer: CN=Dev Signer
        Validity
            Not Before: Oct 26 21:56:00 2022 GMT
            Not After : Oct 29 21:56:00 2022 GMT
        Subject: CN=192.168.1.6
...
            X509v3 Subject Alternative Name: 
                DNS:www.k3s.test.192.168.1.6.nip.io, DNS:k3s.test.192.168.1.6.nip.io, IP Address:192.168.1.6
I needed to explicitly set Traefik's default certificate with my own server cert. I did this by deploying a TLSStore that references my secret as detailed here. Full TLSStore:
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: test

spec:
  defaultCertificate:
    secretName: manual-rsa-cert-2048