I have a K3S cluster using Traefik as the ingress controller I have an ingress deployed that routes correctly to a sample nginx pod I then added a tls secret to the ingress that contains a server certificate that I created with the cluster IP 192 168 1 6 as the CN IP is also in the SAN I also included some dummy domain using <http k3s test 192 168 1 6 nip io|k3s test 192 168 1 6 nip io> in the SAN section of the cert In Chrome when I use <http k3s test 192 168 1 6 nip io|k3s test 192 168 1 6 nip io> I can see that the server certificate is the one I created However when I just use the IP in Chrome 192 168 1 6 the server cert found is TRAEFIK DEFAULT CERT

I needed to explicitly set Traefik s <https doc traefik io traefik v2 3 https tls default certificate|default certificate> with my own server cert I did this by deploying a TLSStore that references my secret as detailed <https doc traefik io traefik v2 3 routing providers kubernetes crd kind tlsstore|here> Full TLSStore ```apiVersion <http traefik containo us v1alpha1|traefik containo us v1alpha1> kind TLSStore metadata name default namespace test spec defaultCertificate secretName manual rsa cert 2048```

I have a K3S cluster using Traefik as the ingress controller rancher-users #k3s

Title

lively-battery-54332

10/26/2022, 10:54 PM

I have a K3S cluster using Traefik as the ingress controller. I have an ingress deployed that routes correctly to a sample nginx pod. I then added a tls secret to the ingress that contains a server certificate that I created with the cluster IP (192.168.1.6) as the CN (IP is also in the SAN). I also included some dummy domain using (k3s.test.192.168.1.6.nip.io) in the SAN section of the cert. In Chrome, when I use k3s.test.192.168.1.6.nip.io I can see that the server certificate is the one I created. However, when I just use the IP in Chrome - 192.168.1.6 - the server cert found is TRAEFIK DEFAULT CERT.

creamy-pencil-82913

10/26/2022, 10:58 PM

sounds like an issue with your ingress resource

How did you tell traefik to use your cert for that ingress?

lively-battery-54332

10/27/2022, 1:42 PM

I referenced the cert with a secret in the tls section of the ingress. Do I need to further configure traefik too..?

# apiVersion: <http://networking.k8s.io/v1beta1|networking.k8s.io/v1beta1> # for k3s < v1.19
apiVersion: <http://networking.k8s.io/v1|networking.k8s.io/v1>
kind: Ingress
metadata:
  name: test-ingress
  annotations:
   <http://traefik.ingress.kubernetes.io/router.entrypoints|traefik.ingress.kubernetes.io/router.entrypoints>: websecure    <http://traefik.ingress.kubernetes.io/router.tls|traefik.ingress.kubernetes.io/router.tls>: "true"
spec:
  tls:
    - secretName: manaul-rsa-cert-2048
  rules:
    - http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx
                port:
                  number: 80

Snippet of the server cert that the above manaul-rsa-cert-2048 secret references:

Certificate:
...
        Issuer: CN=Dev Signer
        Validity
            Not Before: Oct 26 21:56:00 2022 GMT
            Not After : Oct 29 21:56:00 2022 GMT
        Subject: CN=192.168.1.6
...
            X509v3 Subject Alternative Name: 
                DNS:<http://www.k3s.test.192.168.1.6.nip.io|www.k3s.test.192.168.1.6.nip.io>, DNS:<http://k3s.test.192.168.1.6.nip.io|k3s.test.192.168.1.6.nip.io>, IP Address:192.168.1.6

I needed to explicitly set Traefik's default certificate with my own server cert. I did this by deploying a TLSStore that references my secret as detailed here. Full TLSStore:

apiVersion: <http://traefik.containo.us/v1alpha1|traefik.containo.us/v1alpha1>
kind: TLSStore
metadata:
  name: default
  namespace: test

spec:
  defaultCertificate:
    secretName: manual-rsa-cert-2048

211 Views

#k3s Join Slack