
average-arm-20932

07/15/2022, 5:23 PM
Hello Team,

I'm using K3s version v1.22.4+k3s1. I need to send the SSL connections directly to the backend, not decrypt them at my Traefik. The backend needs to receive https requests.
The annotation below is not working. Could anyone help me here? Any help appreciated.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cp-certissuer-ing
  namespace: cp-certissuer
  annotations:
    traefik.ingress.kubernetes.io/ssl.passthrough: "True"
spec:
  rules:
  - host: server.example.com
    http:
      paths:
      - backend:
          service:
            name: cp-certissuer
            port:
              number: 8080
        path: /cert/actuator/info
        pathType: Prefix

  tls:
  - hosts:
    - server.example.com
    secretName: cp-certissuer-ssl-secret

worried-businessperson-13284

07/16/2022, 5:44 PM
I used
metadata:
  annotations:
    traefik.ingress.kubernetes.io/service.serversscheme: https

average-arm-20932

07/18/2022, 7:22 PM
Thank you for the reply!

Do you mean I should use 'traefik.ingress.kubernetes.io/service.serversscheme: https' rather than 'traefik.ingress.kubernetes.io/ssl.passthrough: "True"' for SSL-PASSTHROUGH?

Though I have tried your options, it is still not working. Could you please reconfirm it?

worried-businessperson-13284

07/18/2022, 7:34 PM
most important thing to do is enable logging on Traefik then watch it to see what's happening
there are so many variables between setups

average-arm-20932

07/18/2022, 7:49 PM
Okay, let me try to enable the logging and see. In the meantime, I found a Traefik blog where they are talking about how to configure pass-through (IngressRouteTCP) in Kubernetes, but the configuration is different in K3S. https://doc.traefik.io/traefik/v2.1/routing/providers/kubernetes-crd/#kind-ingressroutetcp

worried-businessperson-13284

07/18/2022, 8:02 PM
oooh, you want full pass thru! yeah, that's different to what I'm using. AIUI you'll need to use a Traefik IngressRoute, rather than an Ingress

average-arm-20932

07/18/2022, 8:08 PM
I'm glad you understood what I meant. I have noticed the CRD (ingressroutetcps.traefik.containo.us) is already enabled and IngressRoute is a possible configuration. However, do you have any sample settings which can be configured in K3S?
their example is for TLS termination but there's a note on the pass thru option that sounds like what you want

average-arm-20932

07/21/2022, 2:42 PM
I tried that option also, but no luck 😞.