
kubernetes traefik ssl passthrough


kubernetes: 1.25

traefik: 2.8.7

domain: gitlab.mydomain-prod.dk (I already have certificates for this domain)

kubectl get svc gitlab-ce -n gitlab -o yaml

apiVersion: v1
kind: Service
metadata:
  labels:
    app: gitlab-ce
  name: gitlab-ce
  namespace: gitlab
spec:
  clusterIP: 10.98.93.9
  clusterIPs:
  - 10.98.93.9
  internalTrafficPolicy: Cluster
  ipFamilies:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: port-1
    port: 80
    protocol: TCP
    targetPort: 80
  - name: port-2
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    app: gitlab-ce
  sessionAffinity: None
  type: ClusterIP

So, I have a gitlab pod configured with http:

In gitlab.rb I have external_url 'http://gitlab.mydomain-prod.dk'

Here is the ingressroute:

kubectl get ingressroute -n gitlab -o yaml

apiVersion: v1
items:
- apiVersion: traefik.containo.us/v1alpha1
  kind: IngressRoute
  metadata:
    name: gitlab-ingress
    namespace: gitlab
  spec:
    entryPoints:
    - websecure
    routes:
    - kind: Rule
      match: Host(`gitlab.mydomain-prod.dk`) && PathPrefix(`/`)
      priority: 1
      services:
      - name: gitlab-ce
        port: 80
    tls:
      secretName: gitlab-test-cert

With the current config, I can access https://gitlab.mydomain-prod.dk

But if I also enable https inside the gitlab pod (gitlab will listen on both 80 and 443):

external_url 'https://gitlab.mydomain-prod.dk'

With the same ingressroute I get a bad gateway...

So, my question is: once I have configured gitlab for both http/https, how do I define traefik for ssl passthrough?

Something similar to OpenShift:

oc create route passthrough route-passthrough-secured --service=frontend --port=80

Solution

  • To define the traefik for ssl passthrough, the gitlab should listen on the HTTP and HTTPS ports. As per the question, you seem to be getting a bad gateway when you are running the same ingress route on HTTPS. Refer to HTTPS on Kubernetes Using Traefik Proxy by Rahul Sharma and Traefik Proxy 2.x and TLS 101 by Gerald Croes.

    To configure this SSL passthrough, you need to configure a TCP router by following the traefik SSL termination doc by Oracle Fusion Middleware and modify your IngressRoute configuration so that Traefik can pass through SSL traffic to the backend GitLab service. Make sure tls.passthrough is true; this delegates the SSL termination to the backend. Then verify whether you are able to access the application.
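As an added example (not part of the answer above), here is what the TCP router with tls.passthrough looks like for the service in the question, assuming the websecure entrypoint, the gitlab-ce service and the gitlab.mydomain-prod.dk host from the page. It replaces the HTTP IngressRoute for this host: once Traefik passes the TLS stream through, it never sees HTTP, so the secretName certificate is no longer used and GitLab must present the domain certificate itself.

```yaml
# Added example: SSL passthrough for GitLab via a Traefik IngressRouteTCP.
# Traefik matches only on the TLS SNI and forwards raw bytes to GitLab:443.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: gitlab-passthrough        # assumed name
  namespace: gitlab
spec:
  entryPoints:
    - websecure                   # Traefik's TLS entrypoint (from the question)
  routes:
    # HostSNI is the only routing key available: the payload stays encrypted,
    # so Traefik cannot apply HTTP middlewares, headers or path rules here.
    - match: HostSNI(`gitlab.mydomain-prod.dk`)
      services:
        - name: gitlab-ce
          port: 443               # GitLab's own HTTPS listener, not port 80
  tls:
    passthrough: true             # do not terminate TLS; GitLab terminates it
```

Apply it and check which certificate the client actually receives with openssl s_client -servername gitlab.mydomain-prod.dk -connect <traefik-ip>:443; it must be the certificate configured in GitLab, not the gitlab-test-cert secret. The HTTP IngressRoute for the same host on websecure should be deleted, otherwise two routers claim the same hostname.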