Subdomain routing mode does not work properly with TLS certificates #244
Comments
|
On traefik side, we have a matching config in place, traefik-k8s-operator/src/charm.py Lines 1065 to 1071 in 4086e3b but we do not have a matching cert for that, as we always generate a CSR with traefik's external hostname (config option) or IP address (metallb). Yes, the CertHandler approach was designed with only path routing in mind.
Seems like the correct approach, but relation count would have to be artificially limited by the charm because the number of SANs per cert is limited. |
This would only be an issue if we keep appending SANs to the same certificate. If we instead create one CSR per known subdomain so they all have individual certs, it won't be a concern. That approach, however, potentially opens up for rate-limiting issues with some public CAs like Let's Encrypt (50 certs per registered domain per week) |
The rate limit is a similar concern for both approaches:
BTW the max number of SANs per cert depends on the implementation:
|
One cert for all subdomains seems simpler but more restricting:
Thoughts? |
|
Another though: Currently, traefik treats ingress per app and per unit very similarly for subdomain routing: juju run trfk/0 show-proxied-endpoints --format json | jq -r '."trfk/0".results."proxied-endpoints"' | jq{
"prom/0": {
"url": "http://sbds-prom-0.cluster.local/"
},
"am": {
"url": "http://sbds-am.cluster.local/"
}
}If we change things up a bit: {
"prom/0": {
"url": "http://unit-0.prom.sbds.cluster.local/"
},
"am": {
"url": "http://am.sbds.cluster.local/"
}
}Then:
|
|
FYI I'm facing this issue on the IAM bundle deployment, we need a TLS certificate for the ingress publicly exposing hydra, kratos, and login-ui but the CSR only covers the hostname. |
I would be more in favor of different cert per subdomain or wildcard certificate. One cert for all domain can be tricky if the user chooses the "tls-certificates-operator" that allow providing certificates manually. Any relation added/removed will require the re-issue of the certificate manually. |
|
Diagram summary of what's currently under consideration: |
|
Small comment about using wildcard certificates. Wildcard certificates can't be validated using HTTP challenge in ACME protocol. We don't have any provider charm that uses HTTP challenge, but this could have consequences |
|
Per discussion:
|
|
is there any update on this? @sed-i |
Bug Description
When using Traefik in the
subdomainrouting mode, all Ingress will use Traefik's default certificate.CertHandlermanages a single certificate for Traefik, and uses theexternal_hostnameas the subject andsans. New Ingresses generated hostnames will not be represented in the certificate, and the SNI matching will not work, thus serving the default certificate.I see 3 ways of fixing this issue:
CertHandlerto support multiple certificates, and when set to thesubdomainrouting mode, request new certificates for each Ingress.CertHandlerand use the tls library directly to request new certificates for each Ingress when set to thesubdomainrouting mode.CertHandleras is and addf"*.{external_hostname}"to the list of sans to request a wildcard certificate. This would have negative security implications however and I do not think it should be implemented; I am only mentioning it for completeness' sake.To Reproduce
juju deploy traefik-k8s --trust --channel edge --config routing_mode=subdomain --config external_hostname=potato.comjuju deploy zinc-k8s --trust --channel edgejuju deploy self-signed-certificates --trust --channel edgejuju relate self-signed-certificates:certificates traefik-k8s:certificatejuju relate zinc-k8s:ingress traefik-k8s:ingressEnvironment
This was tested with every charm from the edge channel, running locally on MicroK8s v1.27.5 revision 5892 with Juju 3.1.5-genericlinux-amd64.
Relevant log output
Additional context
No response
The text was updated successfully, but these errors were encountered: