Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Traefik appends a tls route even when tls routes are explicitly provided #430

Open
IbraAoad opened this issue Dec 2, 2024 · 4 comments
Open

Comments

@IbraAoad
Copy link
Contributor

IbraAoad commented Dec 2, 2024

          Summarizing my understanding of what's going on here... please correct any mistakes

For every route, the previous code created a duplicate route ROUTENAME-tls for the same rule and service but with additional TLS configuration. Both applied to the same rule and thus conflict, and the new ROUTENAME-tls route takes precedence over the original ROUTENAME because its name is longer. Prior to #425 this worked fine because we wanted to use ROUTENAME-tls in all cases.

The updated code here avoids making the second -tls route in the specific case where the route includes tls: passthrough: true.

Have we really solved the broader problem here, or narrowly fixed #425? Two questions come to mind:

  1. are there other TLS configurations that someone might pass to traefik via submit_to_traefik? If so, the same issue as Skip tls config when passthrough is enabled #425 will occur
  2. Should the charm be creating these duplicate routes that mask the original routes in the first place? That might be out of scope for the fix here, but we should at least document it as an issue if it is actually an issue.

Originally posted by @ca-scribner in #429 (comment)

@IbraAoad
Copy link
Contributor Author

IbraAoad commented Dec 2, 2024

This was first introduced as part of #100, Trying on grafana which passes tls configs on its own gives the below results,

  routers:
    juju-trfk-test-grafana-k8s-router:
      entryPoints:
      - web
      middlewares:
      - juju-sidecar-noprefix-trfk-test-grafana-k8s
      - juju-sidecar-redir-https-trfk-test-grafana-k8s
      rule: PathPrefix(`/trfk-test-grafana-k8s`)
      service: juju-trfk-test-grafana-k8s-service
    juju-trfk-test-grafana-k8s-router-tls:
      entryPoints:
      - websecure
      rule: PathPrefix(`/trfk-test-grafana-k8s`)
      service: juju-trfk-test-grafana-k8s-service
      tls:
        domains:
        - main: foo.bar
          sans:
          - '*.foo.bar'
    juju-trfk-test-grafana-k8s-router-tls-tls:
      entryPoints:
      - websecure
      rule: PathPrefix(`/trfk-test-grafana-k8s`)
      service: juju-trfk-test-grafana-k8s-service
      tls:
        domains:
        - main: foo.bar
          sans:
          - '*.foo.bar'

the duplicate tls route is redundant in this case, yet we need to investigate if anything breaks on plaintext communication if the added tls route isn't there.

@weiiwang01
Copy link
Contributor

We are experiencing a similar issue. The fix provided in #425 resolves the problem for Wazuh enrollment connections, but the Wazuh agent connection wire protocol is not based on TLS. The addition of the ROUTENAME-tls router interferes with the Wazuh agent connection relay.

What we want is a way to configure Traefik so that the configuration places in traefik_route integration been put exactly as-is into the Traefik configuration file, without any modifications.

@gregory-schiano
Copy link

@IbraAoad The issue mentioned by Weii in his comment is currently blocking us for Wazuh deployment as it avoid Wazuh information to get from the agent to the server.
We could contribute to a fix here if you don't have time, but we should discuss on how to approach this issue.

@ca-scribner
Copy link
Contributor

We're prioritizing this issue, but wont have it done before christmas breaks. ETA is to pick it up at the start of January, but it might take a few days of thinking to figure out.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants