Secure communication between Ingress Controller (Traefik) and backend service on Kubernetes

I had the same problem and could solve it with the insecureSkipVerify flag.
The problem with traefik is, that NiFi gets the request from traefik and sends it's self signed certificate back to traefik for hand shaking. Traefik doesn't accept it, thus the handshake fails, leading to a bad_certificate exception in NiFi (has loglevel DEBUG, so you have to change the logback.xml file).

So one solution could be to add your self signed certificate to traefik, which is not possible at the moment, see this (currently) open issue.

Another solution, without 'insecuring' your existing traefik would be to add an nginx between traefik and NiFi. So traefik talk HTTP with nginx, which talks HTTPS with NiFi (this will be the next thing I'm trying).

Or you can set the insecureSkipVerify flag within traefik like I did in this daemonset.yaml:

apiVersion: extensions/v1beta1kind: DaemonSetmetadata:  creationTimestamp: 2018-06-21T16:18:46Z  generation: 4  labels:    k8s-app: traefik-internal    release: infrastructure  name: traefik-internal  namespace: infrastructure  resourceVersion: "18860064"  selfLink: /apis/extensions/v1beta1/namespaces/infrastructure/daemonsets/traefik-internal  uid: c64a20e1-776e-11f8-be83-42010a9c0ff6spec:  revisionHistoryLimit: 10  selector:    matchLabels:      k8s-app: traefik-internal      name: traefik-internal      release: infrastructure  template:    metadata:      creationTimestamp: null      labels:        k8s-app: traefik-internal        name: traefik-internal        release: infrastructure    spec:      containers:      - args:        - --api        - --ping        - --defaultEntryPoints=http,https        - --logLevel=INFO        - --accessLog        - --kubernetes        - --kubernetes.ingressClass=traefik-internal        - --metrics.prometheus=true        - --entryPoints=Name:https Address::443 TLS:/certs/cert.pem,/certs/cert.key          CA:/certs/clientca.pem        - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https        - --insecureSkipVerify=true        image: traefik:1.6.0-rc6-alpine        imagePullPolicy: IfNotPresent        name: traefik-internal        resources: {}        securityContext:          privileged: true        terminationMessagePath: /dev/termination-log        terminationMessagePolicy: File        volumeMounts:        - mountPath: /certs          name: traefik-internal-certs          readOnly: true      dnsPolicy: ClusterFirst      restartPolicy: Always      schedulerName: default-scheduler      securityContext: {}      serviceAccount: sa-traefik      serviceAccountName: sa-traefik      terminationGracePeriodSeconds: 60      volumes:      - name: traefik-internal-certs        secret:          defaultMode: 420          secretName: traefik-internal  templateGeneration: 4  updateStrategy:    rollingUpdate:      maxUnavailable: 1    type: RollingUpdatestatus:  currentNumberScheduled: 3  desiredNumberScheduled: 3  numberAvailable: 3  numberMisscheduled: 0  numberReady: 3  observedGeneration: 4  updatedNumberScheduled: 3

The insecureSkipVerify flag is changed within spec.containers.args.

Hope that helps!