Secure communication between Ingress Controller (Traefik) and backend service on Kubernetes
I had the same problem and could solve it with the insecureSkipVerify flag.
The problem with traefik is that NiFi gets the request from traefik and sends its self-signed certificate back to traefik for the handshake. Traefik doesn't accept it, thus the handshake fails, leading to a bad_certificate exception in NiFi (has loglevel DEBUG, so you have to change the logback.xml file).
So one solution could be to add your self-signed certificate to traefik, which is not possible at the moment, see this (currently) open issue.
Another solution, without 'insecuring' your existing traefik, would be to add an nginx between traefik and NiFi. So traefik talks HTTP with nginx, which talks HTTPS with NiFi (this will be the next thing I'm trying).
Or you can set the insecureSkipVerify flag within traefik like I did in this daemonset.yaml:

```yaml
apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  creationTimestamp: 2018-06-21T16:18:46Z
  generation: 4
  labels:
    k8s-app: traefik-internal
    release: infrastructure
  name: traefik-internal
  namespace: infrastructure
  resourceVersion: "18860064"
  selfLink: /apis/extensions/v1beta1/namespaces/infrastructure/daemonsets/traefik-internal
  uid: c64a20e1-776e-11f8-be83-42010a9c0ff6
spec:
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: traefik-internal
      name: traefik-internal
      release: infrastructure
  template:
    metadata:
      creationTimestamp: null
      labels:
        k8s-app: traefik-internal
        name: traefik-internal
        release: infrastructure
    spec:
      containers:
      - args:
        - --api
        - --ping
        - --defaultEntryPoints=http,https
        - --logLevel=INFO
        - --accessLog
        - --kubernetes
        - --kubernetes.ingressClass=traefik-internal
        - --metrics.prometheus=true
        - --entryPoints=Name:https Address::443 TLS:/certs/cert.pem,/certs/cert.key CA:/certs/clientca.pem
        - --entryPoints=Name:http Address::80 Redirect.EntryPoint:https
        - --insecureSkipVerify=true
        image: traefik:1.6.0-rc6-alpine
        imagePullPolicy: IfNotPresent
        name: traefik-internal
        resources: {}
        securityContext:
          privileged: true
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /certs
          name: traefik-internal-certs
          readOnly: true
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: sa-traefik
      serviceAccountName: sa-traefik
      terminationGracePeriodSeconds: 60
      volumes:
      - name: traefik-internal-certs
        secret:
          defaultMode: 420
          secretName: traefik-internal
  templateGeneration: 4
  updateStrategy:
    rollingUpdate:
      maxUnavailable: 1
    type: RollingUpdate
status:
  currentNumberScheduled: 3
  desiredNumberScheduled: 3
  numberAvailable: 3
  numberMisscheduled: 0
  numberReady: 3
  observedGeneration: 4
  updatedNumberScheduled: 3
```
The insecureSkipVerify flag is changed within spec.containers.args.
Hope that helps!
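Since --insecureSkipVerify=true turns off certificate verification for every backend Traefik 1.x proxies to (not only NiFi), it is worth being able to find it again later. The following is an added audit helper, not code from the answer above: it walks a workload object as returned by kubectl get ... -o json (a constructed, trimmed sample modelled on the DaemonSet above is embedded) and reports containers that disable backend TLS verification or run privileged, which the manifest above also does.

```python
import json

# Constructed sample: a trimmed kubectl get daemonset -o json output modelled on the
# DaemonSet in the answer above; not an object taken from a real cluster.
SAMPLE_DAEMONSET = json.loads("""
{
  "kind": "DaemonSet",
  "metadata": {"name": "traefik-internal", "namespace": "infrastructure"},
  "spec": {"template": {"spec": {"containers": [
    {"name": "traefik-internal",
     "image": "traefik:1.6.0-rc6-alpine",
     "args": ["--api", "--kubernetes",
              "--entryPoints=Name:https Address::443 TLS:/certs/cert.pem,/certs/cert.key",
              "--insecureSkipVerify=true"],
     "securityContext": {"privileged": true}}
  ]}}}
}
""")


def audit_workload(obj):
    """Return a list of (container id, finding) tuples for risky Traefik settings."""
    findings = []
    meta = obj.get("metadata", {})
    ident = f"{obj.get('kind')}/{meta.get('namespace')}/{meta.get('name')}"
    containers = obj["spec"]["template"]["spec"].get("containers", [])
    for container in containers:
        name = f"{ident}:{container.get('name')}"
        for arg in container.get("args", []):
            # Traefik 1.x: the bare flag or "=true" disables verification of
            # every backend's certificate, so the proxy can no longer detect a
            # substituted backend.
            key, _, value = arg.partition("=")
            if key.lower() == "--insecureskipverify" and value.lower() in ("", "true"):
                findings.append((name, "backend TLS verification disabled (insecureSkipVerify)"))
        if container.get("securityContext", {}).get("privileged"):
            findings.append((name, "container runs privileged"))
    return findings


if __name__ == "__main__":
    for container_id, finding in audit_workload(SAMPLE_DAEMONSET):
        print(f"{container_id}: {finding}")
```

In practice you would feed it each item of kubectl get daemonsets,deployments -A -o json and review every hit.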