When end-to-end encryption is a requirement, the load balancer should be configured for SSL/TLS passthrough: an incoming TLS connection is not decrypted at the load balancer but forwarded as-is to the backend server, which terminates TLS itself. The trade-off to understand before choosing it: the load balancer only sees the TLS handshake (in particular the SNI host name) and routes on that, so it cannot inspect or modify HTTP traffic on that route (no path-based routing, header rewriting, HTTP middleware or request logging), and the backend — not the load balancer — must hold the certificate and its private key.
Traefik's IngressRouteTCP custom resource (a TCP router) supports this through `tls.passthrough: true` combined with a `HostSNI(...)` match rule. The manifests below define the objects needed to run Traefik as an ingress controller in the `test` namespace and pass TLS through to a backend service:
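# Traefik v2 ingress controller with a TLS-passthrough TCP router.
#
# Passthrough means Traefik never decrypts the stream: it reads the SNI from
# the TLS ClientHello, routes on it and forwards the bytes unchanged to the
# backend, which must hold the certificate and private key. Consequently the
# HTTP-level objects in this listing (Middleware, TLSOption) do not apply to
# the passthrough route; they are kept only for HTTP routes you may add later.
#
# Changes versus the original listing (all security/correctness related):
#   * traefik.toml uses a literal block (`|`) — a folded block (`>-`) joins
#     the TOML lines with spaces and produces invalid TOML.
#   * `defaultEntryPoints` dropped: it is a Traefik v1 option with no v2
#     equivalent, and the v2 static-config decoder rejects unknown fields.
#   * log level INFO instead of DEBUG (debug output includes request details).
#   * The `traefik-cert` Secret is no longer mounted into the proxy: nothing
#     in traefik.toml references /etc/traefik/certs and a passthrough proxy
#     must not hold the backend's private key. Mount it only if you terminate
#     TLS for other routes.
#   * RBAC trimmed to what the enabled provider (kubernetesCRD) reads.
#   * Container securityContext added; the IngressRouteTCP now listens only
#     on the TLS entry point.
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik-ingresscontroller-configmap
  namespace: test
data:
  traefik.toml: |
    [entryPoints]
      [entryPoints.http]
        address = ":80"
      [entryPoints.https]
        address = ":443"

    # The API/dashboard is enabled but NOT exposed: `insecure` is left at its
    # default (false), so it is reachable only through a router you define
    # explicitly on the api@internal service — put authentication in front of
    # that router. Never set `insecure = true` on a controller facing clients.
    [api]

    [providers]
      [providers.kubernetesCRD]
        # Restricting the provider to one namespace limits which IngressRoute*
        # objects (and referenced Secrets) this controller will act on.
        namespaces = ["test"]
      [providers.file]
        # The file provider supplies *dynamic* configuration; pointing it at
        # the static file is a no-op until dynamic sections are added there.
        filename = "/etc/traefik/traefik.toml"
        watch = true

    [global]
      sendAnonymousUsage = false

    [log]
      # DEBUG logs request details; use it only while troubleshooting.
      level = "INFO"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-ingresscontroller
  namespace: test
---
# CRDs. apiextensions.k8s.io/v1beta1 (and rbac v1beta1 below) are what Traefik
# 2.0 shipped; both were removed in Kubernetes 1.22. On newer clusters use the
# v1 CRD manifests published for the Traefik release matching your image.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutes.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRoute
    plural: ingressroutes
    singular: ingressroute
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ingressroutetcps.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: IngressRouteTCP
    plural: ingressroutetcps
    singular: ingressroutetcp
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: middlewares.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: Middleware
    plural: middlewares
    singular: middleware
  scope: Namespaced
---
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: tlsoptions.traefik.containo.us
spec:
  group: traefik.containo.us
  version: v1alpha1
  names:
    kind: TLSOption
    plural: tlsoptions
    singular: tlsoption
  scope: Namespaced
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingresscontroller
rules:
  # Least privilege: the provider is restricted to namespace "test", so these
  # read rights — notably on Secrets — can be granted with a namespaced
  # Role/RoleBinding in "test" instead of cluster-wide; verify with your
  # Traefik version before switching. The extensions/ingresses rules of the
  # original listing are dropped because the kubernetesIngress provider is
  # not enabled in traefik.toml.
  - apiGroups: [""]
    resources: [services, endpoints, secrets]
    verbs: [get, list, watch]
  - apiGroups: [traefik.containo.us]
    resources: [middlewares, tlsoptions, ingressroutes, ingressroutetcps]
    verbs: [get, list, watch]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
  name: traefik-ingresscontroller
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-ingresscontroller
subjects:
  - kind: ServiceAccount
    name: traefik-ingresscontroller
    namespace: test
---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: traefik-ingresscontroller
  namespace: test
  labels:
    k8s-app: traefik-ingresslb
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingresslb
  template:
    metadata:
      name: traefik-ingresslb
      labels:
        k8s-app: traefik-ingresslb
    spec:
      serviceAccountName: traefik-ingresscontroller
      terminationGracePeriodSeconds: 60
      containers:
        - name: traefik-ingresslb
          # Supply chain: a tag can be re-pointed; pin by digest
          # (traefik@sha256:...) in production and track upstream releases.
          image: traefik:v2.0.2
          ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443
          securityContext:
            allowPrivilegeEscalation: false
            # Traefik writes nothing here except /tmp (an emptyDir below);
            # re-check if you later enable ACME storage or similar.
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
              # Needed only because the entry points bind ports 80/443.
              add: ["NET_BIND_SERVICE"]
          volumeMounts:
            - name: traefik-conf-vol
              mountPath: /etc/traefik
            - name: tmp-vol
              mountPath: /tmp
      volumes:
        - name: traefik-conf-vol
          configMap:
            name: traefik-ingresscontroller-configmap
        - name: tmp-vol
          emptyDir:
            medium: Memory
---
kind: Service
apiVersion: v1
metadata:
  name: traefik-svc
  namespace: test
spec:
  type: NodePort
  selector:
    k8s-app: traefik-ingresslb
  ports:
    # NodePorts are reachable on every node's address; restrict with network
    # policy / firewall rules if the nodes are not behind an external LB.
    - name: http
      protocol: TCP
      port: 80
      nodePort: 30220
    - name: https
      protocol: TCP
      port: 443
      nodePort: 30222
---
# NOTE: a TLSOption only governs TLS that Traefik itself terminates. It has no
# effect on the passthrough route below; the minimum version is then enforced
# by the backend's TLS configuration.
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: test-tlsoption
  namespace: test
spec:
  minVersion: VersionTLS12
---
# NOTE: Middleware is HTTP-only and cannot be attached to an IngressRouteTCP;
# with passthrough Traefik never sees the request path. Kept for HTTP routes.
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: replacetest
  namespace: test
spec:
  replacePathRegex:
    regex: \/test-([a-zA-Z]+-[a-zA-Z0-9]+|[a-zA-Z0-9]+)\/(.*)
    replacement: /$2
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: test-app-ir
  namespace: test
spec:
  # Only the TLS entry point. A passthrough router matches on the SNI of the
  # TLS ClientHello, so listing the plain "http" entry point (as the original
  # did) can never match and merely wires port 80 to this router for nothing.
  entryPoints:
    - https
  routes:
    - match: HostSNI(`myapp.mydomain.com`)
      kind: Rule
      priority: 1
      services:
        - name: myapp-service
          port: 8080
          weight: 1
  tls:
    # Forward the encrypted stream untouched; the backend on port 8080 must
    # present the certificate for myapp.mydomain.com and hold its private key.
    passthrough: true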
References:
https://doc.traefik.io/traefik/v2.1/routing/providers/kubernetes-crd/#kind-ingressroutetcp
https://doc.traefik.io/traefik/v1.7/user-guide/kubernetes/
https://doc.traefik.io/traefik/reference/dynamic-configuration/kubernetes-crd/