Troubleshooting Traefik with Self-Signed Certificates in Kubernetes

Asked By CuriousCoder42 On

I'm new to Kubernetes and I'm encountering some issues with Traefik and OpenBao UI. I've set up self-signed certificates using cert-manager and distributed them via trust-manager. All OpenBao nodes communicate using TLS without any issues, but I'm getting a certificate error when trying to access OpenBao UI through Traefik. Interestingly, when I can access the shell inside the Traefik node, I can successfully wget the service domain. I suspect that the issue arises because Traefik, acting as a reverse proxy, accesses the IPs of the pods which aren't included in the certificate. I'm unsure how to add these IPs to the certificate that cert-manager generates. While I could disable SSL verification, I prefer finding a proper way to resolve this issue—ideally without using a service mesh.

2 Answers

Answered By DevGuru101 On

We need some more details to help out. What versions are you running for Kubernetes and Traefik? Also, how are you generating your certificates? What kind of error are you seeing in Traefik? Are you trying to access OpenBao UI via a web browser or only through the command line?

Typically, you should access the service through Ingress. I had a similar issue with a local Minio setup. What worked for me was ensuring every possible internal DNS name for your OpenBao pods is included in the SANs of the certificate. Check out how the Minio tool generates self-signed certs; it may help you troubleshoot your setup!

ClarifyingUser -

Thanks for the tips! Here’s what I’m using: Kubernetes 1.35.0, Traefik 3.6.4, and OpenBao 2.4.4... I’ll look into the DNS names you mentioned!

Answered By TechWhiz88 On

You shouldn't have the pod IP in your certificate because it can change. Instead, make sure the service hostname is included in your self-signed certificates. Have you checked Traefik's logs to see why it can't connect to OpenBao? A suggestion would be to use TLS Passthrough with Traefik to avoid interrupting the TLS traffic, especially given the importance of secrets management in your setup.

InsightfulInterloper -

Oh, and just to clarify what I meant: service hostnames, not pod hostnames!
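Putting the two answers together (DevGuru101: every internal DNS name in the SANs; TechWhiz88: verify the service hostname, not pod IPs), here is an added example of how that looks as manifests. It is not from anyone in this thread; the namespace, service, pod, issuer, secret and hostname names are assumptions.

```yaml
# Added example, not from this thread. Assumed names: namespace "openbao",
# ClusterIP service "openbao" on port 8200, headless service "openbao-internal"
# in front of StatefulSet pods openbao-0..2, cert-manager Issuer "internal-ca",
# and a Secret "internal-ca" holding the CA under ca.crt (from trust-manager).
# 1) SANs cover every DNS name a client may dial; pod IPs are never listed.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: openbao-tls
  namespace: openbao
spec:
  secretName: openbao-tls
  issuerRef:
    name: internal-ca
    kind: Issuer
  dnsNames:
    - openbao
    - openbao.openbao.svc
    - openbao.openbao.svc.cluster.local
    - openbao-0.openbao-internal.openbao.svc.cluster.local
    - openbao-1.openbao-internal.openbao.svc.cluster.local
    - openbao-2.openbao-internal.openbao.svc.cluster.local
---
# 2) Traefik verifies the backend cert against the service name (not the pod
#    IP it dials) and trusts only the internal CA, so insecureSkipVerify stays off.
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: openbao-backend
  namespace: openbao
spec:
  serverName: openbao.openbao.svc.cluster.local
  rootCAsSecrets:
    - internal-ca
---
# 3) The UI route re-encrypts to OpenBao through that transport.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: openbao-ui
  namespace: openbao
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`openbao.example.internal`)  # assumed external hostname
      kind: Rule
      services:
        - name: openbao
          port: 8200
          scheme: https
          serversTransport: openbao-backend
  tls: {}  # Traefik's default certificate; set secretName for a real one
```

If you prefer TechWhiz88's passthrough approach instead, replace part 3 with an IngressRouteTCP that matches on HostSNI and sets `tls.passthrough: true`; Traefik then never terminates TLS and the browser sees OpenBao's own certificate, so the external hostname must also be in the SANs above.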
