Ingress to https backend configuration

[ThaiDangFr]

Hello

I have a cluster with 1 master and 2 nodes.
When my ingress is configured with a http backend, all is working fine.
But now I want to use a https backend to bring more security. I have my own Root CA certificate.

First, I managed to make it work with

apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: skipverify
spec:
  insecureSkipVerify: true
---
apiVersion: v1
kind: Service
metadata:
  name: hello-world-svc
  annotations:
    traefik.ingress.kubernetes.io/service.serversscheme: https
    traefik.ingress.kubernetes.io/service.serverstransport: sidecar-tls-httpd-pki-skipverify@kubernetescrd

spec:
  selector:
    app: hello-world
  ports:
    - protocol: TCP
      port: 443
      targetPort: 443
      name: https
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world-ingress
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: default-httpredirect@kubernetescrd
    cert-manager.io/cluster-issuer: intermediate-issuer
    cert-manager.io/common-name: "hello-world.home"
spec:
  rules:
  - host: hello-world.home
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: hello-world-svc
            port:
              number: 443
  tls:
  - hosts:
    - hello-world.home
    secretName: hello-world-secret

But now I would like a solution to remove that :

apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
metadata:
  name: skipverify
spec:
  insecureSkipVerify: true

I guess I need to make traefik trust my Root CA, how to do that ?
I saw we can inject our Root CA into k3s and let it regenerate all certificates : https://docs.k3s.io/cli/certificate#rotating-custom-ca-certificates , but it seems a little brutal just for trusting purpose.

Is it the way to go or is there a solution to add my Root CA to some kind of trustore ?

Many thanks

[brandond]

K3s bundles Traefik, but it is not part of this project. If you have questions that are specific to configuring Traefik, you should take them to https://github.com/traefik/traefik.

Also, the Kubernetes cluster certs have nothing to do with the Traefik ingress certs.

[ThaiDangFr]

I think we can use this : --serversTransport.rootCAs=foo.crt,bar.crt
as described here https://doc.traefik.io/traefik/routing/overview/#http-servers-transports
I'll give a try