Enabling Strict SNI Checking with Traefik TLS Options

How do I enable strict SNI checking with Traefik TLS options?

In this guide, we will enable strict SNI checking with Traefik TLS options on a Kubernetes cluster using Pulumi. Server Name Indication (SNI) is an extension to the TLS protocol that lets the client name the host it is trying to reach in the ClientHello, at the start of the handshake. With strict SNI checking enabled, Traefik refuses the handshake when the client sends no SNI, or sends a hostname for which it holds no certificate, instead of falling back to its default certificate; this ensures that the certificate presented by the server matches the hostname requested by the client.

Steps:

  1. Setup Pulumi and Kubernetes Provider: Ensure you have Pulumi and the Kubernetes provider installed and configured.
  2. Create Traefik TLS Options: Define the TLS options with strict SNI checking enabled.
  3. Deploy Traefik with TLS Options: Deploy the Traefik Ingress Controller with the specified TLS options.

import * as pulumi from "@pulumi/pulumi";
import * as k8s from "@pulumi/kubernetes";

// Define the namespace for Traefik
const traefikNamespace = new k8s.core.v1.Namespace("traefik", {
    metadata: {
        name: "traefik",
    },
});

// Deploy the Traefik Ingress Controller and point the websecure entrypoint at the TLS options defined below.
// The chart also installs the TLSOption CRD, so it has to exist before the TLSOption resource can be created.
const traefikHelmChart = new k8s.helm.v3.Chart("traefik", {
    chart: "traefik",
    version: "10.3.0",
    fetchOpts: {
        repo: "https://helm.traefik.io/traefik",
    },
    namespace: traefikNamespace.metadata.name,
    values: {
        additionalArguments: [
            "--providers.kubernetescrd",
            "--entrypoints.websecure.http.tls.options=default@kubernetescrd",
        ],
        deployment: {
            enabled: true,
        },
        service: {
            enabled: true,
        },
    },
});

// Define the Traefik TLS options with strict SNI checking enabled.
// A TLSOption named "default" becomes Traefik's default TLS option; the entrypoint flag above refers to it as default@kubernetescrd.
const traefikTlsOptions = new k8s.apiextensions.CustomResource("traefikTlsOptions", {
    apiVersion: "traefik.containo.us/v1alpha1",
    kind: "TLSOption",
    metadata: {
        name: "default",
        namespace: traefikNamespace.metadata.name,
    },
    spec: {
        sniStrict: true,
        minVersion: "VersionTLS12",
        cipherSuites: [
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
        ],
    },
}, { dependsOn: traefikHelmChart.ready }); // wait for the chart (and its CRDs) before creating the TLSOption

// Export the Traefik service URL. The Service is namespaced, so it is looked up by namespace and name.
export const traefikServiceUrl = pulumi.interpolate`http://${traefikHelmChart
    .getResourceProperty("v1/Service", "traefik", "traefik", "status")
    .loadBalancer.ingress[0].ip}`;
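The rule that sniStrict enforces can be observed directly at the TLS layer. The following is an added example, not code from this page or from the Traefik project: written in Go, the language Traefik itself is implemented in, it runs a loopback TLS server whose GetCertificate callback refuses any ClientHello that does not carry a server_name matching a configured certificate, and a probe that attempts a handshake with a chosen SNI. The self-signed certificate is generated in memory purely for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// StrictSNIConfig applies the sniStrict rule: there is no default-certificate fallback, so a ClientHello without server_name (seen as "") or naming a host with no certificate is refused.
func StrictSNIConfig(certs map[string]tls.Certificate) *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12,
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := certs[hello.ServerName]; ok {
				return &c, nil
			}
			return nil, fmt.Errorf("strict SNI: no certificate for server_name %q", hello.ServerName)
		}}
}

// StartStrictServer self-signs a certificate for host (constructed test material, not a real certificate), listens on an ephemeral loopback port, answers handshakes in the background and returns the address.
func StartStrictServer(host string) string {
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // does not fail with rand.Reader
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host}, NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key) // valid template, does not fail
	certs := map[string]tls.Certificate{host: {Certificate: [][]byte{der}, PrivateKey: key}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", StrictSNIConfig(certs))
	if err != nil {
		panic(err)
	}
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			c.(*tls.Conn).Handshake() // GetCertificate runs here and accepts or refuses the client
			c.Close()
		}
	}()
	return ln.Addr().String()
}

// Probe attempts one handshake with the given SNI (an empty string sends none) and reports whether it completed; verification is skipped because the certificate is self-signed.
func Probe(addr, sni string) bool {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err == nil {
		conn.Close()
	}
	return err == nil
}
```

The same three probes (matching hostname, unknown hostname, no SNI) run against a live websecure entrypoint confirm that the option is active: only the first should complete the handshake.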

Key Points:

  • Namespace: We created a namespace for Traefik to isolate its resources.
  • TLS Options: Defined TLS options with sniStrict set to true to enforce strict SNI checking.
  • Traefik Deployment: Used the Helm chart to deploy Traefik with the specified TLS options.
  • Service URL: Exported the Traefik service URL for easy access.

Summary

By following these steps, we successfully enabled strict SNI checking with Traefik TLS options on a Kubernetes cluster using Pulumi. This setup ensures that the server’s certificate matches the hostname requested by the client, enhancing the security of your applications.
