canonical / traefik-k8s-operator

This charmed operator automates the operational procedures of running Traefik, an open-source application proxy.
https://charmhub.io/traefik-k8s
Apache License 2.0

Traefik's server_cert_sans_dns has unexpected contents #347

Open PietroPasotti opened 2 months ago

PietroPasotti commented 2 months ago

Bug Description

TLDR: "It works on my virtual machine"

Traefik issues a CSR for "Creating CSR for darkstar.kpn with DNS ['darkstar.kpn'] and IPs []" because Traefik.server_cert_sans_dns is returning ['darkstar.kpn'], i.e.:

Supposing the app IP is "10.64.140.43":

>>> import socket
>>> socket.gethostbyaddr("10.64.140.43")
('darkstar.kpn', [], ['10.64.140.43'])

Note that darkstar is the name of my machine.

In a VM, you get

>>> socket.gethostbyaddr("10.233.117.142")
('10-233-117-142.kubernetes.default.svc.cluster.local', [], ['10.233.117.142'])

Traefik doesn't expect 'darkstar.kpn' and therefore we have a mismatch between the SANs in the certs issued to traefik by self-signed-certificates.

Note: in another case (the VM's network was bridged to the host with e.g. --network enp1s0), we got:

>>> socket.gethostbyaddr("192.168.1.250")
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
socket.herror: [Errno 1] Unknown host


To Reproduce

n/a

Environment

n/a

Relevant log output

n/a

Additional context

No response

mmkay commented 1 week ago

We could try setting traefik's external hostname to darkstar.kpn to see if that helps. If this is the issue, we could try to document it or detect this scenario and change the logic around it.
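
Added example, not part of the thread and not the charm's code: a sketch of the "detect this scenario" idea, run against the three reverse-lookup outcomes quoted in the issue. `plan_sans`, `fake_gethostbyaddr`, the `expected_suffix` default and the fallback policy are all assumptions made for illustration; the PTR table is constructed from the values in the issue so the block runs offline.

```python
import ipaddress
import socket

# Constructed PTR table mirroring the lookups quoted in the issue.
SAMPLE_PTR = {
    "10.64.140.43": "darkstar.kpn",
    "10.233.117.142": "10-233-117-142.kubernetes.default.svc.cluster.local",
}


def fake_gethostbyaddr(ip):
    """Offline stand-in for socket.gethostbyaddr, same return shape."""
    if ip not in SAMPLE_PTR:
        raise socket.herror(1, "Unknown host")
    return (SAMPLE_PTR[ip], [], [ip])


def plan_sans(ip, external_hostname=None,
              expected_suffix=".svc.cluster.local",
              resolver=socket.gethostbyaddr):
    """Return (dns_sans, ip_sans, warnings) for a CSR (hypothetical helper).

    Assumed policy: an operator-set hostname wins; a PTR name is used only
    if it ends with expected_suffix; otherwise fall back to an IP SAN.
    """
    ipaddress.ip_address(ip)  # ValueError on malformed input
    if external_hostname:
        return [external_hostname], [], []
    try:
        name = resolver(ip)[0]
    except (socket.herror, socket.gaierror) as exc:
        return [], [ip], [f"reverse lookup of {ip} failed: {exc}"]
    if not name.endswith(expected_suffix):
        return [], [ip], [f"PTR name {name!r} for {ip} is not under {expected_suffix!r}"]
    return [name], [], []


if __name__ == "__main__":
    for addr in ("10.64.140.43", "10.233.117.142", "192.168.1.250"):
        print(addr, plan_sans(addr, resolver=fake_gethostbyaddr))
```

Because the result of a reverse lookup depends on the host's resolver, the warnings list is what makes the workstation case visible instead of silently producing a certificate with a SAN nobody configured.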