Here's my setup:

  1. I have several namespaces, and some of these contain pods that expose RDP ports.
  2. Port 3389 is blocked by a firewall, so I have to use another port that maps to port 3389 on the pod.

Since this is a TCP connection, I tried:

---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: rdp-ingress
  namespace: ns1
spec:
  entryPoints:
    - metrics
  routes:
    - match: HostSNI(`ns1.example.domain.com`)
      services:
        - name: windows
          port: 3389
  tls:
    secretName: tls-cert

However, it seems that this terminates the TLS connection, so instead, I would need a pass through:

tls:
  passthrough: true

So, I configured Windows to use that certificate (no wildcards) for RDP connections, which works (I set up a load balancer service to test out RDP, but that requires a separate IP, which I need to avoid).

That didn't work either.

This post seems to suggest that I need to use a certresolver, but I don't have any of that setup.

I'm wondering if there is a way to configure Traefik such that:

  1. It accepts a TCP connection against ns1.example.domain.com:9100
  2. Use a certificate that already exists which contains san:DNS=ns1.example.domain.com
  3. Connect to the pod on port 3389, also using TLS.

I think that the RDP certificates are a little different? I'm also not sure if that affects SNI. I'm also not sure how a passthrough could work; Traefik needs to know how to direct the incoming TCP connection and does this by looking at the SNI, which is contained in the certificate. Based on this post, it seems that the handshake also contains the domain, so SNI doesn't just rely on the certificate?

Is there a way to set this up in Traefik? :)

Pooven
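
Added example, written for this page (it is not part of the question above and not Traefik's own code): what a TLS-passthrough TCP router such as Traefik's HostSNI() matcher actually has to work with in the first bytes of a connection. It builds a TLS ClientHello carrying a server_name extension and an RDP X.224 Connection Request, both constructed by hand from the RFC 8446 and MS-RDPBCGR layouts, and parses the SNI the way a passthrough router must: from the client's ClientHello, never from a certificate, because in passthrough mode the router forwards the connection before any certificate is exchanged. The RDP packet shows the other half of the problem: an RDP session opens with this plaintext X.224 exchange and only starts TLS after the server's Connection Confirm, so the first bytes on the wire are not a ClientHello and carry no SNI at all. The host name is taken from the question; the cookie value and the placeholder cipher suite are assumptions of the example.

```python
"""Added example (not from the question above, not Traefik's code): what a
TLS-passthrough router like Traefik's HostSNI() can see in a connection's first
bytes. Packets are constructed by hand (RFC 8446 ClientHello, MS-RDPBCGR X.224
Connection Request), so this runs offline."""
import struct

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
HS_CLIENT_HELLO = 0x01    # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # server_name (SNI) extension
RDP_PROTOCOLS = {1: "PROTOCOL_SSL", 2: "PROTOCOL_HYBRID", 4: "PROTOCOL_RDSTLS", 8: "PROTOCOL_HYBRID_EX"}


def build_client_hello(server_name):
    """Minimal ClientHello record (constructed sample input): only the fields a
    router must walk past, with one placeholder cipher suite (assumption)."""
    extensions = b""
    if server_name is not None:
        host = server_name.encode("ascii")
        entry = struct.pack("!BH", 0, len(host)) + host            # name_type host_name(0)
        sni = struct.pack("!H", len(entry)) + entry                 # ServerNameList
        extensions = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32)                                  # version, random
            + b"\x00"                                                # empty session_id
            + struct.pack("!HH", 2, 0x1301)                          # cipher_suites
            + b"\x01\x00"                                            # compression: null
            + struct.pack("!H", len(extensions)) + extensions)
    hs = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(hs)) + hs


def build_rdp_connection_request(cookie="mstshash=user1"):
    """The plaintext X.224 Connection Request that opens an RDP session
    (constructed sample input). TLS starts only after the server's Connection
    Confirm, so these bytes, not a ClientHello, are what a TCP router sees first."""
    neg_req = struct.pack("<BBHI", 0x01, 0x00, 8, 0x03)              # rdpNegReq: SSL|HYBRID
    variable = b"Cookie: " + cookie.encode("ascii") + b"\r\n" + neg_req
    x224 = b"\xe0\x00\x00\x00\x00\x00" + variable                    # CR, dst-ref, src-ref, class
    x224 = bytes([len(x224)]) + x224                                 # LI = bytes that follow
    return struct.pack("!BBH", 0x03, 0x00, 4 + len(x224)) + x224     # TPKT header


def extract_sni(data):
    """SNI host_name from a TLS ClientHello, else None. This is the only name a
    passthrough router has: the server certificate arrives later (and under
    TLS 1.3 it is encrypted anyway)."""
    try:
        if data[0] != TLS_HANDSHAKE:
            return None
        rec = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if rec[0] != HS_CLIENT_HELLO:
            return None
        hs_len = int.from_bytes(rec[1:4], "big")
        hs = rec[4:4 + hs_len]
        if len(hs) < hs_len:
            return None                                   # truncated; a router would read more
        p = 2 + 32                                        # skip version + random
        p += 1 + hs[p]                                    # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]      # cipher_suites
        p += 1 + hs[p]                                    # compression_methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hs[p:p + 4])
            p += 4
            if ext_type == EXT_SERVER_NAME:
                q = p + 2                                 # skip ServerNameList length
                while q + 3 <= p + ext_len:
                    name_type, n = struct.unpack("!BH", hs[q:q + 3])
                    q += 3
                    if name_type == 0:
                        return hs[q:q + n].decode("ascii")
                    q += n
            p += ext_len
        return None
    except (IndexError, struct.error):
        return None


def classify_first_bytes(data):
    """What arrived first decides whether name-based routing is possible at all."""
    if len(data) >= 4 and data[0] == 0x03 and data[1] == 0x00:
        return "rdp-x224-connection-request"               # TPKT header: plaintext, no TLS yet
    if extract_sni(data) is not None:
        return "tls-clienthello-with-sni"
    if len(data) >= 6 and data[0] == TLS_HANDSHAKE and data[5] == HS_CLIENT_HELLO:
        return "tls-clienthello-without-sni"
    return "unknown"


def parse_rdp_connection_request(data):
    """What the plaintext RDP opener does carry: the cookie (the Windows client
    fills it from the user name, so it is visible on the wire) and the
    security protocols the client is willing to use."""
    if classify_first_bytes(data) != "rdp-x224-connection-request" or data[5] != 0xE0:
        raise ValueError("not an X.224 Connection Request")
    variable = data[11:5 + data[4]]                          # after LI, CR, refs, class
    cookie = None
    if variable.startswith(b"Cookie: "):
        eol = variable.index(b"\r\n")
        cookie, variable = variable[8:eol].decode("ascii"), variable[eol + 2:]
    protocols = ["PROTOCOL_RDP"]                             # standard RDP security if no rdpNegReq
    if len(variable) >= 8 and variable[0] == 0x01:
        mask = struct.unpack("<BBHI", variable[:8])[3]
        protocols = [name for bit, name in RDP_PROTOCOLS.items() if mask & bit] or protocols
    return {"cookie": cookie, "requested_protocols": protocols}


if __name__ == "__main__":
    for pkt in (build_client_hello("ns1.example.domain.com"), build_client_hello(None),
                build_rdp_connection_request()):
        print(classify_first_bytes(pkt), extract_sni(pkt))
    print(parse_rdp_connection_request(build_rdp_connection_request()))
```

Whether a particular RDP client adds a server_name extension once its TLS handshake does begin is client-specific; extract_sni() returns None when it is absent, which is the same result a router gets. The practical consequence for a passthrough IngressRouteTCP in front of RDP is that the ClientHello is not the first thing on the socket, so a match that depends on SNI has nothing to inspect; the plaintext cookie and rdpNegReq are the only per-connection data present at that point.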