k3s is striping a webclient x.509 certificate before it reaches a microservice

[tlann]

I have been troubleshooting an issue where k3s seems to be stripping a web client's x.509 certificate headed to a Keycloak deployment. I assume this because Keycloak gets the error message "x509 client certificate is not available for mutual SSL". But when I open a nodeport to Keycloak, it works as expected.
So far, I have tried turning tls.options.passthrough to true in IngressRouteTCP for Keycloak hoping that was causing the issue. Is there any paths I should take to better investigate this? I'm rereading the documentation.

[brandond]

If you're using the Traefik Ingress to expose it, then it is expected that TLS will be offloaded to the ingress. You should either set up a dedicated TCP router in traefik, or expose the Service directly without going through the ingress.

[tlann]

@brandond Thanks for your quick answer.
I thought deploying an IngressRouteTCP would do that. What I attempted is below. Would the following be sufficient?

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: keycloak-passthrough
  namespace: dev
spec:
  entryPoints:
    - websecure
  routes:
  - match: HostSNI(`*`)
    services:
    - name: keycloak
      namespace: dev
      port: 8443
  tls:
    passthrough: true

[brandond]

This is really a traefik question, not a K3s question. You might check the Traefik community forums?
https://community.traefik.io/t/tls-passthrough-for-http-router/18474/2