 

Ingress and SSL Passthrough

Tags:

kubernetes

I have recently been using the nginxdemo/nginx-ingress controller.

As I understand it, this controller cannot do SSL passthrough (by that I mean pass the client certificate all the way through to the backend service for authentication), so instead I have been passing the client's subject DN through a header.

Ultimately I would prefer SSL-Passthrough and have been looking at the kubernetes/ingress-nginx project which apparently supports SSL passthrough.

Does anyone have any experience with this controller and SSL passthrough?

The few Ingress examples showing passthrough that I have found leave the path setting blank.

Is this because passthrough has to take place at the TCP level (4) rather than at HTTP (7)?

Right now, I have a single host rule that services multiple paths.

user2581751 asked Oct 28 '22 21:10


2 Answers

Adding to lch's answer, I would like to add that I had the same problem recently and I sorted it out by modifying the ingress-service deployment (I know, it should be a DaemonSet, but that's a different story).

The change was adding the parameter to spec.containers.args:

  --enable-ssl-passthrough                                        

Then I've added the following annotations to my ingress:

kubernetes.io/ingress.allow-http: "false"
nginx.ingress.kubernetes.io/secure-backends: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"

The important ones are secure-backends and ssl-passthrough, but I think the rest are a good idea, provided you're not expecting HTTP traffic there.

Javier PR answered Nov 02 '22 22:11


SSH-Passthrough is working fine for me. Here is the Official Documentation

And here is an example usage:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-service-ingress
  namespace: my-service
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/secure-backends: "true"
spec:
  rules:
    - host: my.example.com
      http:
        paths:
          - backend:
              serviceName: my-service
              servicePort: <service-port>  # placeholder: the port is not given in this answer

Ich answered Nov 02 '22 23:11