K8s Readiness Probes with HTTPS and Certificates

Question

I have a spring boot application hosted on k8s and enforced mTLS on the App itself. I am able to do the mTLS on the connectivity by doing a SSL termination on the Ingress level and then again forwarding the certificates to the springboot pod as well.

Problem is, Liveness and Readiness probes as currently not sure how to send the certificates in the readiness/liveness probes?

Any help would be appreciated.

Answer 1

From the official documentation configuring probes:

If scheme field is set to HTTPS, the kubelet sends an HTTPS request skipping the certificate verification.

This is what the manifest would look like:

apiVersion: v1
kind: Pod
metadata:
  labels:
    run: nginx
  name: alive-n-ready-https
spec:
  containers:
  - name: nginx
    image: viejo/nginx-mockit
    livenessProbe:
      httpGet:
        path: /
        port: 443
        scheme: HTTPS
    readinessProbe:
      httpGet:
        path: /
        port: 443
        scheme: HTTPS

And while without scheme, the probes would fail with 400 (bad request), as you are sending a http packet to an endpoint that expects https:

10.132.15.199 - - [27/May/2020:18:10:36 +0000] "GET / HTTP/1.1" 400 271 "-" "kube-probe/1.17"

With scheme: HTTPS, it would succeed:

10.132.15.199 - - [27/May/2020:18:26:28 +0000] "GET / HTTP/2.0" 200 370 "-" "kube-probe/1.17"