Reputation: 131
Kubernetes ingress: How to enable HTTPS to backend service
A typical ingress with TLS configuration is like below:
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: no-rules-map
spec:
tls:
- secretName: testsecret
backend:
serviceName: s1
servicePort: 80
By default, the load balancer will talk to backend service in HTTP. Can I configure Ingress so that the communication between load balancer and the backend service is also HTTPS?
Update:
Found GLBC talking about enabling HTTPS backend for GCE Ingress. Excerpt from the document:
"Backend HTTPS
For encrypted communication between the load balancer and your Kubernetes service, you need to decorate the service's port as expecting HTTPS. There's an alpha Service annotation for specifying the expected protocol per service port. Upon seeing the protocol as HTTPS, the ingress controller will assemble a GCP L7 load balancer with an HTTPS backend-service with a HTTPS health check."
It is not clear if the load balancer accepts 3rd party signed server certificate, self-signed, or both. How CA cert should be configured on load balancer to do backend server authentication. Or it will bypass authentication check.
Upvotes: 10
Views: 7847
Answers (3)
Reputation: 769
You should enable SSL-Passthrough config for the ingress or load balancer. I suggest you using nginx ingress and kube-lego for SSL.
with this combination, you can use the ssl-passthrough config.
kube-lego for generating SSL certificate on the fly
Guidance for enable ssl-passthrough config
Upvotes: 1
Reputation: 2786
On ingress-nginx you can use the nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" annotation and point it to the HTTPS port on the service.
This is ingress controller specific and other ingress controllers might not provide the option (or provide an option that works differently)
With this setup, the ingress controller decrypts the traffic. (This allows the ingress controller to control things like ciphers and the certificate presented to the user and do path-based routing, which SSL passthrough does not allow)
It is possible to configure certificate validation with serveral other (ingress-nginx-specific) annotations:
Docs
- nginx.ingress.kubernetes.io/proxy-ssl-verify (it defaults to "off")
- nginx.ingress.kubernetes.io/proxy-ssl-verify-depth
- nginx.ingress.kubernetes.io/proxy-ssl-ciphers (ciphers, not validation related)
- nginx.ingress.kubernetes.io/proxy-ssl-name (Override the name that the cert is checked against)
- nginx.ingress.kubernetes.io/proxy-ssl-protocols (SSL / TLS versions)
- nginx.ingress.kubernetes.io/proxy-ssl-server-name (SNI passthrough)
Upvotes: 6
Reputation: 131
Follow the instructions in "Backend HTTPS" section of GLBC, GCP HTTP(S) load balancer will build a HTTPS connection with the backend, traffic will be encrypted. There is no need to configure CA certificate on LB side (Actually you can't). This implies the load balancer will skip server certificate authentication.
Upvotes: 2
Related Questions
- how to configure ingress to direct traffic to an https backend using https
- How to force SSL for Kubernetes Ingress on GKE
- Kubernetes HTTPS Ingress in Google Container Engine
- GKE Ingress configuration for HTTPS-enabled Applications leads to failed_to_connect_to_backend
- How do I use HTTPS between a GKE Ingress and the Service it forwards to?
- SSL certificate for Kubernetes Ingress
- How to set HTTPS as default on GKE Ingress-gce
- Kubernetes enable service for HTTPS
- How to force https on ingress?
- How to disable http traffic and force https with kubernetes ingress on gcloud