Reputation: 9028
I am using Kubernetes with a service of type ClusterIP and placing an ingress in front of the service to expose it outside the Kubernetes cluster.
I am running the ingress with HTTPS; to make it HTTPS, I created the secret and am using it in the ingress.
kubectl create secret tls test-secret --key key --cert cert
We use NetScaler in our Kubernetes cluster and hence I am able to use X-Forwarded-For, session affinity, and load balancing algorithms along with the ingress.
Now I am trying to make the service type LoadBalancer so that I don't have to have an ingress. I know that service type LoadBalancer provides an L4 load balancer and hence there won't be a session affinity feature in the load balancer. Since that is okay for a few services, I am trying to use this.
I would like to make the service HTTPS and I came across:
Here, we create a TLS secret and use the reference in the deployment section and not in the service section. I am not sure how it works. Also, when I use https://servicename.namespace.svc.XXXXX.com in the browser, I get a cert error.
My application is running as https and it needs keystore and truststore in a property file like,
ssl.trustore=PATH_TO_THE_FILE
ssl.keystore=PATH_TO_THE_FILE
I am confused - how can I make the service type loadbalancer https?
Upvotes: 16
Views: 27446
Reputation: 189
If you are using a cloud provider, for example AWS, you can enable TLS termination in a LoadBalancer Service like this:
apiVersion: v1
kind: Service
metadata:
  name: api
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:...
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
spec:
  type: LoadBalancer
  selector:
    app: myApp
  ports:
    - protocol: TCP
      port: 443
      targetPort: 8080
Upvotes: 17
Reputation: 8786
You answered yourself, but you didn't realize it.
As you rightly said, a LoadBalancer type service creates an L4 load balancer. L4 load balancers are aware of source IP:port and destination IP:port, but they are not aware of anything on the application layer.
HTTP/HTTPS load balancers are on L7, therefore they are application aware.
So, basically you can't get an HTTPS load balancer from a LoadBalancer type service. You want it to be an ingress.
Upvotes: 17
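An added example, not part of the original posts: the arrangement the question describes, where the TLS secret is referenced by the Deployment and not by the Service. The L4 load balancer only forwards TCP 443 and the pod itself terminates TLS with the files from `test-secret`. The resource names, image, container port 8443 and mount path are assumptions.

```yaml
# Added example. Names, image, container port and mount path are assumptions;
# only the secret name (test-secret) comes from the question.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: myapp
spec:
  replicas: 2
  selector:
    matchLabels:
      app: myApp
  template:
    metadata:
      labels:
        app: myApp
    spec:
      containers:
        - name: myapp
          image: registry.example.com/myapp:1.0   # placeholder image
          ports:
            - containerPort: 8443                 # port the app serves HTTPS on (assumed)
          volumeMounts:
            - name: tls
              mountPath: /etc/tls                 # secret keys appear as /etc/tls/tls.crt and /etc/tls/tls.key
              readOnly: true
      volumes:
        - name: tls
          secret:
            secretName: test-secret               # created with "kubectl create secret tls" in the question
---
apiVersion: v1
kind: Service
metadata:
  name: myapp
spec:
  type: LoadBalancer          # L4: forwards TCP only, never sees the certificate
  selector:
    app: myApp
  ports:
    - name: https
      protocol: TCP
      port: 443               # port exposed by the load balancer
      targetPort: 8443        # HTTPS port inside the pod
```

A `kubernetes.io/tls` secret exposes PEM files named `tls.crt` and `tls.key`, so an application that expects keystore and truststore files needs them stored in a secret in that format and mounted the same way. The browser only accepts the connection when the certificate served by the pod lists the hostname the client actually uses.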