lion_bash

Reputation: 1409

Kubernetes routing HTTPS traffic to external HTTP services

I want to allow traffic to look like the following:

external client https request (e.g. https://my-app-out-side-cluster.com) -> inside the cluster (terminate tls) and change to http (e.g. http://my-app-out-side-cluster.com) -> service outside the cluster

I have followed this post to configure my Ingress and External traffic, however, since my service outside the cluster is http, I get an SSL error when making a request with https. Changing the request to http works, however, this is not desired.

My question is, is there a way to

  1. Terminate SSL in the Ingress (using the ingress controller)
  2. Redirect traffic to the service outside the cluster listening on http?

---
kind: Service
apiVersion: v1
metadata:
  name: my-external-service
spec:
  type: ExternalName
  externalName: my-app-out-side-cluster.com
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: kong
spec:
  controller: ingress-controllers.konghq.com/kong
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: my-ingress
  namespace: kong
  annotations:
    konghq.com/protocols: "https"
spec:
  ingressClassName: kong
  tls:
  - secretName: my-secret
    hosts:
    - my-app-out-side-cluster.com
  rules:
  - host: my-app-out-side-cluster.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-external-service
            port:
              number: 80

Upvotes: 2

Views: 1938

Answers (2)

Jesper Grann Laursen

Reputation: 2367

It works on my Kong setup by adding an annotation on the service that has the external name: konghq.com/protocol: "https"

Like this

kind: Service
apiVersion: v1
metadata:
  name: proxy-to-httpbin
  annotations:
    konghq.com/protocol: "https"
spec:
  ports:
  - protocol: TCP
    port: 443
  type: ExternalName
  externalName: httpbin.org

Upvotes: 0

Harsh Manvar

Reputation: 30180

I am not sure how your setup and K8s cluster are configured.

Is it a private cluster or a public cluster, and how is the request getting outside of the Pod running any Node or Java service that is calling the HTTP service?

external client https request (e.g. https://my-app-out-side-cluster.com) -> inside the cluster

For this you are on the right path. You have to set up the ingress controller, which will handle the incoming request and do the TLS termination.

Your TLS/SSL cert will be stored inside a Kubernetes secret and will get attached to the ingress.

The ingress will allow the HTTPS traffic and will do the TLS termination, so in the background it will forward plain HTTP traffic.

Reference article : https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes

If you are on AWS : https://aws.amazon.com/premiumsupport/knowledge-center/terminate-https-traffic-eks-acm/

change to http (e.g. http://my-app-out-side-cluster.com) -> service outside the cluster

I think this endpoint might be getting called by a service running inside the pod, so in that case you can simply change it to HTTP and it will work.

In your K8s cluster, how your traffic routes depends on the CNI plugin; ideally, the Pod gets scheduled on a Node and it will send the request directly from there.

Your request doesn't go outside through the Nginx ingress controller unless it's the response.

Upvotes: 2
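
As an added example (not code from the question or either answer), the check below walks the question's manifests, written out as constructed Python dicts, and reports two things a reviewer would look at on the terminate-then-forward path: whether the Ingress can resolve its backend Service in its own namespace, and whether a TLS-terminating Ingress forwards over plain HTTP to an ExternalName host. It assumes a manifest without metadata.namespace is applied to default and that a Service without the konghq.com/protocol annotation is proxied over http; the function and finding names are made up for this sketch.

```python
# Constructed sample: the question's Service and Ingress as parsed manifests
# (the dicts a YAML loader would return); not taken from a live cluster.
MANIFESTS = [
    {"kind": "Service", "metadata": {"name": "my-external-service"},
     "spec": {"type": "ExternalName",
              "externalName": "my-app-out-side-cluster.com"}},
    {"kind": "Ingress",
     "metadata": {"name": "my-ingress", "namespace": "kong",
                  "annotations": {"konghq.com/protocols": "https"}},
     "spec": {"tls": [{"secretName": "my-secret",
                       "hosts": ["my-app-out-side-cluster.com"]}],
              "rules": [{"host": "my-app-out-side-cluster.com", "http": {"paths": [
                  {"path": "/", "pathType": "Prefix", "backend": {"service": {
                      "name": "my-external-service", "port": {"number": 80}}}}]}}]}},
]


def namespace_of(obj):
    # Assumption: a manifest without metadata.namespace is applied to "default".
    return obj["metadata"].get("namespace", "default")


def audit(manifests):
    """Return (ingress, backend, finding) tuples for each Ingress backend."""
    services = {(namespace_of(m), m["metadata"]["name"]): m
                for m in manifests if m["kind"] == "Service"}
    findings = []
    for ing in (m for m in manifests if m["kind"] == "Ingress"):
        terminates_tls = bool(ing["spec"].get("tls"))
        for rule in ing["spec"].get("rules", []):
            for path in rule.get("http", {}).get("paths", []):
                name = path["backend"]["service"]["name"]
                svc = services.get((namespace_of(ing), name))
                if svc is None:
                    # Ingress backends resolve only inside the Ingress namespace.
                    findings.append((ing["metadata"]["name"], name,
                                     "backend-not-in-ingress-namespace"))
                    continue
                annotations = svc["metadata"].get("annotations", {})
                # Assumption: with no annotation the upstream hop is plain http.
                upstream = annotations.get("konghq.com/protocol", "http")
                if (terminates_tls and upstream == "http"
                        and svc["spec"].get("type") == "ExternalName"):
                    findings.append((ing["metadata"]["name"], name,
                                     "cleartext-hop-leaves-cluster"))
    return findings


if __name__ == "__main__":
    for finding in audit(MANIFESTS):
        print(*finding)
```

The second finding is what the question's target design produces by definition: TLS protects the client-to-Ingress leg only, so whether the plain-HTTP leg to the external host is acceptable depends on the network it crosses.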
