Kubernetes ingress: How to enable HTTPS to backend service

8
votes

A typical ingress with TLS configuration is like below:

apiVersion: extensions/v1beta1 kind: Ingress metadata: name: no-rules-map spec: tls: - secretName: testsecret backend: serviceName: s1 servicePort: 80

By default, the load balancer will talk to backend service in HTTP. Can I configure Ingress so that the communication between load balancer and the backend service is also HTTPS?

Update:

Found GLBC talking about enabling HTTPS backend for GCE Ingress. Excerpt from the document:

"Backend HTTPS

For encrypted communication between the load balancer and your Kubernetes service, you need to decorate the service's port as expecting HTTPS. There's an alpha Service annotation for specifying the expected protocol per service port. Upon seeing the protocol as HTTPS, the ingress controller will assemble a GCP L7 load balancer with an HTTPS backend-service with a HTTPS health check."

It is not clear if the load balancer accepts 3rd party signed server certificate, self-signed, or both. How CA cert should be configured on load balancer to do backend server authentication. Or it will bypass authentication check.

3
kubernetesgoogle-kubernetes-engine

3 Answers

2
votes

Follow the instructions in "Backend HTTPS" section of GLBC, GCP HTTP(S) load balancer will build a HTTPS connection with the backend, traffic will be encrypted. There is no need to configure CA certificate on LB side (Actually you can't). This implies the load balancer will skip server certificate authentication.

2
votes

On ingress-nginx you can use the nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" annotation and point it to the HTTPS port on the service.

This is ingress controller specific and other ingress controllers might not provide the option (or provide an option that works differently)

With this setup, the ingress controller decrypts the traffic. (This allows the ingress controller to control things like ciphers and the certificate presented to the user and do path-based routing, which SSL passthrough does not allow)

It is possible to configure certificate validation with serveral other (ingress-nginx-specific) annotations: Docs

  • nginx.ingress.kubernetes.io/proxy-ssl-verify (it defaults to "off")
  • nginx.ingress.kubernetes.io/proxy-ssl-verify-depth
  • nginx.ingress.kubernetes.io/proxy-ssl-ciphers (ciphers, not validation related)
  • nginx.ingress.kubernetes.io/proxy-ssl-name (Override the name that the cert is checked against)
  • nginx.ingress.kubernetes.io/proxy-ssl-protocols (SSL / TLS versions)
  • nginx.ingress.kubernetes.io/proxy-ssl-server-name (SNI passthrough)
1
votes

You should enable SSL-Passthrough config for the ingress or load balancer. I suggest you using nginx ingress and kube-lego for SSL.

with this combination, you can use the ssl-passthrough config.

Nginx ingress for k8s

kube-lego for generating SSL certificate on the fly

Guidance for enable ssl-passthrough config