How to enable nginx ingress for end-to-end tls connection

1
votes

How can I enable nginx ingress to support end-to-end TLS connection without passthrough. The Ingress LoadBalancer is allowed with PublicCA and backend servers are also running on TLS port with PrivateCA

The following ingress definition will do the TLS offloading with the Public certificate installed on the Edge. 

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: wbqgdimtzx
  namespace: default
spec:
  rules:
  - host: 0cloud0.com
    http:
      paths:
      - backend:
          serviceName: wbqgdimtzx
          servicePort: 443
        path: /
  tls:
  - hosts:
    - 0cloud0.com
  secretName: 0cloud0-wildcard-certs
status:
  loadBalancer:
    ingress:
    - {}

The backend pods are running on secure port where plain text connection is not allowed for security reasons.

What upstream changes do I need to do in the nginx ingress to support the end-to-end setting?

Based on Amit Response added

nginx.ingress.kubernetes.io/backend-protocol: HTTPS

It worked https://cunkexvoxu.0cloud0.com/

1
nginxkubernetesnginx-ingress
have you tried: kubernetes.github.io/ingress-nginx/user-guide/…Amit Kumar Gupta
@AmitKumarGupta After adding backed protocol its throwing Bad Gatewayanish
@AmitKumarGupta The Bad Gateway is Resolved Thanks for your Suggestionanish
@AmitKumarGupta could you add your solution as an answer? It will make your solution more visible if anyone will be searching for similar issues.PjoterS

1 Answers

0
votes

Based on @Amit Kumar Gupta comment, I am posting this as community wiki for better visibility.

As OP in his YAML specified backend with servicePort: 443 and tls, however it was not enought to ensure secure end2end connection. NGINX as default is using HTTP. If you want to reach your service only as HTTPS you have to add annotation to Ingress YAML.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: wbqgdimtzx
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
...