
I want to allow traffic to look like the following:

external client https request (e.g. https://my-app-out-side-cluster.com) -> inside the cluster (terminate tls) and change to http (e.g. http://my-app-out-side-cluster.com) -> service outside the cluster

I have followed this post to configure my Ingress and external traffic; however, since my service outside the cluster is http, I get an SSL error when making a request with https. Changing the request to http works; however, this is not desired.

My question is, is there a way to

  1. Terminate SSL in the Ingress (using the ingress controller)
  2. Redirect traffic to the service outside the cluster listening on http?

---
kind: Service
apiVersion: v1
metadata:
  name: my-external-service
spec:
  type: ExternalName
  externalName: my-app-out-side-cluster.com
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: kong
spec:
  controller: ingress-controllers.konghq.com/kong
---
kind: Ingress
apiVersion: networking.k8s.io/v1
metadata:
  name: my-ingress
  namespace: kong
  annotations:
    konghq.com/protocols: "https"
spec:
  ingressClassName: kong
  tls:
  - secretName: my-secret
    hosts:
    - my-app-out-side-cluster.com
  rules:
  - host: my-app-out-side-cluster.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-external-service
            port:
              number: 80
lion_bash

1 Answer


I am not sure how your setup and K8s cluster are configured:

is it a private cluster or a public cluster, and how is the request getting outside of the POD running any service (Node or Java) that is calling the HTTP service?

external client https request (e.g. https://my-app-out-side-cluster.com) -> inside the cluster

For this you are on the right path. You have to set up the ingress controller, which will handle the incoming request and do the TLS termination.

Your TLS/SSL cert will be stored inside a Kubernetes secret and will get attached to the ingress.

The Ingress will allow the HTTPS traffic and will do the TLS termination, so in the background it will forward plain http traffic.

Reference article: https://www.digitalocean.com/community/tutorials/how-to-set-up-an-nginx-ingress-with-cert-manager-on-digitalocean-kubernetes

If you are on AWS: https://aws.amazon.com/premiumsupport/knowledge-center/terminate-https-traffic-eks-acm/

change to http (e.g. http://my-app-out-side-cluster.com) -> service outside the cluster

I think this endpoint might be getting called from a service running inside the pod, so in that case you can simply change it to HTTP and it will work.

In your K8s cluster, your traffic route depends on the CNI plugin; ideally, the POD gets scheduled on a Node and it will send the request directly from there.

Your request doesn't go outside through the Nginx ingress controller unless it's the response.

Harsh Manvar
  • I am using kong as my ingress controller (it runs nginx under the hood). It is a private cluster running on bare metal. You mentioned that the Ingress will do the TLS termination, but how does it forward it as http traffic? This is where I'm getting an error; I believe my traffic is being forwarded as https since the request is https, hence causing the SSL error, as the service outside the cluster is expecting http. I pasted my ingress and service config in my post. Is there a way to check if traffic is going into the ingress and being terminated? – lion_bash Mar 22 '22 at 16:37
  • Yes, you can try running an http server backend service to check what is coming from the kong ingress controller to the service, http or https. https://hub.docker.com/r/hashicorp/http-echo/ – Harsh Manvar Mar 24 '22 at 08:03
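To see what the Kong ingress actually forwards, as the http-echo suggestion above and the asker's follow-up question call for, here is an added Python diagnostic backend (not code from the question, the answer, or Kong): it classifies each inbound connection as plain HTTP, reporting the X-Forwarded-Proto header that Kong sets to the client's scheme, or as a TLS ClientHello, which is what a plain-http backend sees when the proxy tries to speak https to it. Port 8080 and the header names are assumptions for the example.

```python
import socket

TLS_HANDSHAKE = 0x16  # first byte of a TLS record carrying a ClientHello


def classify_request(data: bytes) -> dict:
    """Classify the first bytes read from a plaintext backend connection."""
    if len(data) >= 3 and data[0] == TLS_HANDSHAKE and data[1] == 0x03:
        # Peer is starting a TLS handshake: TLS was not terminated before this hop.
        return {"kind": "tls-client-hello", "tls_version_byte": data[2]}
    try:
        head = data.partition(b"\r\n\r\n")[0].decode("ascii")
        lines = head.split("\r\n")
        method, path, version = lines[0].split(" ", 2)
    except (UnicodeDecodeError, ValueError):
        return {"kind": "unknown", "prefix": data[:8].hex()}
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {
        "kind": "http",
        "method": method,
        "path": path,
        "host": headers.get("host"),
        # kind == "http" with forwarded_proto == "https" means the ingress
        # terminated TLS and forwarded plain HTTP, which is the desired result.
        "forwarded_proto": headers.get("x-forwarded-proto"),
    }


def serve(port: int = 8080, max_conns=None) -> None:
    """Accept plaintext TCP connections, classify each and echo the verdict."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen()
        seen = 0
        while max_conns is None or seen < max_conns:
            conn, peer = srv.accept()
            with conn:
                info = classify_request(conn.recv(4096))
                print(peer, info)  # what the ingress actually sent us
                body = repr(info).encode()
                conn.sendall(b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                             b"Content-Length: %d\r\n\r\n%s" % (len(body), body))
            seen += 1

if __name__ == "__main__":
    serve()
```

Run it as the ExternalName target (or as a temporary in-cluster backend) and send an https request through the ingress: a logged "tls-client-hello" means the proxy is attempting TLS to the backend, while "http" with forwarded_proto "https" means termination happened at the ingress.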