As pointed out in the comments:
Hello, have you considered using a Service of type LoadBalancer to send the traffic to your Pods without any facilities to “consume” your certificate? Also, if you are using nginx-ingress you could look at SSL passthrough: kubernetes.github.io/ingress-nginx/user-guide/tls/…
Having a connection between a Client and a Pod in Kubernetes without “consuming” the certificate can be done by either:
- Service of type LoadBalancer
- Ingress controller with SSL Passthrough

Service of type LoadBalancer

LoadBalancer: Exposes the Service externally using a cloud provider’s load balancer. NodePort and ClusterIP Services, to which the external load balancer routes, are automatically created.
You can configure a Service that exposes your traffic externally on Layer 4 (TCP/UDP), so the TLS session is passed through untouched to your desired workload (Deployment/StatefulSet), which serves its own certificate:

apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 443
      targetPort: 443
  type: LoadBalancer
Ingress controller with SSL Passthrough

You can also use an Ingress controller capable of SSL Passthrough. One of the controllers with this feature is ingress-nginx:
SSL Passthrough leverages SNI and reads the virtual domain from the TLS negotiation, which requires compatible clients. After a connection has been accepted by the TLS listener, it is handled by the controller itself and piped back and forth between the backend and the client.
This feature is implemented by intercepting all traffic on the configured HTTPS port (default: 443) and handing it over to a local TCP proxy. This bypasses NGINX completely and introduces a non-negligible performance penalty.
— Kubernetes.github.io: Ingress nginx: User guide: TLS: SSL passthrough
The --enable-ssl-passthrough flag enables the SSL Passthrough feature, which is disabled by default.

As more of a workaround, you can also look at exposing TCP and UDP services (there is an example in the link):
Exposing TCP and UDP services
Ingress does not support TCP or UDP services. For this reason this Ingress controller uses the flags
--udp-services-configmap to point to an existing config map where the key is the external port to use and the value indicates the service to expose using the format:
<namespace/service name>:<service port>:[PROXY]:[PROXY]
— Kubernetes.github.io: Ingress nginx: User guide: Exposing tcp and udp services
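Putting the two ingress-nginx options together, as an added example that is not part of the original answer or of the ingress-nginx documentation: an Ingress carrying the ssl-passthrough annotation, so the Pod behind nginx-service presents its own certificate, and a tcp-services ConfigMap entry written in the format quoted above. The hostname app.example.com, the ingress class name nginx, the ingress-nginx namespace, the ConfigMap name tcp-services and the external port 8443 are assumptions; the controller is assumed to run with --enable-ssl-passthrough and --tcp-services-configmap=ingress-nginx/tcp-services.

```yaml
# Option 1: SSL passthrough. The controller must be started with
# --enable-ssl-passthrough. The rule needs a host because routing is done on
# the SNI name; the controller never decrypts the session, so no tls: section
# is used here and no HTTP-level features (paths, WAF, headers) apply.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-passthrough
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx          # assumed class name
  rules:
    - host: app.example.com        # assumed hostname; clients must send SNI
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-service  # the Service from the answer above
                port:
                  number: 443
---
# Option 2: raw TCP exposure through the tcp-services ConfigMap (assumed name
# and namespace, matching --tcp-services-configmap=ingress-nginx/tcp-services).
# Key   = external port opened on the controller
# Value = <namespace/service name>:<service port>, as in the quoted format
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  "8443": "default/nginx-service:443"
```

For option 2 the controller's own Service must also expose port 8443, and in both cases the controller only forwards bytes, so the Pod itself performs the TLS handshake and must hold the certificate and key.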