Kubernetes ingress and client auth application

As pointed out in the comments:

Hello, have you considered using a Service of type LoadBalancer to send the traffic to your Pods without any facilities to “consume” your certificate? Also, if you are using nginx-ingress, you could look at SSL passthrough: kubernetes.github.io/ingress-nginx/user-guide/tls/…

Having a connection between a Client and a Pod in Kubernetes without “consuming” the certificate can be done by either:

  • Service of type LoadBalancer
  • Ingress controller with an SSL Passthrough

Service of type LoadBalancer

LoadBalancer: Exposes the Service externally using a cloud provider’s load balancer. NodePort and ClusterIP Services, to which the external load balancer routes, are automatically created.

Kubernetes.io: Service: LoadBalancer

You can configure a Service that exposes your traffic externally at Layer 4 (TCP/UDP). Because nothing terminates TLS on the way, the handshake, including any client certificate, is completed by your workload (Deployment/StatefulSet) itself.

Example:

apiVersion: v1
kind: Service
metadata:
  name: nginx-service
spec:
  selector:
    app: nginx
  ports:
    - protocol: TCP
      port: 443
      targetPort: 443
  type: LoadBalancer

Ingress controller with an SSL Passthrough

You can also use an Ingress controller capable of SSL Passthrough. One of the controllers with this feature is ingress-nginx:

SSL Passthrough leverages SNI and reads the virtual domain from the TLS negotiation, which requires compatible clients. After a connection has been accepted by the TLS listener, it is handled by the controller itself and piped back and forth between the backend and the client.

This feature is implemented by intercepting all traffic on the configured HTTPS port (default: 443) and handing it over to a local TCP proxy. This bypasses NGINX completely and introduces a non-negligible performance penalty.

Kubernetes.github.io: Ingress nginx: User guide: TLS: SSL passthrough

Remember!

The --enable-ssl-passthrough flag enables the SSL Passthrough feature, which is disabled by default.
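The following Ingress is an added example, not part of the original answer or the ingress-nginx documentation. It assumes the controller was started with the `--enable-ssl-passthrough` flag mentioned above, that the Pods behind the `nginx-service` Service from the earlier example terminate TLS on port 443 and verify client certificates themselves, and that `app.example.com` and the `nginx` ingress class are placeholders for your own values:

```yaml
# Added example: hand the raw TLS stream to the backend Pod so that the Pod,
# not the ingress controller, sees and verifies the client certificate.
# Assumes ingress-nginx runs with --enable-ssl-passthrough (off by default).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-passthrough
  annotations:
    # Per-Ingress switch; the controller-wide flag must also be set.
    # Passthrough works at layer 4, so other NGINX annotations on this
    # Ingress (rewrites, auth, rate limits, WAF) have no effect.
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx          # placeholder: your controller's IngressClass
  rules:
    - host: app.example.com        # placeholder: must equal the SNI the client sends
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-service   # the LoadBalancer-style Service shown earlier
                port:
                  number: 443         # the Pods' own TLS listener
```

To check that the bypass is really in place, connect with a TLS client that sends SNI for the host (for example `openssl s_client -connect <controller-address>:443 -servername app.example.com`) and confirm that the certificate chain presented is the one configured in the Pod, not the controller's default certificate. Keep in mind the trade-off the documentation states: the controller only pipes bytes, so HTTP-level logging, rate limiting and header-based policies for this host have to live in the application.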


As more of a workaround, you can also look at the following (there is an example in the link):

Exposing TCP and UDP services

Ingress does not support TCP or UDP services. For this reason this Ingress controller uses the flags --tcp-services-configmap and --udp-services-configmap to point to an existing config map where the key is the external port to use and the value indicates the service to expose using the format: <namespace/service name>:<service port>:[PROXY]:[PROXY]

Kubernetes.github.io: Ingress nginx: User guide: Exposing tcp and udp services
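As an added example that is not part of the original answer, the ConfigMap below maps external port 8443 on the controller to the `nginx-service` Service from earlier, using the `<namespace/service name>:<service port>` format quoted above; the TLS session is again terminated only by the Pod. The `ingress-nginx` namespace, the `tcp-services` name and the controller selector labels are assumptions matching the common ingress-nginx deployment layout, and the controller must have been started with `--tcp-services-configmap=ingress-nginx/tcp-services`:

```yaml
# Added example: expose nginx-service on TCP port 8443 of the ingress-nginx
# controller with no TLS handling by the controller.
# Assumes the controller flag --tcp-services-configmap=ingress-nginx/tcp-services
# (namespace and name are assumptions that match this ConfigMap).
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  # key   = external port on the controller
  # value = <namespace>/<service>:<port>; the optional ":PROXY:PROXY" suffixes
  #         enable PROXY protocol toward the client/backend and are left off here
  "8443": "default/nginx-service:443"
---
# The controller's own Service must publish the same port, otherwise the
# traffic never reaches the TCP proxy. Selector labels are assumed from the
# standard ingress-nginx manifests; adjust them to your deployment.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx-controller
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/component: controller
  ports:
    - name: https
      port: 443
      targetPort: 443
    - name: proxied-tcp-8443
      port: 8443
      targetPort: 8443
```

Because this path is plain TCP forwarding, the controller performs no SNI routing: every connection on port 8443 goes to the one Service named in the ConfigMap, so one external port is needed per exposed backend, and network policies or firewall rules should restrict that port the same way you would restrict a directly exposed LoadBalancer Service.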
