smallstep / helm-charts

Helm packages for Kubernetes
Apache License 2.0

Clarity on Ingress Values #77

Closed shairozan closed 2 years ago

shairozan commented 2 years ago

In the docs, it indicates that the ingress.hosts component of values is an array of "Step CA ingress hostNAMES (YAML)". This would lead someone to believe it's just hostnames.

If you just attempt to use hostnames, it'll report during helm install that it can't serialize since it's not an object. So I went down the road of providing an object.

hosts:
    - host: ca.mydomain.com
      http:
        paths:
          path: /

If I try the above or even the full configuration, I always get back error validating data: ValidationError(Ingress.spec.rules[0].http): missing required field "paths" in io.k8s.api.networking.v1beta1.HTTPIngressRuleValue

Is there something simple I'm missing? It might be helpful to provide a sample for ingress configuration. I already have an ingress controller bound to my AWS certificates etc. I've set in the annotations, but I can't get it to deploy.

maraino commented 2 years ago

Hi @shairozan, using an ingress is not a common configuration; a better option is to use a LoadBalancer service or a NodePort. But in case you want to use an ingress, you will need to take into account that the service and the pod are expecting TLS.

For example, using the Nginx ingress controller, the configuration requires nginx.ingress.kubernetes.io/backend-protocol: "HTTPS". And the ingress object looks like this:

ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  hosts:
  - host: ca.mydomain.com
    paths:
    - path: /
  tls:
  - hosts:
    - ca.mydomain.com
    secretName: ingress-tls

Probably a better option would be to pass through HTTPS with nginx.ingress.kubernetes.io/ssl-passthrough: "true", but this is disabled by default, see https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#ssl-passthrough

shairozan commented 2 years ago

Sadly not usable for me as everywhere I've used it handles automatic DNS registration with ingress class as well as SSL termination by hostname + class. Ingress wouldn't work for me here then since the goal would be to let the K8s annotations on the ingress drive certificate acquisition / assignment. Thanks for the clarification though!

maraino commented 2 years ago

If you can use HTTPS as the backend protocol, and you get a certificate from the CA to your ingress using cert-manager + step-issuer, you should be able to use the ingress.

Another option is to use an ingress in Layer 4 mode, so it proxies the TCP level.

With a Layer 7 ingress, if it gets an SSL certificate from a different CA, say Let's Encrypt, it won't work at the moment.

zolech commented 2 years ago


It would be helpful if your helm chart supported options for the LoadBalancer service type. I can see a PR for that but with no response: #32


It is possible to do that with the Traefik ingress controller. You can set their CRD IngressRouteTCP with TLS passthrough.
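A Layer 4 passthrough route of the kind zolech describes, written here as an added example that is not from the chart or from anyone in the thread: a Traefik IngressRouteTCP matches on the TLS SNI and forwards the raw TLS stream to the step-ca service, so clients see the CA's own certificate rather than one issued by the ingress controller, which is what maraino's "service and the pod are expecting TLS" point requires. The service name step-certificates, the port 443, the entry point websecure and the hostname are assumptions and must match your release.

```yaml
# Added example (not part of the smallstep helm chart): Traefik IngressRouteTCP
# that passes TLS through untouched to step-ca instead of terminating it.
apiVersion: traefik.containo.us/v1alpha1   # use traefik.io/v1alpha1 on newer Traefik releases
kind: IngressRouteTCP
metadata:
  name: step-ca-passthrough
  namespace: step-ca                        # assumption: namespace of the chart release
spec:
  entryPoints:
    - websecure                             # assumption: Traefik's TLS entry point name
  routes:
    # HostSNI is the only routing key available before the TLS handshake is
    # completed, so it must match the name clients use for the CA.
    - match: HostSNI(`ca.mydomain.com`)
      services:
        - name: step-certificates           # assumption: Service created by the chart
          port: 443                         # assumption: TLS port exposed by that Service
  tls:
    # passthrough: true means Traefik never presents its own certificate here;
    # the CA's certificate chain (the one step clients pin) reaches the client.
    passthrough: true
```

Because nothing is terminated at the ingress, controller-level TLS annotations (for example a cert-manager issuer) have no effect on this route; certificate rotation for the CA endpoint stays with step-ca itself.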