Closed shairozan closed 2 years ago
Hi @shairozan, using an ingress is not a common configuration, a better option is to use a LoadBalancer service or a NodePort. But in case you want to use an ingress you will need to take into account that the service and the pod are expecting TLS.
For example, using the Nginx ingress controller, the configuration requires `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"`. And the ingress object looks like this:
```yaml
ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  hosts:
    - host: ca.mydomain.com
      paths:
        - path: /
  tls:
    - hosts:
        - ca.mydomain.com
      secretName: ingress-tls
```
Probably a better option would be to pass HTTPS through with `nginx.ingress.kubernetes.io/ssl-passthrough: "true"`, but this is disabled by default, see https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#ssl-passthrough
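A complete Ingress manifest for the passthrough variant, added here as an example; it is not taken from the thread above or from the step-certificates chart. It assumes the chart's Service is named `step-certificates`, listens on port 443 in namespace `step`, and that the ingress-nginx controller was started with `--enable-ssl-passthrough` (the flag the linked docs refer to).

```yaml
# Added example: ingress-nginx Ingress that passes TLS straight through to step-ca.
# Assumptions (not from the thread): the Service is called "step-certificates" and
# serves HTTPS on port 443 in namespace "step"; the ingress-nginx controller runs
# with --enable-ssl-passthrough. Without that flag the passthrough annotation is
# ignored and nginx terminates TLS with a certificate of its own.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: step-certificates
  namespace: step
  annotations:
    # Route on the SNI of the ClientHello and hand the raw TLS stream to the
    # backend; step-ca keeps presenting its own leaf, so clients that trust the
    # step root still get a chain that verifies.
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    # Kept as a fallback for controllers where passthrough is disabled: nginx then
    # re-encrypts to the pod instead of sending plaintext HTTP to a TLS-only listener.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  rules:
    - host: ca.mydomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: step-certificates
                port:
                  number: 443
  # No spec.tls block on purpose: nothing is terminated at the ingress, so an
  # ingress-level secret (for example one issued by cert-manager) would never be used.
```

To confirm which certificate actually reaches a client, run `openssl s_client -connect ca.mydomain.com:443 -servername ca.mydomain.com </dev/null | openssl x509 -noout -subject -issuer` from outside the cluster: the issuer should be the step intermediate CA, not the controller's default certificate or a public CA. Because passthrough works on SNI alone, path rules and the other Layer 7 annotations no longer apply to this object, which is why it does not combine with ingress-driven certificate acquisition on the same host.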
Sadly not usable for me as everywhere I've used it handles automatic DNS registration with ingress class as well as SSL termination by hostname + class. Ingress wouldn't work for me here then since the goal would be to let the K8s annotations on the ingress drive certificate acquisition / assignment. Thanks for the clarification though!
If you can use HTTPS as the backend protocol, and you get a certificate from the CA to your ingress using cert-manager + step-issuer, you should be able to use the ingress.
Another option is to use an ingress in Layer 4 mode, so it proxies at the TCP level.
With a Layer 7 ingress, if it gets an SSL certificate from a different CA, let's say Let's Encrypt, it won't work at the moment.
It would be helpful if your helm chart supported options for the LoadBalancer service type. I can see a PR for that but with no response #32
It is possible to do that with the Traefik ingress controller. You can use its CRD IngressRouteTCP with TLS passthrough.
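The Traefik object the comment above refers to, written out as an added example rather than something posted in the thread. It assumes the step-certificates Service is `step-certificates` on port 443 in namespace `step`, and that the Traefik entrypoint bound to :443 is named `websecure` (the Traefik helm chart default); the `traefik.containo.us/v1alpha1` API group is the one used by Traefik v2 releases from the time of this thread, newer releases also accept `traefik.io/v1alpha1`.

```yaml
# Added example: Traefik IngressRouteTCP with TLS passthrough in front of step-ca.
# Assumptions (not from the thread): Service "step-certificates" on port 443 in
# namespace "step"; entrypoint "websecure" exists and listens on :443.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
metadata:
  name: step-certificates
  namespace: step
spec:
  entryPoints:
    - websecure
  routes:
    # The routing decision is taken on the SNI in the ClientHello only; Traefik
    # never decrypts the stream, so step-ca's own certificate reaches the client.
    - match: HostSNI(`ca.mydomain.com`)
      services:
        - name: step-certificates
          port: 443
  tls:
    # passthrough: true forwards the TLS bytes unchanged. Leaving it out makes
    # Traefik terminate TLS itself, which puts you back in the Layer 7 case where
    # a certificate from another CA is presented to clients.
    passthrough: true
```

Unlike the ingress-nginx annotation, this needs no controller-level feature flag, only the TCP entrypoint; the same `openssl s_client` check of the presented issuer applies.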
In the docs, it indicates that the `ingress.hosts` component of values is an array of "Step CA ingress hostNAMES (YAML)". This would lead someone to believe it's just hostnames. If you just attempt to use hostnames, it'll report during helm install that it can't serialize since it's not an object. So I went down the road of providing an object.
If I try the above or even the full configuration, I always get back
```
error validating data: ValidationError(Ingress.spec.rules[0].http): missing required field "paths" in io.k8s.api.networking.v1beta1.HTTPIngressRuleValue
```
Is there something simple I'm missing? It might be helpful to provide a sample for ingress configuration. I already have an ingress controller bound to my AWS certificates etc. I've set in the annotations, but I can't get it to deploy.