k8s reverse proxy secure upstream with self signed cert nginx
k8s ingress controller doesn't pass certificate to upstream https service.

With nginx I could achieve this with something like this:

location /upstream {
    proxy_pass                https://backend.example.com;
    proxy_ssl_certificate     /etc/nginx/client.pem;
    proxy_ssl_certificate_key /etc/nginx/client.key;
}

Am I missing something here? My current config looks something like this. I don't want to pass the SSL coming from the client; it will terminate here.

  apiVersion: networking.k8s.io/v1beta1
  kind: Ingress
  metadata:
    name: backend
    namespace: default
    annotations:
      kubernetes.io/ingress.class: nginx
      nginx.ingress.kubernetes.io/rewrite-target: "/$1"
      nginx.ingress.kubernetes.io/backend-protocol: HTTPS
      nginx.ingress.kubernetes.io/secure-backends: "true"
      nginx.ingress.kubernetes.io/proxy-ssl-secret: "proxy-ca-secret"
      nginx.ingress.kubernetes.io/proxy-ssl-name: "backend.example.com"
  spec:
    rules:
    - http:
        paths:
        - path: /(api/auth/.*)
          backend:
            serviceName: auth
            servicePort: 8080

The log shows:

 SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking to upstream

I verified the base64 cert with openssl; the cert looks fine. Thanks in advance!

Queri answered 5/6, 2020 at 10:14 Comment(0)
The issue in my case was indeed the cert, as the log says. The documentation was not clear! I had to create a generic secret for the certs with the CA because my certificate is self-signed.

kubectl create secret generic proxy-ca-secret --from-file=tls.crt=client.crt --from-file=tls.key=client.key --from-file=ca.crt=ca.crt

The mistake I made was having the certificate & chain in cert.pem and importing it as tls:

kubectl create secret tls proxy-ca-secret --key "client.key" --cert "client.pem"
Queri answered 6/6, 2020 at 9:57 Comment(0)
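The failure above came from a PEM file that held the client certificate and its CA chain together, loaded as a `tls` secret with no `ca.crt`. The following POSIX shell helper, added here as an example and not part of the original answer, splits such a bundle into the separate `tls.crt` and `ca.crt` files the generic secret needs and prints the matching `kubectl` command; it assumes the leaf certificate is the first block in the bundle, and the `openssl` checks run only if `openssl` is installed.

```shell
# Added example: split a "client cert + CA chain" PEM bundle into the files the
# generic proxy-ca-secret expects. Assumes the leaf certificate comes first.

# Print how many "BEGIN CERTIFICATE" blocks a PEM file contains.
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# split_bundle BUNDLE LEAF_OUT CA_OUT
# First block -> LEAF_OUT, every following block (the chain) -> CA_OUT.
# Returns 1 when there are fewer than two blocks, i.e. nothing to split off.
split_bundle() {
    bundle=$1; leaf=$2; ca=$3
    [ "$(count_certs "$bundle")" -ge 2 ] || return 1
    awk -v leaf="$leaf" -v ca="$ca" '
        /^-----BEGIN CERTIFICATE-----/ { n++ }
        n == 1 { print > leaf; next }
        n >= 2 { print > ca }
    ' "$bundle"
}

# secret_cmd NAME LEAF KEY CA: the command from the accepted answer, filled in.
secret_cmd() {
    printf 'kubectl create secret generic %s --from-file=tls.crt=%s --from-file=tls.key=%s --from-file=ca.crt=%s\n' \
        "$1" "$2" "$3" "$4"
}

# check_pair LEAF KEY CA: optional sanity check before creating the secret.
# The leaf must verify against the CA file and the key must match the leaf
# (compared via their public keys). Skipped when openssl is not installed.
check_pair() {
    command -v openssl >/dev/null || { echo "openssl not found, skipping check"; return 0; }
    openssl verify -CAfile "$3" "$1" >/dev/null || return 1
    [ "$(openssl x509 -in "$1" -pubkey -noout)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Constructed demo input: two placeholder blocks standing in for a real leaf
# certificate followed by its CA. They are not real certificates.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'LEAF-PLACEHOLDER' \
        '-----END CERTIFICATE-----' '-----BEGIN CERTIFICATE-----' \
        'CA-PLACEHOLDER' '-----END CERTIFICATE-----' > "$d/client.pem"
    split_bundle "$d/client.pem" "$d/client.crt" "$d/ca.crt" || return 1
    secret_cmd proxy-ca-secret "$d/client.crt" client.key "$d/ca.crt"
}
demo
```

Run `check_pair client.crt client.key ca.crt` on the real files before creating the secret; a failed verify there reproduces the "bad certificate" alert seen in the ingress log.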
Try adding the following lines to the annotations section of your Ingress configuration file:

nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"

Take a look: ingress-nginx-ssl.

Chafe answered 5/6, 2020 at 13:25 Comment(1)
Thanks for the response! nginx.ingress.kubernetes.io/ssl-passthrough sends encrypted SSL requests directly to the backend. I don't want to do that; the request coming from the browser will terminate in the AWS ALB ingress controller. Queri
