
I am trying to do TLS termination at the pod level:
ingress (NLB) -> service (ClusterIP) -> pod

I have set up the ingress with SSL passthrough by adding the following annotations:

annotations:
  nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  nginx.ingress.kubernetes.io/ssl-redirect: "true"

After this, I am not sure what needs to be done at the pod to terminate TLS. I am unable to find any documentation related to this. Is mTLS the only solution? I need to do TLS termination for only 2 pods that are running in the namespace.

I tried the configuration below. It is not working.
Am I missing anything?

nginx ingress controller:

enabled ssl-passthrough

Ingress annotations:

  nginx.ingress.kubernetes.io/backend-protocol: HTTPS
  nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
  nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  nginx.ingress.kubernetes.io/ssl-redirect: "true"

Ingress spec:

spec:
  rules:
  - host: xyz.test.com
    http:
      paths:
      - backend:
          service:
            name: xyz
            port:
              number: 443
        path: /
        pathType: Prefix

Service – ports section in spec:

  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: 1443

nginx sidecar container in app pod:

ports:
- containerPort: 1443
  name: https
  protocol: TCP

volumeMounts:
- name: secret
  mountPath: /etc/nginx/ssl
  readOnly: true

volumes:
- name: secret
  secret:
    secretName: xyz-tls

I could exec into the pod and see that the certificates and key files are present in /etc/nginx/ssl

I also updated /etc/nginx/conf.d with the following changes:

server {
  # "ssl" is a per-listen parameter; the IPv6 socket needs it as well
  listen 1443 default_server ssl;
  listen [::]:1443 default_server ssl ipv6only=on;
  ssl_certificate /etc/nginx/ssl/tls.crt;
  ssl_certificate_key /etc/nginx/ssl/tls.key;
.....

2 Answers


  1. My advice: don’t do it! You don’t want to have to deal with certs inside your pods. Get the TLS done on your load balancers, managed by your cloud provider, or managed in your cluster by cert-manager and a proper cert provider (like Let’s Encrypt)

    If you really want to terminate TLS in your pod, then use TCP as the protocol, and that will let encrypted messages through.

  2. If you use cert-manager certificates with a trusted CA, all you need are the tls.crt and tls.key entries in the corresponding secret to configure termination.

    You can terminate TLS connections from your application pod in two ways:

    Terminate TLS in your application container

    In your application code, you have to initialize TLS connections using the mounted cert and key pair as mentioned above.

    Terminate TLS in a sidecar container of your application pod

    This way your application code remains the same. Incoming encrypted packets go to the sidecar, which terminates TLS, and the decrypted packets then flow to your application container. This provides the same level of network security as the option above. You can use an envoyproxy or nginx container properly configured with the TLS key pair.

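The sidecar option from the second answer, wired to the passthrough ingress the question describes, as one complete set of manifests. This is an added example, not code from the original post or from either answerer. It assumes a namespace to apply into (e.g. `kubectl apply -n demo`), the host `xyz.test.com`, a Secret `xyz-tls` holding `tls.crt`/`tls.key` (for instance issued by cert-manager), an application container that speaks plain HTTP on 8080, a hypothetical app image `registry.example.com/xyz:1.0`, and an ingress-nginx controller started with `--enable-ssl-passthrough`:

```yaml
# Added example, not code from the original post. Assumes the Secret xyz-tls
# (tls.crt/tls.key), host xyz.test.com, the app on plain HTTP 8080, and an
# ingress-nginx controller started with --enable-ssl-passthrough.
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: xyz-tls-sidecar
data:
  default.conf: |
    server {
      # "ssl" is a per-listen parameter: set it on the IPv6 socket too
      listen 1443 ssl default_server;
      listen [::]:1443 ssl default_server;
      server_name xyz.test.com;
      ssl_certificate     /etc/nginx/ssl/tls.crt;
      ssl_certificate_key /etc/nginx/ssl/tls.key;
      ssl_protocols       TLSv1.2 TLSv1.3;
      location / {
        # plaintext hop stays inside the pod's network namespace
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
      }
    }
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: xyz
spec:
  selector:
    matchLabels:
      app: xyz
  template:
    metadata:
      labels:
        app: xyz
    spec:
      containers:
      - name: app
        image: registry.example.com/xyz:1.0   # assumed image, plain HTTP on 8080
        ports:
        - containerPort: 8080
      - name: tls
        image: nginx:1.25
        ports:
        - containerPort: 1443
        volumeMounts:
        - name: tls
          mountPath: /etc/nginx/ssl
          readOnly: true
        - name: nginx-conf
          mountPath: /etc/nginx/conf.d
          readOnly: true
      volumes:
      - name: tls
        secret:
          secretName: xyz-tls
      - name: nginx-conf
        configMap:
          name: xyz-tls-sidecar
---
apiVersion: v1
kind: Service
metadata:
  name: xyz
spec:
  selector:
    app: xyz
  ports:
  - name: https
    port: 443
    protocol: TCP
    targetPort: 1443
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: xyz
  annotations:
    # passthrough: backend chosen from the TLS SNI, stream forwarded as-is;
    # the other nginx.ingress.kubernetes.io annotations are ignored in this mode
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: xyz.test.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: xyz
            port:
              number: 443
```

Two checks worth making once this is applied. First, because the controller never decrypts, the certificate the client sees is the one in `xyz-tls`, so it must be valid for `xyz.test.com`; `openssl s_client -connect <ingress-address>:443 -servername xyz.test.com` should show that certificate, not the controller's default one. Second, the sidecar only protects traffic that goes through it: if the app container binds `0.0.0.0:8080` rather than loopback, any pod in the cluster can reach the pod IP on 8080 and skip TLS entirely, so bind the app to `127.0.0.1` or restrict 8080 with a NetworkPolicy.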