I have a pod that serves HTTPS traffic on 443 using a self-signed certificate with a CN of app that matches the service name, app. It also serves HTTP on 80.
I also have an Ingress object that exposes the pod externally on foo.com and I use kube-lego to dynamically fetch and configure a LetsEncrypt certificate for foo.com:
spec:
  rules:
  - host: foo.com
    http:
      paths:
      - backend:
          serviceName: kube-lego-gce
          servicePort: 8080
        path: /.well-known/acme-challenge/*
      - backend:
          serviceName: app
          servicePort: 80
        path: /*
  tls:
  - hosts:
    - foo.com
    secretName: app-tls-staging

This means there are two levels of SSL. If I set the servicePort of the Ingress to 443 to ensure traffic between Google's LB and my pod is encrypted, the endpoint returns 502 Server Error. Is this because it doesn't know to trust my self-signed cert? Is there a way to specify a CA?
Once I set it back to 80 the Ingress starts working normally again after a few minutes.
What you're looking for is "re-encryption" for Load Balancer <=> cluster traffic. If you see here, re-encryption is listed as "Future Work".
But I see this feature is merged: https://github.com/kubernetes/ingress/pull/519/commits
It looks like you can find an example here and it's described as "Backend HTTPS" in this document: https://github.com/kubernetes/ingress/tree/master/controllers/gce#backend-https
However today this feature seems to be in alpha, so it may be subject to change and you may need to create an alpha GKE cluster (which is short-lived) to use it.
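As an added illustration (not code from the question, the answer, kube-lego or the ingress project), here is what the "Backend HTTPS" route looks like applied to the question's own manifests: the app Service annotated so the GCE controller re-encrypts to the pod's 443 listener, and the Ingress switched to servicePort 443. The annotation name is the alpha one from the linked Backend HTTPS document and may have changed since; the port name https, the pod label and the kube-lego tls-acme annotation are assumptions.

```yaml
# Constructed example: the Service the question's Ingress points at, annotated
# so the GCE ingress controller uses HTTPS for the port named "https". The
# annotation was alpha when the answer was written; check the linked
# "Backend HTTPS" doc for its current name before relying on it.
apiVersion: v1
kind: Service
metadata:
  name: app
  annotations:
    service.alpha.kubernetes.io/app-protocols: '{"https":"HTTPS"}'
spec:
  selector:
    app: app            # assumed pod label
  ports:
  - name: http          # still exposed for in-cluster clients
    port: 80
    targetPort: 80
  - name: https         # the pod's self-signed TLS listener
    port: 443
    targetPort: 443
---
# The Ingress from the question with servicePort switched to 443. The ACME
# challenge path still goes to kube-lego over plain HTTP, and the foo.com
# certificate on the load balancer is unchanged. The GCE load balancer does
# not validate the backend certificate, so the self-signed CN=app certificate
# is accepted; this hop is encrypted but the pod is not authenticated to the LB.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: app
  annotations:
    kubernetes.io/tls-acme: "true"   # kube-lego opt-in (assumed from its README)
spec:
  rules:
  - host: foo.com
    http:
      paths:
      - backend:
          serviceName: kube-lego-gce
          servicePort: 8080
        path: /.well-known/acme-challenge/*
      - backend:
          serviceName: app
          servicePort: 443
        path: /*
  tls:
  - hosts:
    - foo.com
    secretName: app-tls-staging
```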