HTTPS endpoints for local kubernetes backend service addresses, after SSL termination

10/2/2018

I have a k8s cluster that sits behind a load balancer. The request for myapisite.com passes through the LB and is routed by k8s to the proper deployment, getting the SSL cert from the k8s load balancer ingress, which then routes to the service ingress, like so:

# apiVersion, kind and metadata are not in the original excerpt; the name is a placeholder
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myapisite-ingress
spec:
  rules:
  - host: myapisite.com
    http:
      paths:
      - backend:
          serviceName: ingress-605582265bdcdcee247c11ee5801957d
          servicePort: 80
        path: /
  tls:
  - hosts:
    - myapisite.com
    secretName: myapisitecert
status:
  loadBalancer: {}

So my myapisite.com resolves on HTTPS correctly.

My problem is that, while maintaining the above setup (if possible), I need to be able to go to my local service endpoints within the same namespace on HTTPS, i.e. from another pod I should be able to curl or wget the following without a cert error:

https://myapisite.namespace.svc.cluster.local

Even if I were interested in not terminating SSL until the pod level, creating a SAN entry on the cert for a .local address is not an option, so that solution is not viable.

Is there some simple way I'm missing to make all local DNS trusted in k8s? Or some other solution here that's hopefully not a reinvention of the wheel? I am using kubernetes version 1.11 with CoreDNS.

Thanks, and sorry in advance if this is a dumb question.

-- Nick Schroeder
coredns
kubernetes
ssl

1 Answer

10/2/2018

If your application can listen on both HTTP and HTTPS, you can configure both, meaning you will be able to access it via either HTTP or HTTPS as you prefer. Now, how you create and distribute the certificate is a different story, but you must solve it on your own (probably by using your own CA and storing the cert/key in a secret). Unless you want to use something like Istio and its mutual TLS support to secure traffic between services.

While you write what you want to achieve, we don't really know why. The reason for this need might actually help to suggest the best solution.

-- Radek 'Goblin' Pieczonka
Source: StackOverflow
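The "own CA, cert/key in a secret" route from the answer, worked through as an added example (not code from either poster) using only Go's standard library: a private CA issues a server certificate whose SANs carry the cluster-local names the question needs, and a client that trusts only that CA accepts it for `myapisite.namespace.svc.cluster.local` but not for the public name. The namespace and the CA name are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Cluster-local service name from the question ("namespace" is a placeholder).
const internalName = "myapisite.namespace.svc.cluster.local"
// issue signs tmpl for pub with parentKey, valid for 24h; parent == tmpl gives a self-signed cert.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// BuildInternalPKI returns a private CA and a server cert whose SANs cover the in-cluster names.
func BuildInternalPKI() (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // leaf + leafKey is what a kubernetes.io/tls Secret holds
	if err != nil {
		return nil, nil, err
	}
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "cluster-internal-ca"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if ca, err = issue(caT, caT, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	leaf, err = issue(&x509.Certificate{SerialNumber: big.NewInt(2),
		DNSNames:    []string{internalName, "myapisite.namespace.svc"}, // names a public CA will not issue
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca, &leafKey.PublicKey, caKey)
	return ca, leaf, err
}
// Trusted reports whether a client trusting only ca accepts leaf for host (what curl in a pod decides).
func Trusted(ca, leaf *x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: pool})
	return err == nil
}
```

In a cluster the CA certificate (not its key) is what every client pod needs, for instance mounted from a ConfigMap and passed to `curl --cacert`; the server pod serves the leaf and its key from the TLS Secret.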