k8s-ingress to make the application secured with https

3/2/2019

I have a k8s app (Web API) which was first exposed via NodePort (I've used port forwarding to run it and it works as expected).

run it like localhost:8080/api/v1/users

Then I created a service of type LoadBalancer to expose it outside, which works as expected.

e.g. http://myhost:8080/api/v1/users

apiVersion: v1
kind: Service
metadata:
  name: fzr
  labels:
    app: fzr
    tier: service
spec:
  type: LoadBalancer
  ports:
    - port: 8080
  selector:
    app: fzr

Now we need to make it secure and after reading about this topic we have decided to use ingress for it.

This is what I did

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: ctr-ingress
  selector:
    app: fzr
spec:
  ports:
    - name: https
      port: 443
      targetPort: https

Now I want to run it like

https://myhost:443/api/v1/users

This is not working; I'm not able to run the application on port 443 as https. Please advise?

-- Jenny M
amazon-web-services
google-cloud-platform
kubernetes
kubernetes-ingress
nginx-ingress

1 Answer

3/4/2019

It looks to me like you are using a YAML template for a Service to deploy your ingress, but not correctly. targetPort should be a numeric port, and anyway, I don't think "https" is a correct value (I might be wrong though).

Something like this:

apiVersion: v1
kind: Service
metadata:
  name: fzr-ingress
spec:
  type: NodePort
  selector:
    app: fzr
  ports:
  - protocol: TCP
    port: 443
    targetPort: 8080

Now you have a nodeport service listening on 443 and forwarding the traffic to your fzr pods listening on port 8080.

However, the fact you are listening on port 443 does nothing to secure your app by itself. To encrypt the traffic you need a TLS certificate that you have to make available to the ingress as a secret.

If this seems somewhat complicated (because it is), you could look into deploying an Nginx ingress from a Helm chart.

In any case your ingress yaml would look something like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: gcs-ingress
  namespace: default
spec:
  rules:
  - host: myhost
    http:
      paths:
      - backend:
          serviceName: fzr-ingress  # the Service that exposes port 443
          servicePort: 443
        path: /api/v1/users
  tls:
  - hosts:
    - myhost
    secretName: myhosts-tls

More info on how to configure this here

-- Jordi Miralles
Source: StackOverflow
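
The wiring discussed in this thread (Ingress rule, backend Service port, TLS Secret) can be checked before applying anything. The following is an added example, not code from the question or the answer: `check_ingress` and the sample dicts are hypothetical, the manifests are constructed from the ones in the thread, and the field names follow the `extensions/v1beta1` schema used above.

```python
# Added example: static checks for an Ingress that is meant to terminate TLS.
# Manifests are plain dicts, as json.load or a YAML parser would return them.
SERVICE_ONLY_FIELDS = ("ports", "selector", "type")

def check_ingress(ingress, services, secrets):
    """Return a list of problems.
    services: Service name -> set of exposed ports; secrets: name -> Secret dict."""
    problems = []
    meta, spec = ingress.get("metadata", {}), ingress.get("spec", {})
    for field in SERVICE_ONLY_FIELDS:  # Service fields pasted into an Ingress
        if field in meta or field in spec:
            problems.append(f"'{field}' is a Service field, not an Ingress field")
    rules, tls = spec.get("rules", []), spec.get("tls", [])
    if not rules:
        problems.append("no spec.rules: no host or path is routed")
    if not tls:
        problems.append("no spec.tls: no certificate is configured")
    tls_hosts = {h for entry in tls for h in entry.get("hosts", [])}
    for rule in rules:
        if tls and rule.get("host") not in tls_hosts:
            problems.append(f"host {rule.get('host')!r} is not covered by spec.tls")
        for path in rule.get("http", {}).get("paths", []):
            backend = path.get("backend", {})
            name, port = backend.get("serviceName"), backend.get("servicePort")
            if name not in services:
                problems.append(f"backend Service {name!r} does not exist")
            elif port not in services[name]:
                problems.append(f"Service {name!r} exposes no port {port}")
    for entry in tls:
        sname = entry.get("secretName")
        secret = secrets.get(sname)
        if secret is None:
            problems.append(f"TLS Secret {sname!r} does not exist")
        elif (secret.get("type") != "kubernetes.io/tls"
              or not {"tls.crt", "tls.key"} <= set(secret.get("data", {}))):
            problems.append(f"Secret {sname!r} is not a kubernetes.io/tls Secret")
    return problems

# Constructed sample input modelled on the manifests in this thread.
BROKEN = {"metadata": {"name": "ctr-ingress", "selector": {"app": "fzr"}},
          "spec": {"ports": [{"name": "https", "port": 443, "targetPort": "https"}]}}
FIXED = {"metadata": {"name": "gcs-ingress"}, "spec": {
    "rules": [{"host": "myhost", "http": {"paths": [{"path": "/api/v1/users",
        "backend": {"serviceName": "fzr-ingress", "servicePort": 443}}]}}],
    "tls": [{"hosts": ["myhost"], "secretName": "myhosts-tls"}]}}
SERVICES = {"fzr": {8080}, "fzr-ingress": {443}}
SECRETS = {"myhosts-tls": {"type": "kubernetes.io/tls",
                           "data": {"tls.crt": "<base64 PEM>", "tls.key": "<base64 PEM>"}}}

if __name__ == "__main__":
    for manifest in (BROKEN, FIXED):
        print(manifest["metadata"]["name"], check_ingress(manifest, SERVICES, SECRETS) or "ok")
```

The check only confirms that the objects reference each other correctly; it does not validate the certificate inside the Secret.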