Supporting SSL/TLS for a Kubernetes NodePort Service

3/6/2019

The Problem

I need to expose a Kubernetes NodePort service externally over https.

The Setup

  • I've deployed Kubernetes on bare-metal and have deployed Polyaxon on the cluster via Helm
  • I need to access Polyaxon's dashboard via the browser, using a virtual machine that's external to the cluster
  • The dashboard is exposed as a NodePort service, and I'm able to connect to it over http. I am not able to connect over https, which is a hard requirement in my case.
  • Following an initial "buildout" period, both the cluster and the virtual machine will not have access to the broader internet. They will connect to one another and that's it.

Polyaxon supposedly supports SSL/TLS through its own configs, but there's very little documentation on this. I've made my best attempts to solve the issue that way and also bumped an issue on their GitHub, but haven't had any luck so far.

So I'm now wondering if there might be a more general Kubernetes hack that could help me here.

The Solutions

I'm looking for the simplest solution, rather than the most elegant or scalable. There are also some things that might make my situation simpler than the average user who would want https, namely:

  • It would be OK to support https on just one node, rather than every node
  • I don't need (or really want) a domain name; connecting at https://<ip_address>:<port> is not just OK but preferred
  • A self-signed certificate is also OK

So I'm hoping there's some way to manipulate the NodePort service directly such that https will work on the virtual machine. If that's not possible, other solutions I've considered are using an Ingress Controller or some sort of proxy, but those solutions are both a little half-baked in my mind. I'm a novice with both Kubernetes and networking ideas in general, so if you're going to propose something more complex please speak very slowly :)

Thanks a ton for your help!

-- JJL
kubernetes
networking

1 Answer

3/26/2019

An Ingress controller is the standard way to expose an HTTP backend over a TLS connection from the cluster to the client.

The existing NodePort service has a ClusterIP which can be used as a backend for the Ingress. A ClusterIP type of service is enough, so you can change the service type later to prevent HTTP access via nodeIP:nodePort. The Ingress controller allows you to terminate the TLS connection or pass TLS traffic through to the backend.

You can use a self-signed certificate or use cert-manager with the Let's Encrypt service.

Note that starting from version 0.22.0 the Nginx-ingress rewrite syntax has changed, and some examples in the articles may be outdated.

Check the links:

-- VAS
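The approach in the answer, worked through as an added example (this is not code from the question, the answer, or the Polyaxon project): generate a self-signed certificate whose Subject Alternative Name is the node IP the virtual machine will dial, package it as a `kubernetes.io/tls` Secret, and put an Ingress that terminates TLS in front of the existing dashboard service. The namespace `default`, service name `dashboard-service`, service port `80`, node IP `10.0.0.5` and Secret name `dashboard-tls` are placeholders; substitute the values from `kubectl get svc` for the Polyaxon dashboard.

```shell
#!/bin/sh
# Added example, not from the original post. Names and addresses are placeholders.
set -eu

# Generate a self-signed certificate with an IP SAN. Browsers reject a
# certificate whose SAN does not contain the address typed in the URL bar,
# even when the CN matches, so the SAN is the part that matters for
# https://<ip_address>:<port>.
#   $1 = output directory, $2 = node IP the client connects to
gen_selfsigned_cert() {
  dir=$1; ip=$2
  cat > "$dir/openssl.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ext
[dn]
CN = $ip
[v3_ext]
subjectAltName = IP:$ip
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/tls.key" -out "$dir/tls.crt" -config "$dir/openssl.cnf" 2>/dev/null
}

# Render the Ingress manifest. The rule has no host, so it matches requests
# addressed to a bare IP; the backend is the existing service (its ClusterIP
# is reached by name), and the tls entry names the Secret holding the cert.
#   $1 = output file, $2 = namespace, $3 = service name, $4 = service port,
#   $5 = TLS secret name
write_ingress_manifest() {
  out=$1; ns=$2; svc=$3; port=$4; secret=$5
  cat > "$out" <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: dashboard-tls
  namespace: $ns
spec:
  ingressClassName: nginx
  tls:
  - secretName: $secret
  rules:
  - http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: $svc
            port:
              number: $port
EOF
}

# The full procedure. Only the kubectl steps need a cluster, so they are
# printed for the reader to run rather than executed here.
main_example() {
  work=${1:-$(mktemp -d)}
  gen_selfsigned_cert "$work" 10.0.0.5
  write_ingress_manifest "$work/ingress.yaml" default dashboard-service 80 dashboard-tls
  echo "kubectl -n default create secret tls dashboard-tls --cert=$work/tls.crt --key=$work/tls.key"
  echo "kubectl apply -f $work/ingress.yaml"
}
```

Two points a practitioner will hit with the IP-only setup: a client that connects by IP sends no SNI name, so ingress-nginx serves its default certificate rather than one matched by host; point the controller at this Secret with its `--default-ssl-certificate=default/dashboard-tls` flag so the self-signed cert is the one presented. And once the Ingress works, change the service type from NodePort to ClusterIP, as the answer suggests, so the plaintext nodeIP:nodePort path is closed and the only external route is the TLS one.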
Source: StackOverflow