How to terminate HTTPS traffic directly on Kubernetes container

6/28/2019

I have so far configured servers inside Kubernetes containers that used HTTP or terminated HTTPS at the ingress controller. Is it possible to terminate HTTPS (or more generally TLS) traffic from outside the cluster directly on the container, and how would the configuration look in that case?

This is for an on-premises Kubernetes cluster that was set up with kubeadm (with Flannel as CNI plugin). If the Kubernetes Service were configured with externalIPs 1.2.3.4 (where my-service.my-domain resolves to 1.2.3.4) for service access from outside the cluster at https://my-service.my-domain, say, how could the web service running inside the container bind to address 1.2.3.4, and how could the client verify a server certificate for 1.2.3.4 when the container's IP address is (AFAIK) some local IP address instead? I currently don't see how this could be accomplished.

UPDATE: My current understanding is that when using an Ingress, HTTPS traffic would be terminated at the ingress controller (i.e. at the "edge" of the cluster) and further communication inside the cluster towards the backing container would be unencrypted. What I want is encrypted communication all the way to the container (both outside and inside the cluster).

-- rookie099
Tags: https, kubernetes

1 Answer

7/1/2019

I guess Istio Envoy proxies are what you need; their main purpose is to authenticate, authorize and encrypt service-to-service communication.

So, you need a mesh with mTLS authentication, also known as service-to-service authentication.

Visually, Service A is your Ingress service and Service B is a service for the HTTP container:


So, you terminate external TLS traffic on the ingress controller and it will go further inside the cluster with Istio mTLS encryption.

It's not exactly what you asked for ("terminate HTTPS traffic directly on Kubernetes container"), though it fulfills the requirement:

"What I want is encrypted communication all the way to the container"

-- A_Suh
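As an added example (not from the question or the answer), here is one way the question's setup can be expressed in manifests: the container terminates TLS itself, binding to 0.0.0.0:8443 on its pod IP rather than to 1.2.3.4, the Service maps the external IP 1.2.3.4:443 onto that port, and the client verifies the certificate against the DNS name my-service.my-domain in its subject alternative name, so the pod's private IP never enters into verification. The image name and its behaviour (loading /etc/tls/tls.crt and /etc/tls/tls.key and listening on 8443) are assumptions; the last object shows the answer's alternative, Istio mTLS enforced mesh-wide.

```yaml
# TLS secret for the certificate issued to my-service.my-domain (SAN = DNS name, not an IP); values are placeholders
apiVersion: v1
kind: Secret
metadata:
  name: my-service-tls
type: kubernetes.io/tls
data:
  tls.crt: PLACEHOLDER_BASE64_PEM_CERTIFICATE_CHAIN
  tls.key: PLACEHOLDER_BASE64_PEM_PRIVATE_KEY
---
# Pod terminating TLS itself; it binds 0.0.0.0:8443 on the pod IP, never on the external IP
apiVersion: v1
kind: Pod
metadata:
  name: my-service
  labels: {app: my-service}
spec:
  containers:
  - name: web
    image: registry.example/my-tls-web:1.0  # assumed image: serves HTTPS on 8443 using /etc/tls
    volumeMounts:
    - name: tls
      mountPath: /etc/tls
      readOnly: true
  volumes:
  - name: tls
    secret:
      secretName: my-service-tls
---
# Service with the question's externalIPs: 1.2.3.4:443 is forwarded to the pod's 8443, still encrypted
apiVersion: v1
kind: Service
metadata:
  name: my-service
spec:
  selector: {app: my-service}
  externalIPs: ["1.2.3.4"]
  ports:
  - port: 443
    targetPort: 8443
---
# The answer's alternative: Istio sidecars encrypt pod-to-pod traffic with mutual TLS, enforced mesh-wide
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
```

With the first three objects a client connecting to https://my-service.my-domain checks the hostname against the certificate's SAN, which is why a certificate for the name rather than for 1.2.3.4 or the pod IP is what makes verification succeed.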
Source: StackOverflow