How to enable nginx ingress for end-to-end tls connection

9/18/2019

How can I enable nginx ingress to support an end-to-end TLS connection without passthrough? The Ingress LoadBalancer is allowed with PublicCA and the backend servers are also running on a TLS port with PrivateCA.

The following ingress definition will do the TLS offloading with the Public certificate installed on the Edge.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
  name: wbqgdimtzx
  namespace: default
spec:
  rules:
  - host: 0cloud0.com
    http:
      paths:
      - backend:
          serviceName: wbqgdimtzx
          servicePort: 443
        path: /
  tls:
  - hosts:
    - 0cloud0.com
    secretName: 0cloud0-wildcard-certs
status:
  loadBalancer:
    ingress:
    - {}

The backend pods are running on a secure port where plain-text connections are not allowed for security reasons.

What upstream changes do I need to do in the nginx ingress to support the end-to-end setting?

Based on Amit's response, I added

nginx.ingress.kubernetes.io/backend-protocol: HTTPS

It worked: https://cunkexvoxu.0cloud0.com/

-- anish
kubernetes
nginx
nginx-ingress

1 Answer

9/25/2019

Based on @Amit Kumar Gupta's comment, I am posting this as a community wiki for better visibility.

The OP specified a backend with servicePort: 443 and tls in his YAML; however, it was not enough to ensure a secure end-to-end connection. NGINX uses HTTP by default. If you want to reach your service only over HTTPS, you have to add an annotation to the Ingress YAML.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: wbqgdimtzx
  namespace: default
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
...
-- PjoterS
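
An added example, not part of the original question or answer: the full Ingress from the question with the backend-protocol annotation, plus the ingress-nginx annotations that make NGINX verify the backend certificate against the private CA (upstream verification is off by default, so HTTPS alone encrypts but does not authenticate the pods). The secret name default/backend-private-ca and the certificate name wbqgdimtzx.default.svc are assumptions, not values from the page.

```yaml
apiVersion: extensions/v1beta1   # as used on the page; clusters >= 1.22 require networking.k8s.io/v1
kind: Ingress
metadata:
  name: wbqgdimtzx
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
    # Re-encrypt: NGINX terminates the public-CA session at the edge and
    # opens a new TLS session to the pods instead of plain HTTP.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # Verify the upstream certificate; the default is "off".
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    # Hypothetical secret in <namespace>/<name> form; its ca.crt key holds
    # the private CA that signed the backend certificates.
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "default/backend-private-ca"
    # Assumed name in the backend certificate; NGINX checks the upstream
    # certificate against this value and also sends it as SNI.
    nginx.ingress.kubernetes.io/proxy-ssl-name: "wbqgdimtzx.default.svc"
spec:
  rules:
  - host: 0cloud0.com
    http:
      paths:
      - path: /
        backend:
          serviceName: wbqgdimtzx
          servicePort: 443
  tls:
  - hosts:
    - 0cloud0.com
    secretName: 0cloud0-wildcard-certs   # public-CA certificate served at the edge
```

If the private CA issues through an intermediate, nginx.ingress.kubernetes.io/proxy-ssl-verify-depth has to be raised from its default of 1.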
Source: StackOverflow