Getting error "http: TLS handshake error from EOF" in kubernetes go program

1/9/2020

I have a Kubernetes pod configured as a web server supporting HTTPS. This pod is giving the TLS handshake error logs. When we try to access the load balancer service IP in the browser, it gives the error "the connection is not secure, proceed to unsafe". For a secure connection we have a self-signed certificate mounted as a secret to the pod volume. If we remove support for HTTPS, everything works fine. Can somebody suggest what could be the possible reason for such behaviour?

-- PREETI BANSAL
client-go
kubernetes

1 Answer

1/9/2020

By default, an HTTPS connection exists only between the browser and the loadbalancer. The loadbalancer communicates with pods using plain HTTP.

browser -------------->|loadbalancer|-----------> POD
         https                          http

In that case, the certificate needs to be present on the loadbalancer, not on the POD, and you should disable HTTPS on the pod.

The loadbalancer can be configured to communicate with PODs using https, but it will be a different https connection:

browser -------------->|loadbalancer|-----------> POD
         https                          https

Here two certificates are needed, one on the loadbalancer and one on the pod itself.

The last option is pass-through SSL, but it's not enabled by default:

                        loadbalancer
browser --------------|--------------|-----------> POD
                           https

Here the certificate should be placed on the pod.

The way of configuring HTTPS depends on the used loadbalancer, cloud provider etc. If you are using Ingress, this page might help: Kubernetes: Using Ingress with SSL/TLS termination and HTTP/2

Sidenote: browsers always complain about insecure connection when using a self-signed certificate (unless you configure them not to do it).

-- Mafor
Source: StackOverflow
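To see from the server's side what each kind of upstream does to a Go HTTPS listener, the following added example (not code from the question or the answer) starts an in-process `httptest` TLS server and contacts it three ways. Assumptions: the `httptest` server with its built-in self-signed certificate stands in for the pod, and `Probe` and `logLines` are hypothetical names.

```go
package main

import (
	"fmt"
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// logLines captures the server's ErrorLog output for inspection.
type logLines chan string
func (l logLines) Write(p []byte) (int, error) { l <- string(p); return len(p), nil }

// Probe starts a throwaway HTTPS server (stand-in for the pod) and contacts it three ways.
func Probe() (eofLog string, plainStatus, tlsStatus int, err error) {
	logs := make(logLines, 16)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { fmt.Fprintln(w, "ok") }))
	srv.Config.ErrorLog = log.New(logs, "", 0)
	srv.StartTLS()
	defer srv.Close()
	addr := srv.Listener.Addr().String()
	// 1. Open a TCP connection and close it without sending a ClientHello.
	c, err := net.Dial("tcp", addr)
	if err != nil {
		return
	}
	c.Close()
	select {
	case eofLog = <-logs:
	case <-time.After(5 * time.Second):
		return "", 0, 0, fmt.Errorf("no handshake error was logged")
	}
	// 2. Plain HTTP sent to the TLS port: net/http answers 400, logs nothing.
	resp, err := http.Get("http://" + addr)
	if err != nil {
		return
	}
	resp.Body.Close()
	plainStatus = resp.StatusCode
	// 3. HTTPS from a client that trusts the server's certificate.
	if resp, err = srv.Client().Get(srv.URL); err != nil {
		return
	}
	resp.Body.Close()
	return eofLog, plainStatus, resp.StatusCode, nil
}

func main() { fmt.Println(Probe()) }
```

Only the first case produces the `http: TLS handshake error from <addr>: EOF` log line; matching the remote address in the pod's log against the load balancer or node addresses shows which component is opening connections without completing a handshake.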