k8s ingress controller doesn't pass certificate to upstream https service.
with nginx i could achive with something like this
location /upstream {
proxy_pass https://backend.example.com;
proxy_ssl_certificate /etc/nginx/client.pem;
proxy_ssl_certificate_key /etc/nginx/client.key;
}
Am i missing something here! My current config look something like this. I don't want pass ssl comming from client will terminate here.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: backend
namespace: default
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: "/$1"
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/secure-backends: "true"
nginx.ingress.kubernetes.io/proxy-ssl-secret: "proxy-ca-secret"
nginx.ingress.kubernetes.io/proxy-ssl-name: "backend.example.com"
spec:
rules:
- http:
paths:
- path: /(api/auth/.*)
backend:
serviceName: auth
servicePort: 8080Log shows
SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking to upstreamI verfied base64 cert with openssl cert look fine. Thanks in advance!
Issue in my case was indeed the cert as log says. documentation was not clear! I has to create generic secret for certs with ca because my certificate is self signed.
kubectl create secret generic proxy-ca-secret --from-file=tls.crt=client.crt --from-file=tls.key=client.key --from-file=ca.crt=ca.crtmistake it did was having certificate & chain in cert.pem and importing as tls
kubectl create secret tls proxy-ca-secret --key "client.key" --cert "client.pem"Try to add the following lines to your Ingress configuration file in annotation section:
nginx.ingress.kubernetes.io/ssl-passthrough: "true",
nginx.ingress.kubernetes.io/ssl-redirect: "true"Take a look: ingress-nginx-ssl.