k8s ingress controller doesn't pass certificate to upstream https service.
with nginx i could achive with something like this
location /upstream {
proxy_pass https://backend.example.com;
proxy_ssl_certificate /etc/nginx/client.pem;
proxy_ssl_certificate_key /etc/nginx/client.key;
}
Am i missing something here! My current config look something like this. I don't want pass ssl comming from client will terminate here.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: backend
namespace: default
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: "/$1"
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/secure-backends: "true"
nginx.ingress.kubernetes.io/proxy-ssl-secret: "proxy-ca-secret"
nginx.ingress.kubernetes.io/proxy-ssl-name: "backend.example.com"
spec:
rules:
- http:
paths:
- path: /(api/auth/.*)
backend:
serviceName: auth
servicePort: 8080
Log shows
SSL_do_handshake() failed (SSL: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:SSL alert number 42) while SSL handshaking to upstream
I verfied base64 cert with openssl cert look fine. Thanks in advance!
Issue in my case was indeed the cert as log says. documentation was not clear! I has to create generic secret for certs with ca because my certificate is self signed.
kubectl create secret generic proxy-ca-secret --from-file=tls.crt=client.crt --from-file=tls.key=client.key --from-file=ca.crt=ca.crt
mistake it did was having certificate & chain in cert.pem and importing as tls
kubectl create secret tls proxy-ca-secret --key "client.key" --cert "client.pem"
Try to add the following lines to your Ingress configuration file in annotation section:
nginx.ingress.kubernetes.io/ssl-passthrough: "true",
nginx.ingress.kubernetes.io/ssl-redirect: "true"
Take a look: ingress-nginx-ssl.