I have 2 services in Kubernetes: one is mTLS, the other is TLS. I'm trying to configure an ingress for them. I want to configure SSL passthrough for the mTLS service but leave the TLS service without ssl-passthrough; it doesn't need a client certificate.
I configured 2 ingresses on the same hostname, with two different YAML files: one with passthrough, the other without passthrough.
The current behavior is: if I create the mTLS ingress first, the TLS one will not work; the HTTPS requests that I send to the TLS one are always routed to the mTLS service, which then returns 404. But if I configure the TLS ingress first and then the mTLS one, the TLS one works, but the mTLS one fails with a certificate issue.
I'm not sure whether the ssl-passthrough annotation is configured at host level, or whether I can make it work at each path level? The mTLS ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  name: mtls-ingress
spec:
  rules:
  - host: app.abc.com
    http:
      paths:
      - backend:
          service:
            name: mtls-service
            port:
              number: 8081
        path: /mtls-api
        pathType: Prefix
  tls:
  - hosts:
    - app.abc.com
    secretName: tls-nginx-mtls
Then the TLS ingress:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  name: tls-ingress
spec:
  rules:
  - host: app.abc.com
    http:
      paths:
      - backend:
          service:
            name: tls-service
            port:
              number: 8080
        path: /tls-api
        pathType: Prefix
  tls:
  - hosts:
    - app.abc.com
    secretName: tls-nginx-tls
It's like the two ingresses override each other; only the first one's annotation works. It looks like passthrough is configured for the host, not for the ingress or path. I have no idea. Please help. Thanks.
You want to use 2 services on the same host with the annotation nginx.ingress.kubernetes.io/ssl-passthrough: "true" for one of them.
This will not work because with SSL Passthrough the proxy doesn't know the path to which it should route the traffic.
From the NGINX Ingress Controller User Guide:
The annotation nginx.ingress.kubernetes.io/ssl-passthrough instructs the controller to send TLS connections directly to the backend instead of letting NGINX decrypt the communication.
Because SSL Passthrough works on layer 4 of the OSI model (TCP) and not on the layer 7 (HTTP), using SSL Passthrough invalidates all the other annotations set on an Ingress object.
The solution is to use subdomains for your services, not paths.
Additionally, some links from GitHub about this problem:
Multiple Ingress backends ignored when SSL Passthrough is enabled
Ignoring SSL Passthrough for location "/*" in server "example.com"
Path based routing only works with base path
and one from Server Fault about the NGINX workflow for SSL Passthrough.