Is the ssl-passthrough configured at the host level, kubernetes ingress

1/20/2022

I have 2 services in kubernetes, one is mtls, the other is tls. I'm trying to configure an ingress for them. I want to configure the ssl passthrough for the mtls service but leave the tls service without ssl-passthrough, since it doesn't need a client certificate.

I configured 2 ingresses at the same hostname, with two different yaml files. One with passthrough, the other without passthrough.

The current behavior is that if I create the mtls ingress first, the tls one will not work: the https request that I send to the tls one will always be routed to the mtls service, which then returns 404. But if I configure the tls ingress first and then the mtls one, the tls one will work, but the mtls one will fail with a certificate issue.

I'm not sure whether the ssl passthrough annotation is configured at the host level, or whether I can make it work at each path level. The mtls ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  name: mtls-ingress
spec:
  rules:
  - host: app.abc.com
    http:
      paths:
      - backend:
          service:
            name: mtls-service
            port:
              number: 8081
        path: /mtls-api
        pathType: Prefix
  tls:
  - hosts:
    - app.abc.com
    secretName: tls-nginx-mtls

Then the tls ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
  name: tls-ingress
spec:
  rules:
  - host: app.abc.com
    http:
      paths:
      - backend:
          service:
            name: tls-service
            port:
              number: 8080
        path: /tls-api
        pathType: Prefix
  tls:
  - hosts:
    - app.abc.com
    secretName: tls-nginx-tls

It's like the two ingresses override each other, and only the first annotation works. It looks like passthrough is configured for the host but not the ingress or path. I have no idea. Please help. Thanks.

-- user2857793
kubernetes
kubernetes-ingress
ssl

1 Answer

1/22/2022

You want to use 2 services on the same host with the annotation nginx.ingress.kubernetes.io/ssl-passthrough: "true" for one of them.

This will not work because with SSL Passthrough the proxy doesn't know the path to which it should route the traffic.

From the NGINX Ingress Controller User Guide:

The annotation nginx.ingress.kubernetes.io/ssl-passthrough instructs the controller to send TLS connections directly to the backend instead of letting NGINX decrypt the communication.

Because SSL Passthrough works on layer 4 of the OSI model (TCP) and not on the layer 7 (HTTP), using SSL Passthrough invalidates all the other annotations set on an Ingress object.

The solution is to use subdomains for your services, not paths.

Additionally, some links from GitHub about this problem:

Multiple Ingress backends ignored when SSL Passthrough is enabled

Ignoring SSL Passthrough for location "/*" in server "example.com"

Path based routing only works with base path

and from serverfault about NginX workflow for SSL Passthrough.

-- Andrew Skorkin
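Applying the answer's recommendation to the question's manifests, as an added example that is not part of the original answer: the two services are split onto separate hostnames so the passthrough ingress is matched by its own SNI name. The hostnames mtls.abc.com and tls.abc.com are assumptions.

```yaml
# Added example, not from the original post: the question's two Ingress objects
# split onto separate hostnames as the answer recommends (hostnames are
# assumptions). Passthrough routes the TCP connection by TLS SNI, so the
# backend presents its own cert and checks the client cert itself; the
# controller must also be started with --enable-ssl-passthrough.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mtls-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
  - host: mtls.abc.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: mtls-service
            port:
              number: 8081
---
# Terminating Ingress: NGINX decrypts with tls-nginx-tls, so layer-7 annotations (paths, backend-protocol, ssl-redirect) apply here.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
  - hosts:
    - tls.abc.com
    secretName: tls-nginx-tls
  rules:
  - host: tls.abc.com
    http:
      paths:
      - path: /tls-api
        pathType: Prefix
        backend:
          service:
            name: tls-service
            port:
              number: 8080
```

Because NGINX never terminates the passthrough connection, no ingress-level TLS Secret is used for mtls.abc.com; the mtls-service backend is the only place the client certificate can be verified, so that is where the check has to be enforced.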
Source: StackOverflow