Use Ingress to direct traffic to an HTTPS backend

Recently, while working on exposing an application that was listening on an HTTPS port, I used the following YAML to create an Ingress.

# Source: connaisseur/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: connaisseur-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  ingressClassName: sample-ingress-class
  rules:
  - http:
      paths:
      - path: /connaisseur-svc/(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: connaisseur-svc-health
            port:
              number: 5000

Note that the backend service "connaisseur-svc-health" was forwarding traffic to a pod that was listening on an HTTPS port only. The backend service was therefore reachable only via HTTPS.

When accessing this via the Ingress, I got an error: 502 Bad Gateway

Later on I realized that to use Ingress to direct traffic to an HTTPS backend, we need to add two additional annotations:

  • nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" (indicates how NGINX should communicate with the backend service)
  • nginx.ingress.kubernetes.io/ssl-passthrough: "true" (instructs the controller to send TLS connections directly to the backend instead of letting NGINX decrypt the communication)

The final YAML that worked looked like this:

# Source: connaisseur/templates/ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: connaisseur-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: sample-ingress-class
  rules:
  - http:
      paths:
      - path: /connaisseur-svc/(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: connaisseur-svc-health
            port:
              number: 5000
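
With backend-protocol set to "HTTPS", NGINX re-encrypts traffic to the pod but does not verify the backend certificate unless told to. The variant below is an added example, not part of the original post, that turns verification on; the Secret name, namespace and certificate name are assumed placeholders.

```yaml
# Added example: same Ingress, with backend certificate verification.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: connaisseur-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    # NGINX terminates the client connection and opens a new TLS
    # connection to the backend on port 5000.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # Verification of the backend certificate is off by default.
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    # Secret in "namespace/name" form; its ca.crt holds the CA that
    # issued the backend certificate (assumed placeholder name).
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "example-namespace/backend-ca"
    # Name the backend certificate is verified against (assumed value).
    nginx.ingress.kubernetes.io/proxy-ssl-name: "connaisseur-svc-health.example-namespace.svc"
    # Send that name in the TLS SNI extension.
    nginx.ingress.kubernetes.io/proxy-ssl-server-name: "on"
    # ssl-passthrough is omitted in this variant: it only takes effect
    # when the controller runs with --enable-ssl-passthrough, and it
    # works at the TCP layer, where NGINX cannot apply rewrite-target
    # or path-based routing.
spec:
  ingressClassName: sample-ingress-class
  rules:
  - http:
      paths:
      - path: /connaisseur-svc/(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: connaisseur-svc-health
            port:
              number: 5000
```

If the backend certificate is self-signed or issued for a different name, this variant returns 502 again, which is the intended signal that the certificate or the proxy-ssl-name value needs fixing.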

Reference:

  1. https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#backend-protocol
  2. https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#ssl-passthrough

PS: The scenario described in this article used the Ingress-NGINX Controller for Kubernetes; please check your ingress type/version before using this solution.
