ingress-nginx-helm/examples/tls-termination/haproxy/README.md

# HAProxy Ingress TLS termination

## Prerequisites

This document has the following prerequisites:

* Deploy [HAProxy Ingress controller](/examples/deployment/haproxy), you should end up with controller, a sample web app and default TLS secret
* Create [*another* secret](/examples/PREREQUISITES.md#tls-certificates) named `foobar-ssl` and subject `'/CN=foo.bar'`

As mentioned in the deployment instructions, you MUST turn down any existing
ingress controllers before running HAProxy Ingress.

## Using default TLS certificate

Update ingress resource in order to add TLS termination to host `foo.bar`:

```console
$ kubectl replace -f ingress-tls-default.yaml
```

The difference from the starting ingress resource:

```console
 metadata:
   name: app
 spec:
+  tls:
+  - hosts:
+    - foo.bar
   rules:
   - host: foo.bar
     http:
```

Trying default backend:

```console
$ curl -iL 172.17.4.99:30876            
HTTP/1.1 404 Not Found
Date: Tue, 07 Feb 2017 00:06:07 GMT
Content-Length: 21
Content-Type: text/plain; charset=utf-8

default backend - 404
```

Now telling the controller we are `foo.bar`:

```console
$ curl -iL 172.17.4.99:30876 -H 'Host: foo.bar'
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: https://foo.bar/
Connection: close
^C
```

Note the `Location` header - this would redirect us to the correct server.

Checking the default certificate - change below `31692` to the TLS port:

```console
$ openssl s_client -connect 172.17.4.99:31692
...
subject=/CN=localhost
issuer=/CN=localhost
---
```

... and `foo.bar` certificate:

```console
$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
...
subject=/CN=localhost
issuer=/CN=localhost
---
```

## Using a new TLS certificate

Now let's reference the new certificate to our domain. Note that secret
`foobar-ssl` should be created as described in the [prerequisites](#prerequisites)

```console
$ kubectl replace -f ingress-tls-foobar.yaml 
```

Here is the difference:

```console
   tls:
   - hosts:
     - foo.bar
+    secretName: foobar-ssl
   rules:
   - host: foo.bar
     http:
```

Now `foo.bar` certificate should be used to terminate TLS:

```console
$ openssl s_client -connect 172.17.4.99:31692
...
subject=/CN=localhost
issuer=/CN=localhost
---

$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
...
subject=/CN=foo.bar
issuer=/CN=foo.bar
---
```
Minor fix on console cmd of HAProxy docs 2017-02-08 09:26:31 +00:00			`# HAProxy Ingress TLS termination`
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			`## Prerequisites`
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			`This document has the following prerequisites:`
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			`* Deploy [HAProxy Ingress controller](/examples/deployment/haproxy), you should end up with controller, a sample web app and default TLS secret`
			* Create [another secret](/examples/PREREQUISITES.md#tls-certificates) named `foobar-ssl` and subject `'/CN=foo.bar'`
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			`As mentioned in the deployment instructions, you MUST turn down any existing`
			`ingress controllers before running HAProxy Ingress.`
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			`## Using default TLS certificate`
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			Update ingress resource in order to add TLS termination to host `foo.bar`:
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			```console
			`$ kubectl replace -f ingress-tls-default.yaml`
			```
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			`The difference from the starting ingress resource:`
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			```console
			`metadata:`
			`name: app`
			`spec:`
			`+ tls:`
			`+ - hosts:`
			`+ - foo.bar`
			`rules:`
			`- host: foo.bar`
			`http:`
			```
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			`Trying default backend:`
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			```console
			`$ curl -iL 172.17.4.99:30876`
			`HTTP/1.1 404 Not Found`
			`Date: Tue, 07 Feb 2017 00:06:07 GMT`
			`Content-Length: 21`
			`Content-Type: text/plain; charset=utf-8`
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			`default backend - 404`
			```
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			Now telling the controller we are `foo.bar`:
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			```console
			`$ curl -iL 172.17.4.99:30876 -H 'Host: foo.bar'`
			`HTTP/1.1 302 Found`
			`Cache-Control: no-cache`
			`Content-length: 0`
			`Location: https://foo.bar/`
			`Connection: close`
			`^C`
			```
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			Note the `Location` header - this would redirect us to the correct server.
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			Checking the default certificate - change below `31692` to the TLS port:
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			```console
			`$ openssl s_client -connect 172.17.4.99:31692`
			`...`
			`subject=/CN=localhost`
			`issuer=/CN=localhost`
			`---`
			```
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			... and `foo.bar` certificate:
Docs - TLS termination of HAProxy Ingress 2017-02-07 00:28:45 +00:00
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			```console
			`$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar`
			`...`
			`subject=/CN=localhost`
			`issuer=/CN=localhost`
			`---`
			```

			`## Using a new TLS certificate`

			`Now let's reference the new certificate to our domain. Note that secret`
			`foobar-ssl` should be created as described in the [prerequisites](#prerequisites)

			```console
			`$ kubectl replace -f ingress-tls-foobar.yaml`
			```

			`Here is the difference:`

			```console
			`tls:`
			`- hosts:`
			`- foo.bar`
			`+ secretName: foobar-ssl`
			`rules:`
			`- host: foo.bar`
			`http:`
			```

			Now `foo.bar` certificate should be used to terminate TLS:

			```console
Minor fix on console cmd of HAProxy docs 2017-02-08 09:26:31 +00:00			`$ openssl s_client -connect 172.17.4.99:31692`
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			`...`
			`subject=/CN=localhost`
			`issuer=/CN=localhost`
			`---`

Minor fix on console cmd of HAProxy docs 2017-02-08 09:26:31 +00:00			`$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar`
Consistency editing of HAProxy Ingress docs 2017-02-07 23:45:12 +00:00			`...`
			`subject=/CN=foo.bar`
			`issuer=/CN=foo.bar`
			`---`
			```