From b579cbba7412bc6999bbfd168c60c80c4da1be75 Mon Sep 17 00:00:00 2001
From: Joao Morais
Date: Mon, 6 Feb 2017 22:28:45 -0200
Subject: [PATCH] Docs - TLS termination of HAProxy Ingress
---
examples/tls-termination/haproxy/README.md | 71 +++++++++++++++++++
.../haproxy/ingress-tls-default.yaml | 16 +++++
.../haproxy/ingress-tls-foobar.yaml | 17 +++++
3 files changed, 104 insertions(+)
create mode 100644 examples/tls-termination/haproxy/README.md
create mode 100644 examples/tls-termination/haproxy/ingress-tls-default.yaml
create mode 100644 examples/tls-termination/haproxy/ingress-tls-foobar.yaml
diff --git a/examples/tls-termination/haproxy/README.md b/examples/tls-termination/haproxy/README.md
new file mode 100644
index 000000000..26a76e9ce
--- /dev/null
+++ b/examples/tls-termination/haproxy/README.md
@@ -0,0 +1,71 @@
+# TLS termination
+
+Before continue, follow [deploying HAProxy Ingress](/examples/deployment/haproxy) in order to have a functional ingress controller.
+
+Update ingress resource in order to add tls termination to host `foo.bar`:
+
+ kubectl replace -f ingress-tls-default.yaml
+
+Trying default backend:
+
+ curl -iL 172.17.4.99:30876
+ HTTP/1.1 404 Not Found
+ Date: Tue, 07 Feb 2017 00:06:07 GMT
+ Content-Length: 21
+ Content-Type: text/plain; charset=utf-8
+
+ default backend - 404
+
+Now telling the controller we are `foo.bar`:
+
+ curl -iL 172.17.4.99:30876 -H 'Host: foo.bar'
+ HTTP/1.1 302 Found
+ Cache-Control: no-cache
+ Content-length: 0
+ Location: https://foo.bar/
+ Connection: close
+ ^C
+
+Note the `Location` header - this would redirect us to the correct server.
+
+Checking the default certificate - change below `31692` to the TLS port:
+
+ openssl s_client -connect 172.17.4.99:31692
+ ...
+ subject=/CN=localhost
+ issuer=/CN=localhost
+ ---
+
+... and `foo.bar` certificate:
+
+ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
+ ...
+ subject=/CN=localhost
+ issuer=/CN=localhost
+ ---
+
+Let's create a new certificate to our domain:
+
+ openssl req \
+ -x509 -newkey rsa:2048 -nodes -days 365 \
+ -keyout tls.key -out tls.crt -subj '/CN=foo.bar'
+ kubectl create secret tls foobar-ssl --cert=tls.crt --key=tls.key
+ rm -v tls.crt tls.key
+
+... and reference in the ingress resource:
+
+ kubectl replace -f ingress-tls-foobar.yaml
+
+Now `foo.bar` certificate should be used to terminate tls:
+
+ openssl s_client -connect 172.17.4.99:31692
+ ...
+ subject=/CN=localhost
+ issuer=/CN=localhost
+ ---
+
+ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
+ ...
+ subject=/CN=foo.bar
+ issuer=/CN=foo.bar
+ ---
diff --git a/examples/tls-termination/haproxy/ingress-tls-default.yaml b/examples/tls-termination/haproxy/ingress-tls-default.yaml
new file mode 100644
index 000000000..8afdaff52
--- /dev/null
+++ b/examples/tls-termination/haproxy/ingress-tls-default.yaml
@@ -0,0 +1,16 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: app
+spec:
+ tls:
+ - hosts:
+ - foo.bar
+ rules:
+ - host: foo.bar
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: nginx
+ servicePort: 80
diff --git a/examples/tls-termination/haproxy/ingress-tls-foobar.yaml b/examples/tls-termination/haproxy/ingress-tls-foobar.yaml
new file mode 100644
index 000000000..e004822f5
--- /dev/null
+++ b/examples/tls-termination/haproxy/ingress-tls-foobar.yaml
@@ -0,0 +1,17 @@
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: app
+spec:
+ tls:
+ - hosts:
+ - foo.bar
+ secretName: foobar-ssl
+ rules:
+ - host: foo.bar
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: nginx
+ servicePort: 80
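Review bot: In ingress-tls-default.yaml the `tls` entry lists `foo.bar` under `hosts` but carries no `secretName`, so the controller has no certificate of its own for this host and terminates TLS with its default certificate — the `subject=/CN=localhost` / `issuer=/CN=localhost` output the README shows for both the SNI and non-SNI probes. That is the intended first step of the walkthrough, but nothing in the manifest says so, and a reader copying it as a starting point gets a self-signed certificate whose name does not match the host. A comment on the entry would make the fallback explicit: `  - hosts:` / `    - foo.bar` / `    # no secretName: TLS for foo.bar is terminated with the controller's default certificate (CN=localhost in this example), not a host-specific one`.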
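Review bot: In ingress-tls-foobar.yaml `secretName: foobar-ssl` is resolved in the Ingress's own namespace, and neither this manifest (no `metadata.namespace`) nor the README's `kubectl create secret tls foobar-ssl` command names one, so both silently depend on the current kubectl context pointing at the same namespace. If they diverge the reference dangles and the controller presumably keeps serving the default certificate, which is easy to miss because the handshake still succeeds; the README's `-servername foo.bar` check is the only thing that would reveal it. A comment next to the reference would make the dependency explicit: `    secretName: foobar-ssl  # kubernetes.io/tls secret; must exist in this Ingress's namespace`.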