ingress-nginx-helm/examples/tls-termination/haproxy
2017-02-08 07:26:31 -02:00

HAProxy Ingress TLS termination

Prerequisites

This document has the following prerequisites:

As mentioned in the deployment instructions, you MUST turn down any existing ingress controllers before running HAProxy Ingress.

Using default TLS certificate

Update the ingress resource to add TLS termination for the host foo.bar:

$ kubectl replace -f ingress-tls-default.yaml

The difference from the starting ingress resource:

 metadata:
   name: app
 spec:
+  tls:
+  - hosts:
+    - foo.bar
   rules:
   - host: foo.bar
     http:

Trying default backend:

$ curl -iL 172.17.4.99:30876
HTTP/1.1 404 Not Found
Date: Tue, 07 Feb 2017 00:06:07 GMT
Content-Length: 21
Content-Type: text/plain; charset=utf-8

default backend - 404

Now telling the controller that the request is for foo.bar:

$ curl -iL 172.17.4.99:30876 -H 'Host: foo.bar'
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: https://foo.bar/
Connection: close
^C

Note the Location header: once TLS is configured for the host, plain HTTP requests for it are redirected to HTTPS.

Checking the default certificate (replace 31692 below with your controller's TLS port):

$ openssl s_client -connect 172.17.4.99:31692
...
subject=/CN=localhost
issuer=/CN=localhost
---

... and foo.bar certificate:

$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
...
subject=/CN=localhost
issuer=/CN=localhost
---

Using a new TLS certificate

Now let's reference the new certificate from our domain. Note that the secret foobar-ssl should be created as described in the prerequisites.

$ kubectl replace -f ingress-tls-foobar.yaml

Here is the difference:

   tls:
   - hosts:
     - foo.bar
+    secretName: foobar-ssl
   rules:
   - host: foo.bar
     http:

Now the foo.bar certificate should be used to terminate TLS for that host, while the default certificate is still served when no SNI is sent:

$ openssl s_client -connect 172.17.4.99:31692
...
subject=/CN=localhost
issuer=/CN=localhost
---

$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
...
subject=/CN=foo.bar
issuer=/CN=foo.bar
---
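The two openssl checks above (default certificate without SNI, foo.bar certificate with SNI) can be scripted so the outcome is a pass/fail rather than a subject line to eyeball. The script below is an added example and is not part of the HAProxy Ingress docs: it parses the subject line of `openssl s_client` output in both the legacy format shown above (`subject=/CN=foo.bar`) and the OpenSSL 1.1+ format (`subject=CN = foo.bar`), and it also includes a helper that provisions the foobar-ssl secret from a self-signed certificate, which is an assumption about how the missing prerequisites create it. The node IP 172.17.4.99 and TLS port 31692 are taken from the text; NODE and TLS_PORT override them.

```shell
#!/bin/sh
# Added example for the HAProxy Ingress TLS termination walk-through; not part
# of the original docs. NODE and TLS_PORT default to the values used in the text.
NODE=${NODE:-172.17.4.99}
TLS_PORT=${TLS_PORT:-31692}

# Extract the subject CN from `openssl s_client` output. Handles the legacy
# format ("subject=/CN=foo.bar") and the OpenSSL 1.1+ format
# ("subject=C = US, CN = foo.bar"). Prints nothing if no subject line is found.
cn_from_s_client_output() {
  printf '%s\n' "$1" | awk '
    /^subject=/ {
      sub(/^subject=/, "")
      if (match($0, "CN *= *[^,/]*")) {
        cn = substr($0, RSTART, RLENGTH)
        sub(/^CN *= */, "", cn)
        sub(/[ \t]+$/, "", cn)
        print cn
      }
      exit
    }'
}

# Pure check shared by the live probe and the tests: returns 0 when the
# no-SNI output presents the default certificate ($3) and the SNI output
# presents the host certificate ($4).
tls_switch_ok() {
  # $1 = s_client output without SNI, $2 = output with SNI
  [ "$(cn_from_s_client_output "$1")" = "$3" ] &&
  [ "$(cn_from_s_client_output "$2")" = "$4" ]
}

# Assumption: provisions foobar-ssl from a self-signed certificate. The secret
# must be of type kubernetes.io/tls and live in the same namespace as the Ingress.
make_foobar_secret() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=foo.bar \
    -keyout foobar.key -out foobar.crt
  kubectl create secret tls foobar-ssl --cert=foobar.crt --key=foobar.key
}

# Live probe against the controller. Caveat: OpenSSL 1.1.1+ sends SNI
# automatically when the connect host is a DNS name, so probe the default
# certificate through the node IP (as here) or add -noservername.
probe_controller() {
  no_sni=$(openssl s_client -connect "$NODE:$TLS_PORT" </dev/null 2>/dev/null)
  with_sni=$(openssl s_client -connect "$NODE:$TLS_PORT" -servername foo.bar </dev/null 2>/dev/null)
  if tls_switch_ok "$no_sni" "$with_sni" localhost foo.bar; then
    echo "OK: default cert without SNI, foo.bar cert with SNI"
  else
    echo "MISMATCH: no-SNI CN=$(cn_from_s_client_output "$no_sni"), SNI CN=$(cn_from_s_client_output "$with_sni")"
    return 1
  fi
}

# Usage: sh check-tls.sh probe        -> verify which certificate is served
#        sh check-tls.sh make-secret  -> create the foobar-ssl secret first
case "${1:-}" in
  probe)       probe_controller ;;
  make-secret) make_foobar_secret ;;
  *)           echo "usage: $0 {probe|make-secret}" >&2 ;;
esac
```

Run `sh check-tls.sh probe` after each `kubectl replace`: before the secret is referenced both probes report localhost and the script prints MISMATCH; after `ingress-tls-foobar.yaml` is applied it prints OK.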