ingress-nginx-helm/examples/tls-termination/haproxy
2017-02-06 22:28:45 -02:00

TLS termination

Before continuing, follow deploying HAProxy Ingress in order to have a functional ingress controller.

Update the ingress resource to add TLS termination to host foo.bar:

kubectl replace -f ingress-tls-default.yaml

Trying the default backend:

curl -iL 172.17.4.99:30876            
HTTP/1.1 404 Not Found
Date: Tue, 07 Feb 2017 00:06:07 GMT
Content-Length: 21
Content-Type: text/plain; charset=utf-8

default backend - 404

Now tell the controller we are requesting foo.bar:

curl -iL 172.17.4.99:30876 -H 'Host: foo.bar'
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: https://foo.bar/
Connection: close
^C

Note the Location header - this would redirect us to the correct server.

Checking the default certificate - change 31692 below to the TLS port of your controller:

openssl s_client -connect 172.17.4.99:31692
...
subject=/CN=localhost
issuer=/CN=localhost
---

... and the certificate served for foo.bar, which is still the default one:

openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
...
subject=/CN=localhost
issuer=/CN=localhost
---

Let's create a new certificate for our domain:

openssl req \
  -x509 -newkey rsa:2048 -nodes -days 365 \
  -keyout tls.key -out tls.crt -subj '/CN=foo.bar'
kubectl create secret tls foobar-ssl --cert=tls.crt --key=tls.key
rm -v tls.crt tls.key

... and reference it in the ingress resource:

kubectl replace -f ingress-tls-foobar.yaml 

Now the foo.bar certificate should be used to terminate TLS:

openssl s_client -connect 172.17.4.99:31692
...
subject=/CN=localhost
issuer=/CN=localhost
---

openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
...
subject=/CN=foo.bar
issuer=/CN=foo.bar
---
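
The before/after comparison above is done by eye. As an added example (not part of the original README), the helper below turns it into a scriptable check of which certificate the controller serves for a given SNI name. The function names subject_cn and check_sni and the sample outputs are constructed for illustration. It accepts both the subject=/CN=... layout shown on this page and the subject=CN = ... layout printed by OpenSSL 1.1.0 and later.

```shell
#!/bin/sh
# Added example: verify the subject CN reported by `openssl s_client`.
# Live use, with the address and TLS port from this page:
#   openssl s_client -connect 172.17.4.99:31692 -servername foo.bar \
#     </dev/null 2>/dev/null | check_sni foo.bar

# subject_cn: read s_client output on stdin, print the leaf certificate's CN.
# Splits the subject line on ',' and '/' so both output layouts are handled.
subject_cn() {
  sed -n 's/^subject=//p' | head -n 1 |
    tr ',/' '\n\n' |
    sed -n 's/^[[:space:]]*CN[[:space:]]*=[[:space:]]*//p' | head -n 1
}

# check_sni EXPECTED_CN: succeed only if the certificate on stdin has that CN.
check_sni() {
  got=$(subject_cn)
  if [ "$got" = "$1" ]; then
    echo "ok: served CN=$got"
  else
    echo "MISMATCH: expected CN=$1, served CN=${got:-<none>}" >&2
    return 1
  fi
}

# Constructed sample output (trimmed), older layout as shown on this page.
OLD_STYLE='CONNECTED(00000003)
---
Certificate chain
 0 s:/CN=foo.bar
   i:/CN=foo.bar
---
subject=/CN=foo.bar
issuer=/CN=foo.bar
---'

# Constructed sample output, newer layout with extra subject fields.
NEW_STYLE='subject=C = BR, O = Example, CN = localhost
issuer=C = BR, O = Example, CN = localhost'

# Demo: the first check passes, the second reports the default certificate.
printf '%s\n' "$OLD_STYLE" | check_sni foo.bar
printf '%s\n' "$NEW_STYLE" | check_sni foo.bar ||
  echo "default certificate is still being served for this name"
```

A non-zero exit from check_sni after the secret has been referenced means the controller is still falling back to the default certificate for that host.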