71 lines
1.8 KiB
Markdown
71 lines
1.8 KiB
Markdown
# TLS termination
|
|
|
|
Before continue, follow [deploying HAProxy Ingress](/examples/deployment/haproxy) in order to have a functional ingress controller.
|
|
|
|
Update ingress resource in order to add tls termination to host `foo.bar`:
|
|
|
|
kubectl replace -f ingress-tls-default.yaml
|
|
|
|
Trying default backend:
|
|
|
|
curl -iL 172.17.4.99:30876
|
|
HTTP/1.1 404 Not Found
|
|
Date: Tue, 07 Feb 2017 00:06:07 GMT
|
|
Content-Length: 21
|
|
Content-Type: text/plain; charset=utf-8
|
|
|
|
default backend - 404
|
|
|
|
Now telling the controller we are `foo.bar`:
|
|
|
|
curl -iL 172.17.4.99:30876 -H 'Host: foo.bar'
|
|
HTTP/1.1 302 Found
|
|
Cache-Control: no-cache
|
|
Content-length: 0
|
|
Location: https://foo.bar/
|
|
Connection: close
|
|
^C
|
|
|
|
Note the `Location` header - this would redirect us to the correct server.
|
|
|
|
Checking the default certificate - change below `31692` to the TLS port:
|
|
|
|
openssl s_client -connect 172.17.4.99:31692
|
|
...
|
|
subject=/CN=localhost
|
|
issuer=/CN=localhost
|
|
---
|
|
|
|
... and `foo.bar` certificate:
|
|
|
|
openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
|
|
...
|
|
subject=/CN=localhost
|
|
issuer=/CN=localhost
|
|
---
|
|
|
|
Let's create a new certificate to our domain:
|
|
|
|
openssl req \
|
|
-x509 -newkey rsa:2048 -nodes -days 365 \
|
|
-keyout tls.key -out tls.crt -subj '/CN=foo.bar'
|
|
kubectl create secret tls foobar-ssl --cert=tls.crt --key=tls.key
|
|
rm -v tls.crt tls.key
|
|
|
|
... and reference in the ingress resource:
|
|
|
|
kubectl replace -f ingress-tls-foobar.yaml
|
|
|
|
Now `foo.bar` certificate should be used to terminate tls:
|
|
|
|
openssl s_client -connect 172.17.4.99:31692
|
|
...
|
|
subject=/CN=localhost
|
|
issuer=/CN=localhost
|
|
---
|
|
|
|
openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
|
|
...
|
|
subject=/CN=foo.bar
|
|
issuer=/CN=foo.bar
|
|
---
|