Ingress Gateway without TLS Termination
The Securing Gateways with HTTPS task describes how to configure HTTPS ingress access to an HTTP service, where the gateway terminates TLS. This example describes how to configure HTTPS ingress access to an HTTPS service, i.e., how to configure an ingress gateway to perform SNI passthrough instead of terminating TLS on incoming requests. In passthrough mode the gateway reads only the server name from the unencrypted TLS ClientHello, routes on it, and forwards the encrypted bytes unchanged; the backend presents its own certificate and is the only party holding the private key.
The example HTTPS service used for this task is a simple NGINX server. In the following steps you first deploy the NGINX service in your Kubernetes cluster. Then you configure a gateway to provide ingress access to the service via the host nginx.example.com.
Generate client and server certificates and keys
For this task you can use your favorite tool to generate certificates and keys. The commands below use openssl.
Create a root certificate and private key to sign the certificate for your services:
Create a certificate and a private key for nginx.example.com:
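The two certificate steps above, as an added example that is not the page's own command set: a root CA and a server certificate for nginx.example.com signed by it, plus the checks the later steps rely on (the leaf chains to the root and carries the expected name). The output directory, subject names and the added subjectAltName are assumptions; modern clients match the hostname against the SAN, so a CN-only certificate can fail verification even when the chain is fine.

```shell
#!/bin/sh
# Added example (not the original task's commands): root CA + server cert
# for nginx.example.com with openssl. Paths and subjects are assumptions.
set -eu

HOST="nginx.example.com"
CERT_DIR="${CERT_DIR:-./example_certs}"   # assumed output directory

# Root CA, then a server key/CSR signed by the root. The SAN file is needed
# because 'openssl x509 -req' does not copy extensions from the CSR.
gen_certs() {
    dir="$1"; host="$2"
    mkdir -p "$dir"
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
        -subj "/O=example Inc./CN=example.com" \
        -keyout "$dir/example.com.key" -out "$dir/example.com.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=$host/O=some organization" \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
    openssl x509 -req -sha256 -days 365 -set_serial 1 \
        -CA "$dir/example.com.crt" -CAkey "$dir/example.com.key" \
        -in "$dir/$host.csr" -out "$dir/$host.crt" \
        -extfile "$dir/$host.ext" 2>/dev/null
}

# Common name of a certificate (works with both '/CN=' and 'CN = ' layouts).
cert_cn() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
}

# True when the certificate lists the DNS name in subjectAltName.
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# True when the leaf verifies against the given root (what the external
# check with --cacert does later).
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

gen_certs "$CERT_DIR" "$HOST"
echo "CN: $(cert_cn "$CERT_DIR/$HOST.crt")"
```

The server key never leaves the directory except into the NGINX Secret; the gateway is never given it, which is the whole point of passthrough.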
Deploy an NGINX server
Create a Kubernetes Secret to hold the server's certificate and private key.
Create a configuration file for the NGINX server:
Create a Kubernetes ConfigMap to hold the configuration of the NGINX server:
Deploy the NGINX server:
To test that the NGINX server was deployed successfully, send a request to the server from its sidecar proxy without checking the server's certificate (use the -k option of curl). The -k flag is acceptable only for this smoke test, since the sidecar does not trust the root you generated; the external check later verifies the chain. Ensure that the server's certificate is printed correctly, i.e., its common name is equal to nginx.example.com.
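The NGINX deployment steps above, as an added example that is not the page's own manifests: the TLS Secret, an NGINX configuration that terminates TLS with the key from that Secret, the Service and Deployment, and the smoke test run from the sidecar. The resource names (my-nginx, nginx-server-certs, nginx-configmap), the certificate directory and the label run=my-nginx are assumptions.

```shell
#!/bin/sh
# Added example (not the original task's manifests). Assumed names:
# Service/Deployment my-nginx, Secret nginx-server-certs, ConfigMap
# nginx-configmap, certificates in ./example_certs.
set -eu

HOST="nginx.example.com"
CERT_DIR="${CERT_DIR:-./example_certs}"

# NGINX terminates TLS itself with the key mounted from the Secret; in
# passthrough mode the gateway never sees the plaintext.
render_nginx_conf() {
cat <<EOF
events {
}
http {
  server {
    listen 443 ssl;
    root /usr/share/nginx/html;
    index index.html;
    server_name $HOST;
    ssl_certificate /etc/nginx-server-certs/tls.crt;
    ssl_certificate_key /etc/nginx-server-certs/tls.key;
  }
}
EOF
}

# The port is named https so the sidecar treats it as TLS, not plain HTTP.
render_nginx_manifests() {
cat <<EOF
apiVersion: v1
kind: Service
metadata:
  name: my-nginx
spec:
  ports:
  - name: https
    port: 443
  selector:
    run: my-nginx
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-nginx
spec:
  selector:
    matchLabels:
      run: my-nginx
  template:
    metadata:
      labels:
        run: my-nginx
    spec:
      containers:
      - name: my-nginx
        image: nginx
        ports:
        - containerPort: 443
        volumeMounts:
        - name: nginx-config
          mountPath: /etc/nginx
          readOnly: true
        - name: nginx-server-certs
          mountPath: /etc/nginx-server-certs
          readOnly: true
      volumes:
      - name: nginx-config
        configMap:
          name: nginx-configmap
      - name: nginx-server-certs
        secret:
          secretName: nginx-server-certs
EOF
}

deploy_nginx() {
    kubectl create secret tls nginx-server-certs \
        --key "$CERT_DIR/$HOST.key" --cert "$CERT_DIR/$HOST.crt"
    tmp=$(mktemp -d)
    render_nginx_conf > "$tmp/nginx.conf"
    kubectl create configmap nginx-configmap --from-file="$tmp/nginx.conf"
    rm -rf "$tmp"
    render_nginx_manifests | kubectl apply -f -
}

# Smoke test from the sidecar: -k skips verification because the sidecar
# does not trust the example root; only the printed subject is inspected.
check_from_sidecar() {
    pod=$(kubectl get pod -l run=my-nginx -o jsonpath='{.items[0].metadata.name}')
    kubectl exec "$pod" -c istio-proxy -- \
        curl -sS -v -k --resolve "$HOST:443:127.0.0.1" "https://$HOST" 2>&1 \
        | grep -E 'subject:|issuer:'
}

case "${1:-render}" in
    render) render_nginx_conf; printf -- '---\n'; render_nginx_manifests ;;
    deploy) deploy_nginx ;;
    check)  check_from_sidecar ;;
esac
```

Run it with no argument to review the rendered config, with deploy to create the resources, and with check to print the subject and issuer the sidecar sees; the subject line should name nginx.example.com.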
Configure an ingress gateway
Define a Gateway with a server section for port 443. Note the PASSTHROUGH TLS mode, which instructs the gateway to pass the ingress traffic through as is, without terminating TLS. In this mode the gateway holds no certificate or key for the host; the only thing it can inspect is the server name in the unencrypted TLS ClientHello, so a client that omits SNI or sends a different server name will not match this server entry.

Configure routes for traffic entering via the Gateway. Because the gateway does not decrypt the connection, the route is a TLS rule that matches on the SNI host rather than an HTTP rule: Host headers, paths and methods are invisible to the gateway and cannot be used for routing or authorization here.

Follow the instructions in Determining the ingress IP and ports to define the SECURE_INGRESS_PORT and INGRESS_HOST environment variables.

Access the NGINX service from outside the cluster. Note that the correct certificate is returned by the server and is successfully verified (SSL certificate verify ok is printed). The certificate the client sees is the one stored in the NGINX Secret, verified against the root certificate you generated, not a certificate configured on the gateway.
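The gateway and routing steps above, as an added example that is not the page's own manifests: a Gateway in PASSTHROUGH mode on port 443, a VirtualService that routes on the SNI host to the backend, and the external check that verifies the chain against the root certificate without -k. Assumptions: the default ingress gateway selected by istio=ingressgateway, a backend Service named my-nginx on port 443, a root certificate at ./example_certs/example.com.crt, and an Istio release that serves networking.istio.io/v1 (older releases accept the same fields under v1beta1).

```shell
#!/bin/sh
# Added example (not the original task's manifests). Assumes the default
# ingress gateway (istio=ingressgateway), backend Service my-nginx:443 and
# networking.istio.io/v1.
set -eu

HOST="nginx.example.com"
BACKEND="my-nginx"
GATEWAY="mygateway"

# PASSTHROUGH: no credentialName, because the gateway never holds a key for
# this host; it reads the server name from the ClientHello and forwards the
# encrypted stream unchanged.
render_gateway() {
cat <<EOF
apiVersion: networking.istio.io/v1
kind: Gateway
metadata:
  name: $GATEWAY
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
    hosts:
    - $HOST
EOF
}

# A tls rule keyed on sniHosts, not an http rule: with passthrough the
# gateway cannot see the Host header, path or method.
render_virtualservice() {
cat <<EOF
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: nginx
spec:
  hosts:
  - $HOST
  gateways:
  - $GATEWAY
  tls:
  - match:
    - port: 443
      sniHosts:
      - $HOST
    route:
    - destination:
        host: $BACKEND
        port:
          number: 443
EOF
}

render_manifests() {
    render_gateway
    printf -- '---\n'
    render_virtualservice
}

# External check: pin the host to the ingress address, trust only the example
# root, and require chain verification (no -k). The subject curl prints is the
# NGINX server's, because the gateway did not terminate TLS. Needs
# INGRESS_HOST and SECURE_INGRESS_PORT from the ingress-IP step.
check_external() {
    ca="$1"
    curl -sS -v --resolve "$HOST:$SECURE_INGRESS_PORT:$INGRESS_HOST" \
        --cacert "$ca" "https://$HOST:$SECURE_INGRESS_PORT" 2>&1 \
        | grep -E 'subject:|SSL certificate verify'
}

case "${1:-render}" in
    render) render_manifests ;;
    apply)  render_manifests | kubectl apply -f - ;;
    check)  check_external "${2:-./example_certs/example.com.crt}" ;;
esac
```

Run with apply to create the resources and with check to perform the external request; the output should contain the subject nginx.example.com and the line SSL certificate verify ok. If you drop --resolve and instead pass the raw ingress IP in the URL, curl sends no SNI for that name and the gateway has nothing to match, which is a quick way to confirm that routing really is driven by SNI.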
Cleanup
Remove created Kubernetes resources:
Delete the certificates and keys:
Delete the generated configuration files used in this example: