Does gRPC nginx ingress always require TLS to work?

The example given in nginx-ingress for gRPC does not work without TLS in a .NET client:
https://kubernetes.github.io/ingress-nginx/examples/grpc/
Please help me configure it without TLS.
I created a .NET console app as a gRPC client and am trying to connect to ingress-NGINX for gRPC traffic.

Using HTTP2 with GKE and Google Managed Certificates

I am using an Ingress with Google-managed SSL certs, mostly similar to what is described here:
https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs#setting_up_a_google-managed_certificate
However, my backend service is a gRPC service that is using HTTP2. According to the same documentation, if I am using HTTP2 my backend needs to be "configured with SSL".
This sounds like I need a separate set of certificates for my backend service to configure it with SSL.
Is there a way to use the same Google-managed certs here as well?
What are my other options here? I am using Google-managed certs for the Ingress so as not to manage any certs on my own; if I then use self-signed certificates for my service, that kind of defeats the purpose.
I don't think it's required to create SSL for the backend services if you are terminating HTTPS at the LB level. You can attach your certs at the LB level and the backend will be HTTPS > HTTP.
You might need to create a new SSL/TLS cert in case there is a different version (ssl-protocols: TLSv1.2 TLSv1.3) or cipher set in your ingress controller ConfigMap, whichever ingress controller you are using (Nginx ingress controller, Kong, etc.).
If you are looking for end-to-end HTTPS traffic, you definitely need to create a cert for the backend service.
You can also create/manage the managed certificate or a custom cert with cert-manager in a K8s secret and mount it to the deployment, which will be used further by the service; in that case, there is no need to manage or create the certs yourself. The Ingress will pass the HTTPS request through to the service directly.
In this case, it will be an end-to-end HTTPS setup.
Update:
"Note: To ensure the load balancer can make a correct HTTP2 request to your backend, your backend must be configured with SSL. For more information on what types of certificates are accepted, see Encryption from the load balancer to the backends." End-to-end TLS seems to be a requirement for HTTP2.
This is my site https://findmeip.com; it's running on HTTP2 and terminating SSL/TLS at the Nginx level only.
Definitely, it's good to go with the suggested practice, so you can use the ESP option from Google, setting up the GKE ingress + ESP + gRPC stack.
https://cloud.google.com/endpoints/docs/openapi/specify-proxy-startup-options?hl=tr
If you don't want to use ESP, check the above suggestion:
"You can mount the managed certificate to the deployment, which will be used further by the service; in that case, no need to manage or create the certs." In other words, cert-manager will create/manage/renew SSL/TLS on your behalf in a K8s secret which will be used by the service.
Google Managed Certificates can only be used for the frontend portion of the load balancer (aka client to LB). If you need encryption from the LB to the backends you will have to use self-signed certificates or some other way to store said certificates on GKE as secrets and configure the Ingress to connect to the backend using these secrets.
Like this: https://cloud.google.com/kubernetes-engine/docs/concepts/ingress-xlb#setting_up_https_tls_between_client_and_load_balancer

Istio Ingress with cert-manager

I have Kubernetes with Kafka, where Istio with Strimzi is also running. Certificates are stored in cert-manager. I want to use TLS passthrough in my ingress but I am a little bit confused about that.
When SIMPLE is used, there is credentialName, which must be the same as the secret.
tls:
  mode: SIMPLE
  credentialName: httpbin-credential
It is a nice and simple way. But how about mode: PASSTHROUGH when I have many hosts? I studied the demo on the Istio web site (https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/#deploy-an-nginx-server) and their certificate details are stored in the server configuration file and they are creating a ConfigMap. In the official Istio documentation it is noted that this parameter is only for MUTUAL and SIMPLE.
What is the correct and simple way to expose my hosts to external traffic using Istio ingress and cert-manager?
The difference between SIMPLE & PASSTHROUGH is:
SIMPLE TLS instructs the gateway to pass the ingress traffic by terminating TLS.
PASSTHROUGH TLS instructs the gateway to pass the ingress traffic AS IS, without terminating TLS.

Configure TLS for keycloak on openshift

I want to configure SSL on a Keycloak deployment on OpenShift. I am using the jboss/keycloak image for the Keycloak deployment, which uses the latest Keycloak version, 4.6.Final. But I read somewhere that Keycloak doesn't accept the default TLS certificates available on OpenShift.
My purpose is to run the Keycloak application over HTTPS on OpenShift. It works fine on HTTP, but when I create the route with TLS enabled, it fails to run. I think I am missing some parameter somewhere in the deployment config.
You must configure a route with reencrypt termination in OpenShift.
In my case that solved the problem.
You have SSL from your frontend to the OpenShift router and SSL from your router to your backend pod. That requires reencrypt termination.
In your route you have to define 4 certificates:
tls certificate
tls key
ca certificate (your intermediate certificate)
destination certificate (the certificate you use on the Keycloak pod)
For the destination certificate I have used the certificate in my Alpine pod in /etc/ssl/certs (ca-certificates.crt).
More about reencrypt termination: https://docs.openshift.com/container-platform/4.7/networking/routes/secured-routes.html
In order to configure a route with reencrypt termination:
oc create route reencrypt <NAME> --service=keycloak --port=keycloak --cert=<CERTIFICATEFILE>.crt --key=<KEYFILE>.key --hostname=sso.apps.company.lan

How does TLS handshake work in a load balanced system?

We are using the Rancher Docker orchestration tool; it is using HAProxy for load balancing.
I am wondering how a handshake is processed if a new HTTPS connection to a service is established.
Is the handshake done between the client and the load balancer (Rancher/HAProxy), or will the load balancer just forward the HTTPS requests to the backend service?
It depends on how you configure it.
SSL termination: the handshake is done by the load balancer.
SSL pass-through: the handshake is done by the backend.
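The termination vs. pass-through distinction in this answer, and the SIMPLE vs. PASSTHROUGH modes in the Istio question above, both come down to what the load balancer can see in the first bytes of the connection. The following is an added example, not code from any of the posts: it uses Python's standard ssl module with a memory BIO pair to produce a real TLS ClientHello offline, then parses the two cleartext extensions a pass-through proxy routes on, the SNI host name (RFC 6066) and the ALPN list (RFC 7301, where "h2" is the HTTP/2-over-TLS identifier the HTTP/2 question above hinges on). The route map and host names are constructed for the example. The point it makes: a pass-through gateway (Istio mode PASSTHROUGH, or HAProxy in mode tcp matching on req.ssl_sni) needs no certificate or key to pick a backend, because it never completes the handshake; a terminating gateway (Istio mode SIMPLE with a credentialName, or HAProxy with a bind ... ssl crt) is the TLS server and must hold the key for the name it serves.

```python
import ssl


def build_client_hello(server_name: str, alpn=("h2", "http/1.1")) -> bytes:
    """Return the raw TLS record a client would send first, without a network.

    The ssl module acts as the client; instead of a socket we give it an
    in-memory BIO pair, so the ClientHello it writes lands in `outgoing`.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE          # the handshake is never completed here
    ctx.set_alpn_protocols(list(alpn))       # offer "h2" first, as an HTTP/2 client does
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()                   # writes ClientHello, then waits for ServerHello
    except ssl.SSLWantReadError:
        pass                                 # expected: nothing will ever arrive on `incoming`
    return outgoing.read()


class _Reader:
    """Bounds-checked cursor over TLS's length-prefixed vectors."""

    def __init__(self, buf: bytes):
        self.buf, self.pos = buf, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.buf):
            raise ValueError("truncated ClientHello")
        chunk = self.buf[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def uint(self, n: int) -> int:
        return int.from_bytes(self.take(n), "big")

    def vec(self, len_bytes: int) -> bytes:   # <len><len bytes of payload>
        return self.take(self.uint(len_bytes))

    def done(self) -> bool:
        return self.pos >= len(self.buf)


def parse_client_hello(record: bytes):
    """Extract (sni, alpn_list) from a ClientHello record; both are cleartext."""
    r = _Reader(record)
    if r.uint(1) != 0x16:                    # ContentType: handshake
        raise ValueError("not a TLS handshake record")
    r.take(2)                                # legacy record version
    hs = _Reader(r.vec(2))
    if hs.uint(1) != 0x01:                   # HandshakeType: client_hello
        raise ValueError("not a ClientHello")
    body = _Reader(hs.vec(3))
    body.take(2)                             # legacy_version
    body.take(32)                            # random
    body.vec(1)                              # legacy_session_id
    body.vec(2)                              # cipher_suites
    body.vec(1)                              # legacy_compression_methods
    sni, alpn = None, []
    exts = _Reader(body.vec(2))
    while not exts.done():
        ext_type = exts.uint(2)
        ext = _Reader(exts.vec(2))
        if ext_type == 0:                    # server_name
            names = _Reader(ext.vec(2))
            while not names.done():
                name_type = names.uint(1)
                host = names.vec(2)
                if name_type == 0:           # host_name
                    sni = host.decode("ascii")
        elif ext_type == 16:                 # application_layer_protocol_negotiation
            protos = _Reader(ext.vec(2))
            while not protos.done():
                alpn.append(protos.vec(1).decode("ascii"))
    return sni, alpn


# Constructed sample map (hypothetical names): SNI -> backend a pass-through LB forwards to.
ROUTES = {
    "kafka.example.com": "kafka-bootstrap:9093",
    "keycloak.example.com": "keycloak:8443",
}


def route_passthrough(record: bytes, routes=ROUTES) -> str:
    """Pass-through decision: look only at SNI, hold no key, forward bytes unchanged."""
    sni, _ = parse_client_hello(record)
    if sni is None:
        raise ValueError("no SNI: a pass-through LB has nothing to route on")
    if sni not in routes:
        raise ValueError(f"no backend for SNI {sni!r}")
    return routes[sni]


if __name__ == "__main__":
    hello = build_client_hello("kafka.example.com")
    sni, alpn = parse_client_hello(hello)
    print(f"{len(hello)} bytes of ClientHello; SNI={sni} ALPN={alpn}")
    print("pass-through would forward to", route_passthrough(hello))
```

Everything the pass-through path used was read before any key material came into play, which is why Istio's PASSTHROUGH mode has no credentialName: the Gateway matches sniHosts and the pod behind it (Kafka via Strimzi, in the question) must terminate TLS with its own cert-manager issued certificate. Conversely, a terminating LB (SIMPLE, or HAProxy with a crt on the bind line) answers this ClientHello itself, so the certificate and key for that SNI must live on the LB, and anything to the backend is a second, separate connection (plaintext, or re-encrypted as in the OpenShift reencrypt route above).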

TLS 1.2 implementation in Play Framework 2.3.x with Nginx

https://www.playframework.com/documentation/2.3.1/ConfiguringHttps describes, in detail, how to implement SSL in Play Framework 2.3.x.
However, I am wondering how to implement TLS 1.2 in Play Framework; do I also need something like Nginx?
I am fairly new to this subject. https://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html shows us that SSL is older than TLS. I have heard that SSL is not secure any more; that's why I ask this question.
Nginx supports TLS 1.2 without problems (check the parameter "ssl_protocols"). Forget about SSL v2 and SSL v3, they are not secure, but most browsers support TLS v1.2, TLS v1.1 and TLS v1.0.
You can use Nginx as a proxy and configure HTTPS on Nginx. Nginx has many useful options; it can serve static files fast and proxy all other requests to the "play" application (to a TCP port or to a socket).
In your link there is information that you can run Play with HTTPS, so there is no need to use Nginx, but I agree with this part:
(..) using a reverse proxy in front of Play will give better control and security of HTTPS.