
How do you enable SSL Passthrough in the ingress deployment #6403

Open
pglockwo opened this issue Jan 27, 2020 · 8 comments
Labels
addon/ingress help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/documentation Categorizes issue or PR as related to documentation. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. priority/backlog Higher priority than priority/awaiting-more-evidence.

Comments


pglockwo commented Jan 27, 2020

Hi, I am trying to enable ingress on minikube and then allow --enable-ssl-passthrough

I have tried editing the deployment with kubectl

I have tried patching the deployment

but everything I try results in no changes to the underlying resource.

My question is, is SSL passthrough even possible on the version of ingress that comes as an addon to minikube, and if so, how do you do it?

I would really appreciate the help.

Thanks,

Paul

@priyawadhwa priyawadhwa added the kind/support Categorizes issue or PR as a support question. label Jan 27, 2020

avif commented Feb 7, 2020

Can't answer your question, but I can offer a workaround:
Disable ingress addon
minikube addons disable ingress

If you are using Helm 3, add stable repo
helm repo add stable https://kubernetes-charts.storage.googleapis.com/

Install nginx ingress controller with "ssl-passthrough" enabled

helm upgrade ingress stable/nginx-ingress \
  --install \
  --namespace kube-system \
  --set rbac.create=true \
  --set "controller.extraArgs.enable-ssl-passthrough=" \
  --set controller.hostNetwork=true \
  --set "controller.extraArgs.report-node-internal-ip-address="

You could do this without Helm too, but you get the point.

Ref


avif commented Feb 7, 2020

I also get the feeling like you are trying to run Strimzi kafka on minikube with ingress external like I did, so here's a working example just in case:
Install ingress controller like previously described.

Install strimzi operator.

Apply a kafka cluster configuration with ingress external, TLS and some user:

$ cat kafka.yaml
apiVersion: kafka.strimzi.io/v1beta1
kind: Kafka
metadata:
  name: my-cluster
spec:
  kafka:
    version: 2.3.0
    replicas: 3
    listeners:
      tls: {}
      external:
        type: ingress
        authentication:
          type: tls
        configuration:
          bootstrap:
            host: bootstrap.kafka.local
          brokers:
            - broker: 0
              host: broker-0.kafka.local
            - broker: 1
              host: broker-1.kafka.local
            - broker: 2
              host: broker-2.kafka.local
    config:
      offsets.topic.replication.factor: 1
      transaction.state.log.replication.factor: 1
      transaction.state.log.min.isr: 1
      log.message.format.version: "2.3"
    storage:
      type: ephemeral
  zookeeper:
    replicas: 3
    storage:
      type: ephemeral
  entityOperator:
    topicOperator: {}
    userOperator: {}
---
apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaTopic
metadata:
  name: my-topic
  labels:
    strimzi.io/cluster: my-cluster
spec:
  partitions: 1
  replicas: 1
  config:
    retention.ms: 7200000
    segment.bytes: 1073741824
---
apiVersion: kafka.strimzi.io/v1beta1
kind: KafkaUser
metadata:
  name: my-user
  labels:
    strimzi.io/cluster: my-cluster
spec:
  authentication:
    type: tls
  authorization:
    type: simple
    acls:
      # Example consumer Acls for topic my-topic using consumer group my-group
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operation: Read
        host: "*"
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operation: Describe
        host: "*"
      - resource:
          type: group
          name: my-group
          patternType: literal
        operation: Read
        host: "*"
      # Example Producer Acls for topic my-topic
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operation: Write
        host: "*"
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operation: Create
        host: "*"
      - resource:
          type: topic
          name: my-topic
          patternType: literal
        operation: Describe
        host: "*"
$ kubectl create ns kafka
$ kubectl -n kafka apply -f kafka.yaml

Extract ca-cert & my-user cert:

$ kubectl -n kafka get secret my-cluster-cluster-ca-cert -o jsonpath='{.data.ca\.crt}' | base64 -d > ca.crt

$ kubectl -n kafka get secret my-user -o jsonpath='{.data.user\.crt}' | base64 -d > user.crt
$ kubectl -n kafka get secret my-user -o jsonpath='{.data.user\.key}' | base64 -d > user.key

Create truststore & keystore (use any or no password):

$ keytool -keystore client.truststore.jks -alias CARoot -import -file ca.crt
$ openssl pkcs12 -export -in user.crt -inkey user.key -name my-user -password pass:password -out user.p12

Use the following configs when connecting to the cluster (use port 443):

security.protocol=SSL
ssl.truststore.password=password #omit if none
ssl.truststore.location=./client.truststore.jks
ssl.keystore.password=password #omit if none
ssl.keystore.location=./user.p12
ssl.endpoint.identification.algorithm=

Note that I have the Kafka operator listening on all namespaces.
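The Kafka setup above only works if the TLS handshake for each broker hostname reaches the broker untouched, which is exactly what --enable-ssl-passthrough provides: ingress-nginx routes the connection by SNI and never holds the broker's key, so Strimzi's mutual-TLS authentication happens end to end between client and broker. Without the flag the controller terminates TLS itself and, having no TLS secret for that host, serves its self-signed fallback certificate (CN "Kubernetes Ingress Controller Fake Certificate"), and the Kafka client handshake fails. The following sh script is an added example, not part of the issue thread, Strimzi or ingress-nginx; it confirms passthrough from the client side by checking which certificate is served for the bootstrap host on $(minikube ip):443 and whether that certificate was issued by the cluster CA. It assumes the hostnames from kafka.yaml above, the ca.crt file extracted as shown above, and the fallback-certificate CN just mentioned.

```shell
#!/usr/bin/env sh
# Added example, not from the issue thread or from Strimzi/ingress-nginx.
# Confirms from the client side that the TLS handshake for the Kafka bootstrap
# host is passed through to the broker instead of being terminated by
# ingress-nginx. Assumptions: the hostnames from kafka.yaml above, the ingress
# reachable on $(minikube ip):443, and ca.crt extracted from
# my-cluster-cluster-ca-cert as shown in the comment above.

BOOTSTRAP_HOST="${BOOTSTRAP_HOST:-bootstrap.kafka.local}"
CA_FILE="${CA_FILE:-./ca.crt}"

# Subject and issuer of the leaf certificate served for one SNI name.
# Passthrough routing is by SNI only, so -servername is mandatory; without it
# nginx answers with its default certificate regardless of the flag.
leaf_cert_info() {  # $1 = SNI host, $2 = ip:port
  openssl s_client -connect "$2" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer
}

# Subject of the CA we expect to have signed the broker certificate.
ca_subject() {  # $1 = CA PEM file
  openssl x509 -in "$1" -noout -subject
}

# Return 0 when the "issuer=" line of $1 equals the "subject=" line of $2.
# Both strings come from the same openssl binary, so the distinguished names
# are printed in the same format and can be compared textually.
leaf_issued_by() {  # $1 = leaf subject/issuer text, $2 = CA subject text
  issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer=//p')
  subject=$(printf '%s\n' "$2" | sed -n 's/^subject=//p')
  if [ -n "$issuer" ] && [ "$issuer" = "$subject" ]; then
    return 0
  fi
  return 1
}

# Return 0 when the text shows ingress-nginx's self-signed fallback
# certificate, i.e. the controller terminated TLS itself and passthrough is
# NOT in effect for this host.
is_ingress_fake_cert() {  # $1 = leaf subject/issuer text
  printf '%s\n' "$1" | grep -q 'Kubernetes Ingress Controller Fake Certificate'
}

check_passthrough() {  # $1 = SNI host, $2 = ip:port, $3 = CA PEM file
  leaf=$(leaf_cert_info "$1" "$2")
  if is_ingress_fake_cert "$leaf"; then
    echo "FAIL: ingress-nginx terminated TLS for $1 (fallback cert served); --enable-ssl-passthrough is not active"
    return 1
  fi
  if leaf_issued_by "$leaf" "$(ca_subject "$3")"; then
    echo "OK: $1 served a certificate issued by $(ca_subject "$3")"
    return 0
  fi
  echo "FAIL: $1 served an unexpected certificate:"
  printf '%s\n' "$leaf"
  return 1
}

# Run the live check only when asked; the helpers above also work offline.
if [ "${1:-}" = "--check" ]; then
  check_passthrough "$BOOTSTRAP_HOST" "$(minikube ip):443" "$CA_FILE"
fi
```

Run it as `sh check_passthrough.sh --check` after the ingress controller and the Kafka cluster are up; repeat with BOOTSTRAP_HOST set to each broker-N.kafka.local, since every broker has its own SNI route. Because the script connects by IP and sets the SNI name explicitly, it needs no /etc/hosts entries, which makes it a useful first step before debugging the Kafka client itself.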

@tstromberg tstromberg added addon/ingress help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. kind/documentation Categorizes issue or PR as related to documentation. priority/backlog Higher priority than priority/awaiting-more-evidence. and removed kind/support Categorizes issue or PR as a support question. labels Mar 18, 2020
@tstromberg

If there are any ingress experts in the house, it'd be wonderful to see a tutorial written up for this similar to:

https://minikube.sigs.k8s.io/docs/tutorials/nginx_tcp_udp_ingress/

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 16, 2020
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Jul 16, 2020
@sharifelgamal sharifelgamal added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. labels Jul 29, 2020
@Huskehhh

If you find yourself in this situation, I was able to solve it with minikube via...

minikube kubectl -- patch deployment -n ingress-nginx ingress-nginx-controller -p='{
  "spec": {"template": {"spec": {"containers": [{
    "name": "controller",
    "args": [
      "/nginx-ingress-controller",
      "--ingress-class=nginx",
      "--configmap=$(POD_NAMESPACE)/ingress-nginx-controller",
      "--report-node-internal-ip-address",
      "--tcp-services-configmap=$(POD_NAMESPACE)/tcp-services",
      "--udp-services-configmap=$(POD_NAMESPACE)/udp-services",
      "--validating-webhook=:8443",
      "--validating-webhook-certificate=/usr/local/certificates/cert",
      "--validating-webhook-key=/usr/local/certificates/key",
      "--enable-ssl-passthrough"
    ]
  }]}}}
}'

Which just patches the deployment of the ingress-nginx-controller with an extra argument --enable-ssl-passthrough.

It seems it also auto-redeploys after a patch, so it should pop back up fairly quick after the patch!

@christianh814

I've done it using json type patching that's a little easier

kubectl patch deployment -n ingress-nginx ingress-nginx-controller --type='json' \
-p='[{"op": "add", "path": "/spec/template/spec/containers/0/args/-", "value":"--enable-ssl-passthrough"}]'
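The two patches above both work but fail differently: the strategic merge patch rewrites the whole args array from a hand-typed copy, so it silently drops any argument the addon's current version sets, while the JSON add op appends blindly and will add the flag a second time if run twice. The sh script below is an added example, not from the thread or from minikube/ingress-nginx: it reads the controller's current args first, applies the JSON add op only when the flag is missing, waits for the rollout and then confirms the flag on a running pod rather than only in the Deployment spec. It assumes namespace ingress-nginx, deployment ingress-nginx-controller and the controller as container 0, as in the commands above, and the pod label app.kubernetes.io/component=controller, which is an assumption about the addon's manifest.

```shell
#!/usr/bin/env sh
# Added example, not from the issue thread or from minikube/ingress-nginx.
# Enables --enable-ssl-passthrough on minikube's ingress-nginx addon without
# clobbering the existing argument list and without adding the flag twice.
# Assumptions: deployment "ingress-nginx-controller" in namespace
# "ingress-nginx" with the controller as container 0 (as in the kubectl
# commands above) and controller pods labelled
# app.kubernetes.io/component=controller (assumed, check your addon version).

NS="${INGRESS_NS:-ingress-nginx}"
DEPLOY="${INGRESS_DEPLOY:-ingress-nginx-controller}"
FLAG="--enable-ssl-passthrough"

# JSON patch that appends the flag to container 0's args ("-" = end of list).
passthrough_patch() {
  printf '[{"op":"add","path":"/spec/template/spec/containers/0/args/-","value":"%s"}]\n' "$FLAG"
}

# $1 = the JSON array kubectl prints for .spec.template.spec.containers[0].args,
# e.g. ["/nginx-ingress-controller","--ingress-class=nginx"].
# Succeeds when the flag (or its explicit "=true" form) is already present.
# Matches whole tokens so an unrelated "--enable-ssl-passthrough-..." would not count.
has_passthrough_flag() {
  printf '%s' "$1" | tr '[]",' '\n\n\n\n' | grep -qE -- '^'"$FLAG"'(=true)?$'
}

current_args() {
  kubectl -n "$NS" get deployment "$DEPLOY" \
    -o jsonpath='{.spec.template.spec.containers[0].args}'
}

enable_passthrough() {
  args="$(current_args)"
  if has_passthrough_flag "$args"; then
    echo "$FLAG already set on $NS/$DEPLOY; nothing to patch"
  else
    kubectl -n "$NS" patch deployment "$DEPLOY" --type=json -p="$(passthrough_patch)"
    # The patch changes the pod template, so a new ReplicaSet rolls out.
    kubectl -n "$NS" rollout status deployment "$DEPLOY" --timeout=120s
  fi
  # Confirm the flag reached a running pod, not just the Deployment object.
  kubectl -n "$NS" get pods -l app.kubernetes.io/component=controller \
    -o jsonpath='{.items[*].spec.containers[0].args}' | grep -q -- "$FLAG" \
    || { echo "no running controller pod carries $FLAG" >&2; return 1; }
  echo "$FLAG active on $NS/$DEPLOY"
}

# Talk to the cluster only when asked; the helpers above are usable offline.
if [ "${1:-}" = "--apply" ]; then
  minikube addons enable ingress
  enable_passthrough
fi
```

Run `sh enable_passthrough.sh --apply`; running it again is a no-op. Note that re-enabling the addon re-applies its stock manifest, which may reset the args, so re-run the script after `minikube addons enable ingress`.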


etimoshenko commented Feb 27, 2024

You can just enable it from values.yaml

controller:
  extraArgs:
    "enable-ssl-passthrough": ""
