How to enable SSL passthrough on the nginx-ingress controller in Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x provisioned Kubernetes clusters

Follow
Table of Contents

Task

This article details how to enable SSL passthrough on the nginx-ingress controller in Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x provisioned Kubernetes clusters.

Pre-requisites

Resolution

Configuration for RKE provisioned clusters

  1. Edit the cluster configuration YAML file to include the enable-ssl-passthrough: true option for the ingress, as follows:

    ingress:
      provider: nginx
      extra_args:
        enable-ssl-passthrough: true
  2. Apply the changes to the cluster, by invoking rke up:

    rke up --config <cluster configuration yaml file>
  3. Recycle the nginx pods in-order to pick up new argument:

    for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name); do kubectl delete $pod -n ingress-nginx; echo "Sleeping for 5 seconds"; sleep 5; done
  4. Verify the new argument:

    for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name | awk -F '/' '{print $2}'); do echo -n "Checking $pod .... "; kubectl -n ingress-nginx exec "$pod" -- bash -c "ps aux | grep -v grep | grep enable-ssl-passthrough=true" > /dev/null 2>&1 && echo "Good" || echo "Bad"; done
  5. Edit the ingress to include the new annotations:

    kubectl -n default edit ingress hello-world-lb

    Example:

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        nginx.ingress.kubernetes.io/ssl-passthrough: "true"
      name: hello-world-lb
      namespace: default

Configuration for Rancher provisioned clusters

  1. Login into the Rancher UI.
  2. Go to Global -> Clusters -> <>.
  3. From the Cluster Dashboard edit the cluster by Clicking on "⋮" then select Edit.
  4. Click "Edit as YAML".
  5. Enclude the enable-ssl-passthrough: true option for the ingress, as follows:

    ingress:
      provider: nginx
      extra_args:
        enable-ssl-passthrough: true
  6. Click "Save" at the bottom of the page.

  7. Wait for cluster to finish upgrading.
  8. Go back to the Cluster Dashboard and click "Launch kubectl".
  9. Run the following inside the kubectl CLI to recycle the nginx pods in-order to pick up new argument:

    for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name); do kubectl delete $pod -n ingress-nginx; echo "Sleeping for 5 seconds"; sleep 5; done
    9. Run the following inside the kubectl CLI to verify the new argument:

    for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name | awk -F '/' '{print $2}'); do echo -n "Checking $pod .... "; kubectl -n ingress-nginx exec "$pod" -- bash -c "ps aux | grep -v grep | grep enable-ssl-passthrough=true" > /dev/null 2>&1 && echo "Good" || echo "Bad"; done
  10. Browse to the ingress in question and click edit.

  11. Expand "Labels & Annotations".
  12. Click "Add annotation" and add nginx.ingress.kubernetes.io/ssl-passthrough=true under "Annotations".
  13. Click "Save".

Verification Steps

Run the following command to verify new certificate:

```bash
curl --insecure -v https://<<APP URL>> 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
```

Example output:

* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: OU=Domain Control Validated; CN=*.rancher.tools
*  start date: Jul  2 00:42:01 2019 GMT
*  expire date: May  2 00:19:41 2020 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
*  SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
* Connection #0 to host lab.rancher.tools left intact

N.B. Some browsers will cache the certificate, as a result you might need to close and re-open the browser in order to get the new certificate. How to clear the SSL state in a browser.

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.