Comments (4)
Hi @shairozan, using an ingress is not a common configuration, a better option is to use a LoadBalancer service or a NodePort. But in case you want to use an ingress you will need to take into account that the service and the pod are expecting TLS.
For example, using the Nginx ingress controller, the configuration requires `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"`. And the ingress object looks like this:
```yaml
ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
  hosts:
    - host: ca.mydomain.com
      paths:
        - path: /
  tls:
    - hosts:
        - ca.mydomain.com
      secretName: ingress-tls
```
Probably a better option would be to passthrough HTTPS with `nginx.ingress.kubernetes.io/ssl-passthrough: "true"`, but this is disabled by default, see https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#ssl-passthrough
from helm-charts.
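A sketch of the passthrough variant mentioned in the comment above, added here as an example and not taken from the thread or the chart. The Service name `step-certificates`, port 443 and the `nginx` ingress class are assumptions; the controller itself must also be started with `--enable-ssl-passthrough`, since the feature is off by default.

```yaml
# Added example. Assumed names: Service "step-certificates" on port 443,
# ingress class "nginx", Ingress name "step-ca-passthrough".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: step-ca-passthrough
  annotations:
    # TLS is not terminated at the controller: the connection is routed by
    # SNI and the CA pod presents its own certificate to the client.
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  rules:
    - host: ca.mydomain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: step-certificates
                port:
                  number: 443
  # No "tls:" section: with passthrough the controller holds no certificate
  # or key for this host.
```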
Sadly not usable for me as everywhere I've used it handles automatic DNS registration with ingress class as well as SSL termination by hostname + class. Ingress wouldn't work for me here then since the goal would be to let the K8s annotations on the ingress drive certificate acquisition / assignment. Thanks for the clarification though!
from helm-charts.
If you can use HTTPS as the backend protocol, and you get a certificate from the CA to your ingress using cert-manager + step-issuer, you should be able to use the ingress.
Another option is to use an ingress in Layer 4 mode, so it proxies the TCP level.
With a Layer 7 ingress, if it gets an SSL certificate from a different CA, let's say Let's Encrypt, it won't work at the moment.
from helm-charts.
> Hi @shairozan, using an ingress is not a common configuration, a better option is to use a LoadBalancer service or a NodePort. But in case you want to use an ingress you will need to take into account that the service and the pod are expecting TLS.
> For example, using the Nginx ingress controller, the configuration requires `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"`. And the ingress object looks like this:
> ```yaml
> ingress:
>   enabled: true
>   annotations:
>     nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
>   hosts:
>     - host: ca.mydomain.com
>       paths:
>         - path: /
>   tls:
>     - hosts:
>         - ca.mydomain.com
>       secretName: ingress-tls
> ```

It would be helpful if your helm chart supported options for the LoadBalancer service type. I can see a PR for that but with no response: #32

> Probably a better option would be to passthrough HTTPS with `nginx.ingress.kubernetes.io/ssl-passthrough: "true"`, but this is disabled by default, see https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#ssl-passthrough

It is possible to do that with the Traefik ingress controller. You can set their CRD IngressRouteTCP with TLS passthrough.
from helm-charts.
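The Traefik route described in the comment above, as an added example that is not part of the thread or the chart. The Service name `step-certificates`, port 443, the `websecure` entry point and the resource name are assumptions.

```yaml
# Added example. Assumed names: Service "step-certificates" on port 443,
# Traefik entry point "websecure".
# Older Traefik v2 releases use apiVersion traefik.containo.us/v1alpha1.
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
  name: step-ca
spec:
  entryPoints:
    - websecure
  routes:
    # Routing is by the SNI in the TLS ClientHello; Traefik never sees the
    # decrypted request.
    - match: HostSNI(`ca.mydomain.com`)
      services:
        - name: step-certificates
          port: 443
  tls:
    # Forward the TLS stream untouched so the CA terminates it itself.
    passthrough: true
```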