HAProxy Ingress TLS termination

Prerequisites

This document has the following prerequisites:

Using default TLS certificate

Update the ingress resource to add TLS termination for host foo.bar:

$ kubectl replace -f ingress-tls-default.yaml

The difference from the starting ingress resource:

 metadata:
   name: app
 spec:
+  tls:
+  - hosts:
+    - foo.bar
   rules:
   - host: foo.bar
     http:

Trying default backend:

$ curl -iL 172.17.4.99:30876
HTTP/1.1 404 Not Found
Date: Tue, 07 Feb 2017 00:06:07 GMT
Content-Length: 21
Content-Type: text/plain; charset=utf-8

default backend - 404

Now telling the controller we are foo.bar:

$ curl -iL 172.17.4.99:30876 -H 'Host: foo.bar'
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: https://foo.bar/
Connection: close
^C

Note the Location header: once a host is listed under tls, plain HTTP requests for it are redirected to the HTTPS endpoint (curl was interrupted here because foo.bar does not resolve in this environment).

Check the default certificate (replace 31692 below with the controller's TLS port):

$ openssl s_client -connect 172.17.4.99:31692
...
subject=/CN=localhost
issuer=/CN=localhost
---

... and the certificate served for foo.bar, which is still the default one because the ingress does not reference a secret yet:

$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
...
subject=/CN=localhost
issuer=/CN=localhost
---

Using a new TLS certificate

Now reference the new certificate from the ingress. Note that the secret foobar-ssl must already have been created as described in the prerequisites.

$ kubectl replace -f ingress-tls-foobar.yaml

Here is the difference:

   tls:
   - hosts:
     - foo.bar
+    secretName: foobar-ssl
   rules:
   - host: foo.bar
     http:

Now the foo.bar certificate is used to terminate TLS for that server name, while a connection without SNI still receives the default certificate:

$ openssl s_client -connect 172.17.4.99:31692
...
subject=/CN=localhost
issuer=/CN=localhost
---

$ openssl s_client -connect 172.17.4.99:31692 -servername foo.bar
...
subject=/CN=foo.bar
issuer=/CN=foo.bar
---
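The two openssl checks above (default certificate without SNI, per-host certificate with -servername) are worth scripting, so that a missing or mistyped secretName shows up as a failure instead of the default certificate being served silently. The script below is an added example and is not part of the HAProxy Ingress project. It assumes the openssl CLI is installed, that the controller address and TLS port are passed on the command line (172.17.4.99 and 31692 in this walkthrough), and that the expected CNs are the ones shown above: localhost for the default certificate and foo.bar for the host's own. The extract_* helpers accept both the older subject=/CN=... format seen in the transcripts and the subject=CN = ... format printed by newer OpenSSL releases.

```shell
#!/bin/sh
# Added example (not from the HAProxy Ingress project): verify which
# certificate the ingress presents with and without SNI. Assumes the
# openssl CLI is installed; HOST and PORT (the TLS port) are given as
# command-line arguments.

# Read `openssl s_client` output on stdin and print the subject CN.
# Handles "subject=/CN=foo.bar" (older OpenSSL, as in the transcript
# above) and "subject=C = US, CN = foo.bar" (OpenSSL 1.1.1 and later).
extract_subject_cn() {
  sed -n 's/^subject=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1 | sed 's/[[:space:]]*$//'
}

# Same extraction for the issuer line.
extract_issuer_cn() {
  sed -n 's/^issuer=.*CN *= *\([^,/]*\).*/\1/p' | head -n 1 | sed 's/[[:space:]]*$//'
}

# Connect to HOST:PORT (with SNI when a server name is given) and print
# the CN of the certificate actually served. Empty output means that no
# certificate could be read from the handshake.
served_cn() {
  if [ -n "$3" ]; then
    printf '' | openssl s_client -connect "$1:$2" -servername "$3" 2>/dev/null | extract_subject_cn
  else
    printf '' | openssl s_client -connect "$1:$2" 2>/dev/null | extract_subject_cn
  fi
}

# Compare the served CN with the expected one; prints a one-line verdict
# and returns 0 on match, 1 otherwise.
check_sni() {
  host=$1; port=$2; servername=$3; expected=$4
  got=$(served_cn "$host" "$port" "$servername")
  if [ "$got" = "$expected" ]; then
    echo "OK   sni=${servername:-<none>} cn=$got"
    return 0
  fi
  echo "FAIL sni=${servername:-<none>} expected=$expected got=${got:-<no certificate>}"
  return 1
}

# Usage: ./check-tls.sh 172.17.4.99 31692
# Exits non-zero if either check fails. Expected CNs follow the walkthrough
# above: the default certificate is CN=localhost, foo.bar gets its own.
main() {
  status=0
  check_sni "$1" "$2" ""      localhost || status=1
  check_sni "$1" "$2" foo.bar foo.bar   || status=1
  return $status
}

# Only run the live checks when an address and port were given, so the
# helper functions can also be sourced and reused on their own.
if [ "$#" -ge 2 ]; then
  main "$@"
fi
```

Run it after each `kubectl replace` above: before the secret is referenced, the foo.bar check reports the default CN and fails; after it, both checks pass. A FAIL on the SNI line with cn=localhost is the signature of an ingress whose tls entry lists the host but points at no (or a wrong) secretName.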