Securing traffic between ingress and pods #core 2.1 #kubernetes #docker #azure

Sergii Bielskyi
Nov 14, 2018 · 2 min read

Today I would like to say a few words about my experience configuring communication between an ingress and pods.

You can set up TLS for external requests by following the Kubernetes documentation at https://kubernetes.io/docs/concepts/services-networking/ingress/#tls, but by default the internal hop from the ingress to the pod still uses plain HTTP. That means that if you build a service that only speaks HTTPS and publish it as a pod in your Kubernetes cluster, the ingress will still try to reach the pod over HTTP, and you end up with an error like the one below

[error] 7335#7335: OCSP_basic_verify() failed (SSL: error:27069076:OCSP routines:OCSP_basic_verify:signer certificate not found) while requesting certificate status, responder

along with other errors related to certificates or SSL connections. So, let me give you a few tips on how to sort out this problem.

First of all, you need to build your service so that it uses SSL/TLS. I use an ASP.NET Core 2.1 Web API; this article explains how to enforce HTTPS: https://docs.microsoft.com/en-us/aspnet/core/security/enforcing-ssl?view=aspnetcore-2.1&tabs=visual-studio.

Then, you need to prepare a Dockerfile that builds the image and generates the certificate. Here is an example,

FROM microsoft/dotnet:2.1-aspnetcore-runtime AS base
WORKDIR /app
EXPOSE 5002

FROM microsoft/dotnet:2.1-sdk AS build
WORKDIR /src
COPY . /src
RUN dotnet restore /src/api.csproj
COPY . /api
WORKDIR /api
RUN dotnet build /api/api.csproj -c Release -o /app

FROM build AS publish
RUN dotnet publish api.csproj -c Release -o /app

FROM base AS final
WORKDIR /app
COPY --from=publish /app .

# ENV takes "KEY value" or "KEY=value"; a colon after the key is a syntax error.
ENV ASPNETCORE_ENVIRONMENT=Development
ENV ASPNETCORE_URLS https://+:5002
ENV ASPNETCORE_HTTPS_PORT 5002
# Note: an ENV value is stored in the image metadata (docker history / docker inspect),
# so anyone who can pull the image can read this password.
ENV ASPNETCORE_Kestrel__Certificates__Default__Password <put your password>

# The runtime image is slim: install openssl and the CA bundle before using them,
# and refresh the CA store after ca-certificates is installed, not before.
RUN apt-get update \
    && apt-get install -qqy --no-install-recommends openssl ca-certificates \
    && update-ca-certificates \
    && rm -rf /var/lib/apt/lists/*

# Generate a passphrase-protected RSA key, then strip the passphrase so Kestrel can load it.
RUN openssl genrsa -des3 -passout pass:${ASPNETCORE_Kestrel__Certificates__Default__Password} -out server.key 2048
RUN openssl rsa -passin pass:${ASPNETCORE_Kestrel__Certificates__Default__Password} -in server.key -out server.key
# Self-signed certificate for CN=localhost, valid for one year.
RUN openssl req -sha256 -new -key server.key -out server.csr -subj '/CN=localhost'
RUN openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
# Bundle key and certificate into the PKCS#12 file Kestrel reads, protected with the password above.
RUN openssl pkcs12 -export -out api.pfx -inkey server.key -in server.crt -certfile server.crt -passout pass:${ASPNETCORE_Kestrel__Certificates__Default__Password}
# Relative to WORKDIR /app, where the files above were written.
ENV ASPNETCORE_Kestrel__Certificates__Default__Path api.pfx

ENTRYPOINT ["dotnet", "api.dll"]

Next, configure the ingress to pass the SSL connection straight through to the pod instead of terminating it. In the annotations section of the Ingress resource, add

nginx.ingress.kubernetes.io/ssl-passthrough: "true"

The last step is to apply the changes; after the ingress controller restarts, you will see it working.
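As an added example that is not part of the original post, here is a complete set of manifests wiring the image from the Dockerfile above to an ingress-nginx controller in SSL passthrough mode. The names (api, api.example.com) and the image reference are assumptions; the Service targets the 5002 port Kestrel listens on.

```yaml
# Added example (not from the original post): Deployment, Service and Ingress
# for the HTTPS-only API container. Names, hostname and image tag are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: api
spec:
  replicas: 1
  selector:
    matchLabels:
      app: api
  template:
    metadata:
      labels:
        app: api
    spec:
      containers:
        - name: api
          image: myregistry.example/api:1.0   # assumed image built from the Dockerfile above
          ports:
            - containerPort: 5002            # Kestrel HTTPS endpoint (ASPNETCORE_URLS)
---
apiVersion: v1
kind: Service
metadata:
  name: api
spec:
  selector:
    app: api
  ports:
    - name: https
      port: 443
      targetPort: 5002
---
apiVersion: extensions/v1beta1   # Ingress API version of 2018-era clusters
kind: Ingress
metadata:
  name: api
  annotations:
    kubernetes.io/ingress.class: "nginx"
    # Hand the raw TLS stream to the pod; Kestrel terminates TLS with api.pfx,
    # so nginx never speaks plain HTTP to the backend.
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /
            backend:
              serviceName: api
              servicePort: 443
```

Two checks before applying this: the ingress-nginx controller only honours the annotation when it was started with the `--enable-ssl-passthrough` flag, and in passthrough mode nginx forwards the TCP stream based on the SNI hostname, so path-based routing, header rewriting and the other L7 features of the ingress do not apply to that host. No `tls:` section is needed, because the certificate the client sees is the one inside api.pfx; with the self-signed `CN=localhost` certificate from the Dockerfile a client will therefore fail hostname validation against api.example.com, so for anything beyond a test cluster issue the certificate for the real hostname. If you would rather have the ingress terminate TLS and re-encrypt to the pod, ingress-nginx also offers the `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` annotation instead of passthrough. On newer clusters the Ingress uses `networking.k8s.io/v1`, whose backend field syntax differs from the `extensions/v1beta1` form shown here.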

Good luck.

Written by Sergii Bielskyi

Cloud is more than you imagine… Cloud Infrastructure Architect | Microsoft Azure MVP | Founder of IoT community in Ukraine | MCPD | MCTS | MCP
