How to enable SSL Passthrough in IBM Cloud Private
By using the nginx.ingress.kubernetes.io/ssl-passthrough annotation, you can configure TLS termination in a pod and not in NGINX.
Using the annotation nginx.ingress.kubernetes.io/ssl-passthrough invalidates all the other available annotations. This invalidation occurs because SSL Passthrough works on layer 4 of the OSI stack (TCP), not on the HTTP/HTTPS level.
SSL Passthrough is disabled by default in the Kubernetes Ingress component. If you want to enable SSL Passthrough in ICP, you must use the enable-ssl-passthrough parameter to enable this feature.
Enable SSL Passthrough in IBM Cloud Private 2.1.0.3
1. Install the IBM Cloud Private 2.1.0.3 release package, and check the nginx-ingress-controller DaemonSet.
# kubectl get ds -n kube-system | grep nginx-ingress-controller
nginx-ingress-controller 1 1 1 1 1 proxy=true 5h
2. Enable ssl-passthrough on the NGINX controller. To enable ssl-passthrough, run the following command and add --enable-ssl-passthrough=true to the controller container's arguments:
# kubectl edit ds nginx-ingress-controller -n kube-system
3. Verify the results.
# kubectl get ds nginx-ingress-controller -n kube-system -oyaml | grep ssl -B 4
- --default-backend-service=$(POD_NAMESPACE)/default-backend
- --configmap=$(POD_NAMESPACE)/nginx-ingress-controller
- --report-node-internal-ip-address=true
- --annotations-prefix=ingress.kubernetes.io
- --enable-ssl-passthrough=true
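4. Create an ingress resource. To create the resource, use the platform-identity-provider service as a backend service. This backend service must be able to access a WebSphere Liberty console endpoint. Because the controller in step 3 runs with --annotations-prefix=ingress.kubernetes.io, the annotation key in this cluster is ingress.kubernetes.io/ssl-passthrough. This ingress resource can be created by using the following yaml file: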
# cat ing-ssl.yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ssl
  namespace: kube-system
  annotations:
    ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  rules:
  - host: testssl.ibm.com
    http:
      paths:
      - backend:
          serviceName: platform-identity-provider
          servicePort: 9443
  tls:
  - hosts:
    - testssl.ibm.com
5. After you have updated the yaml file, create the ingress resource by running the following command:
# kubectl create -f ing-ssl.yaml
6. Check the ingress resource by using the Kubernetes CLI:
# kubectl get ingress -n kube-system
NAME     HOSTS             ADDRESS         PORTS     AGE
my-ssl   testssl.ibm.com   9.111.254.240   80, 443   1m
7. Add the IP address and hostname for your ingress resource into the /etc/hosts file.
# cat /etc/hosts
9.111.254.240 testssl.ibm.com
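8. Access the WebSphere Liberty console. To access the console, use the curl command or a browser.
- Access the WebSphere Liberty console by using a curl command (the -k option skips certificate verification, so this confirms that the backend answers, not which certificate is served):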
# curl -k https://testssl.ibm.com:443
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>WebSphere Liberty 18.0.0.1</title>
</head>
<body>
<div class="background"></div>
<section id="welcome-section">
<article id="welcome-section-content">
<img src="WAS-Liberty-Logo-White.png">
<h1>Welcome to Liberty</h1>
<h2 class="secondary">WebSphere Liberty 18.0.0.1</h2>
</article>
</section>
<section id="resources">
<article>
<h2>Additional Resources</h2>
<ul>
<li><a href="http://wasdev.net/?wlp=welcome">WASdev Community</a></li>
<li><a href="https://www.ibm.com/support/knowledgecenter/SSAW57_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/cwlp_about.html">Liberty Documentation</a></li>
<li><a href="http://wasdev.net/answers/?wlp=welcome">WASdev Forum</a></li>
</ul>
</article>
</section>
<footer>
<article>
<img src="ibm-white-logo-small.png">
<p id="footer-copy">
Licensed Materials — Property of IBM © Copyright IBM Corp.
1997, 2015. All Rights Reserved. IBM, and the IBM logo are
trademarks or registered trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other
product and service names might be trademarks of IBM or other
companies. A current list of IBM trademarks is available on the Web
at <span class="underline">Copyright and trademark
information.</span>
</p>
</article>
</footer>
<div id="footer-extra-background"></div>
</body>
<!-- The call below attempts to get a latest release marker file from a specific location. -->
<!-- It's expected that the returned object will be a piece of JavaScript defining a -->
<!-- variable called latestReleasedVersion that contains the following fields: -->
<!-- version: The version number of the latest released product -->
<!-- availableAt: The URL where you can get the latest version (from a Web Browser) -->
<!-- availableAtLabel: The label to show on the anchor tag -->
<script type="text/javascript" src="https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/wasdev/downloads/wlp_ga_latestversion.js"></script>
<script type="text/javascript" src="version.js"></script>
<script type="text/javascript">
var urlForCssEnhancements = "https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/wasdev/downloads/adminCenter-welcome.css";
var isLibertyUpdateAvailable = false;
function doVersionCheck(latestVersion) {
// Check that the remote file was located
// and contains the required version details
if (latestVersion != null && latestVersion.productName != null
&& latestVersion.availableFrom != null
&& latestVersion.version != null) {// Check if the online version differs from this current version
if (latestVersion.version != current.version) {
isLibertyUpdateAvailable = true;
}
}
}
doVersionCheck(latestReleasedVersion);
</script>
<script type="text/javascript" src="https://public.dhe.ibm.com/ibmdl/export/pub/software/websphere/wasdev/downloads/adminCenter-welcome.js"></script>
</html>
- Access the WebSphere Liberty console in a browser by using the ingress resource URL https://testssl.ibm.com:443
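
A preflight check for steps 2 to 4, as an added example that is not part of the original page or of IBM Cloud Private: it confirms that the controller has --enable-ssl-passthrough=true and that the Ingress annotation uses the same prefix as the controller's --annotations-prefix, since a mismatched prefix is ignored and NGINX then terminates TLS itself. The function names and the sample manifests are constructed for illustration, and the fallback prefix nginx.ingress.kubernetes.io is assumed to be the ingress-nginx default when the flag is absent.

```shell
#!/bin/sh
# Added example: offline preflight for the two settings SSL passthrough needs.

# Print the value of a "--name=value" controller argument (empty if absent).
controller_arg() {  # usage: controller_arg <daemonset.yaml> <name>
    sed -n "s|^[[:space:]]*-[[:space:]]*--$2=\(.*\)\$|\1|p" "$1" | head -n 1
}

# Print the annotation key that sets ssl-passthrough to "true" in an Ingress.
passthrough_annotation() {  # usage: passthrough_annotation <ingress.yaml>
    sed -n 's|^[[:space:]]*\([^[:space:]]*/ssl-passthrough\):[[:space:]]*"\{0,1\}true"\{0,1\}[[:space:]]*$|\1|p' "$1" | head -n 1
}

# Return 0 if passthrough can take effect; else print the reason and return 1.
check_passthrough() {  # usage: check_passthrough <daemonset.yaml> <ingress.yaml>
    enabled=$(controller_arg "$1" enable-ssl-passthrough)
    prefix=$(controller_arg "$1" annotations-prefix)
    # Assumption: ingress-nginx default prefix when --annotations-prefix is unset.
    [ -n "$prefix" ] || prefix=nginx.ingress.kubernetes.io
    found=$(passthrough_annotation "$2")
    if [ "$enabled" != "true" ]; then
        echo "controller: --enable-ssl-passthrough=true is not set"; return 1
    fi
    if [ "$found" != "$prefix/ssl-passthrough" ]; then
        echo "ingress: need $prefix/ssl-passthrough, found '${found:-none}'"; return 1
    fi
    echo "ok: $found matches the controller prefix"
}

# Constructed sample input, modelled on the manifests shown in the steps above.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/ds.yaml" <<'EOF'
        - --annotations-prefix=ingress.kubernetes.io
        - --enable-ssl-passthrough=true
EOF
cat > "$tmp/ing.yaml" <<'EOF'
  annotations:
    ingress.kubernetes.io/ssl-passthrough: "true"
EOF
cat > "$tmp/ing-bad.yaml" <<'EOF'
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
EOF
check_passthrough "$tmp/ds.yaml" "$tmp/ing.yaml"
check_passthrough "$tmp/ds.yaml" "$tmp/ing-bad.yaml" || true
```

On a live cluster, save the inputs with kubectl get ds nginx-ingress-controller -n kube-system -oyaml and kubectl get ingress my-ssl -n kube-system -oyaml, then pass the two files to check_passthrough.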