How to enable SSL passthrough on the nginx-ingress controller in Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x provisioned Kubernetes clusters

This document (000020147) is provided subject to the disclaimer at the end of this document.

Situation

Task

This article details how to enable SSL passthrough on the nginx-ingress controller in Rancher Kubernetes Engine (RKE) CLI or Rancher v2.x provisioned Kubernetes clusters.

Pre-requisites

Resolution

Configuration for RKE provisioned clusters

  1. Edit the cluster configuration YAML file to include the enable-ssl-passthrough: true option for the ingress, as follows:

    ingress:
  provider: nginx
  extra_args:
    enable-ssl-passthrough: true

  2. Apply the changes to the cluster, by invoking rke up:

    rke up --config <cluster configuration yaml file>

  3. Recycle the nginx pods in-order to pick up new argument:

    for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name); do kubectl delete $pod -n ingress-nginx; echo "Sleeping for 5 seconds"; sleep 5; done

  4. Verify the new argument:

    for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name | awk -F '/' '{print $2}'); do echo -n "Checking $pod .... "; kubectl -n ingress-nginx exec "$pod" -- bash -c "ps aux | grep -v grep | grep enable-ssl-passthrough=true" > /dev/null 2>&1 && echo "Good" || echo "Bad"; done

  5. Edit the ingress to include the new annotations:

    kubectl -n default edit ingress hello-world-lb

    Example:

    apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  name: hello-world-lb
  namespace: default
Configuration for Rancher provisioned clusters
  1. Login into the Rancher UI.
  2. Go to Global -> Clusters -> <>.
  3. From the Cluster Dashboard edit the cluster by Clicking on "⋮" then select Edit.
  4. Click "Edit as YAML".

  5. Enclude the enable-ssl-passthrough: true option for the ingress, as follows:

    ingress:
  provider: nginx
  extra_args:
    enable-ssl-passthrough: true

  6. Click "Save" at the bottom of the page.

  7. Wait for cluster to finish upgrading.
  8. Go back to the Cluster Dashboard and click "Launch kubectl".

  9. Run the following inside the kubectl CLI to recycle the nginx pods in-order to pick up new argument:

    for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name); do kubectl delete $pod -n ingress-nginx; echo "Sleeping for 5 seconds"; sleep 5; done
    9. Run the following inside the kubectl CLI to verify the new argument: 
    for pod in $(kubectl get pods -l app=ingress-nginx -n ingress-nginx --no-headers -o name | awk -F '/' '{print $2}'); do echo -n "Checking $pod .... "; kubectl -n ingress-nginx exec "$pod" -- bash -c "ps aux | grep -v grep | grep enable-ssl-passthrough=true" > /dev/null 2>&1 && echo "Good" || echo "Bad"; done

  10. Browse to the ingress in question and click edit.

  11. Expand "Labels & Annotations".
  12. Click "Add annotation" and add nginx.ingress.kubernetes.io/ssl-passthrough=true under "Annotations".
  13. Click "Save".
Verification Steps

Run the following command to verify new certificate:

```bash
curl --insecure -v https://<<APP URL>> 2>&1 | awk 'BEGIN { cert=0 } /^\* SSL connection/ { cert=1 } /^\*/ { if (cert) print }'
```

Example output:

* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: OU=Domain Control Validated; CN=*.rancher.tools
*  start date: Jul  2 00:42:01 2019 GMT
*  expire date: May  2 00:19:41 2020 GMT
*  issuer: C=BE; O=GlobalSign nv-sa; CN=AlphaSSL CA - SHA256 - G2
*  SSL certificate verify ok.
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
* Connection #0 to host lab.rancher.tools left intact

N.B. Some browsers will cache the certificate, as a result you might need to close and re-open the browser in order to get the new certificate. How to clear the SSL state in a browser.

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:000020147
  • Creation Date: 06-May-2021
  • Modified Date:06-May-2021
    • SUSE Rancher

< Back to Support Search

For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com

SUSE Support Forums

Get your questions answered by experienced Sys Ops or interact with other SUSE community experts.

Join Our Community

Support Resources

Learn how to get the most from the technical support you receive with your SUSE Subscription, Premium Support, Academic Program, or Partner Program.


SUSE Customer Support Quick Reference Guide SUSE Technical Support Handbook Update Advisories
Support FAQ

Open an Incident

Open an incident with SUSE Technical Support, manage your subscriptions, download patches, or manage user access.

Go to Customer Center
Report a Software Vulnerability Submit Tips, Tricks, and Tools Download Free Tools