github.com/nginxinc/kubernetes-ingress@v1.12.5/examples-of-custom-resources/tls-passthrough/README.md

# TLS Passthrough

In this example, we show how to use a TransportServer resource to configure TLS Passthrough load balancing.

With the TLS Passthrough feature, the Ingress Controller accepts TLS connections on port 443 and routes them to the corresponding backend services without decryption. The routing is done based on the [SNI](https://en.wikipedia.org/wiki/Server_Name_Indication), which allows clients to specify a server name (like `example.com`) during the SSL handshake. At the same time, the Ingress Controller continues to handle regular HTTPS traffic on the same port 443, terminating TLS connections using the TLS certificate and keys specified through [Ingress](https://docs.nginx.com/nginx-ingress-controller/configuration/ingress-resources/basic-configuration/) or [VirtualServer](https://docs.nginx.com/nginx-ingress-controller/configuration/virtualserver-and-virtualserverroute-resources/) resources.

We will deploy a backend application (we call it the *secure app*) that exposes port 8443 for TLS traffic. Then we will configure the Ingress Controller to route connections to the secure app using a TransportServer resource.

## About the Secure App

The secure app is an NGINX pod (not to be confused with the Ingress Controller pod, which also includes NGINX) configured to serve HTTPS traffic on port 8443 for the host `app.example.com`. For TLS termination, a self-signed TLS certificate and key are used. The app responds to clients' HTTPS requests with a simple text response `hello from pod <hostname of the pod>`.

You can see how the Secure App is implemented in the `secure-app.yaml` file.

## Prerequisites

1. Follow the [installation](https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/) instructions to deploy the Ingress Controller:
   * As part of Step 2 of those instructions, make sure to deploy the custom resource definition for the TransportServer resource.
   * Set the [`-enable-custom-resources`](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-custom-resources) and [`-enable-tls-passthrough`](https://docs.nginx.com/nginx-ingress-controller/configuration/global-configuration/command-line-arguments/#cmdoption-enable-tls-passthrough) command-line arguments of the Ingress Controller to enable the TLS Passthrough feature.
1. Save the public IP address of the Ingress Controller into a shell variable:
   ```
   $ IC_IP=XXX.YYY.ZZZ.III
   ```
1. Save the HTTPS port of the Ingress Controller into a shell variable:
   ```
   $ IC_HTTPS_PORT=<port number>
   ```

## Step 1 - Deploy the Secure App

Create the secure app deployment and service:
```
$ kubectl apply -f secure-app.yaml
```

## Step 2 - Configure Load Balancing

1. Create the TransportServer resource to configure TLS Passthrough:
   ```
   $ kubectl apply -f transport-server-passthrough.yaml
   ```
1. Check that the configuration has been successfully applied by inspecting the events of the TransportServer:
   ```
   $ kubectl describe ts secure-app
   . . .
   Events:
     Type    Reason          Age   From                      Message
     ----    ------          ----  ----                      -------
     Normal  AddedOrUpdated  9s    nginx-ingress-controller  Configuration for default/secure-app was added or updated
   ```

## Step 3 - Test the Configuration

Now we access the secure app using *curl*. We'll use curl's `--insecure` option to turn off certificate verification of the app's self-signed certificate and the `--resolve` option to map the domain name of the secure app to the IP address and HTTPS port of the Ingress Controller:
```
$ curl --resolve app.example.com:$IC_HTTPS_PORT:$IC_IP https://app.example.com:$IC_HTTPS_PORT --insecure
hello from pod secure-app-d986bcf6b-jwm2s
```
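The only thing the Ingress Controller can see on a passthrough connection is the `server_name` extension of the ClientHello, which is sent in the clear before any key exchange; that is what the `--resolve` trick above relies on, since curl puts `app.example.com` into the SNI field while connecting to `$IC_IP`. The following Python script is an added example, not code from the nginxinc/kubernetes-ingress repository: it constructs a minimal ClientHello record (zeroed random, one cipher suite, not meant to complete a handshake) and parses the SNI back out of it, including the no-SNI case, which the Ingress Controller treats as ordinary HTTPS rather than passthrough traffic. `build_client_hello` and `extract_sni` are names chosen for this example.

```python
"""Build and parse the SNI extension of a TLS ClientHello.

Added example (not part of the nginxinc/kubernetes-ingress repo). The
Ingress Controller's TLS Passthrough routes on the server_name extension,
which travels unencrypted in the first handshake message.
"""
import struct

TLS_HANDSHAKE = 0x16      # record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello
EXT_SERVER_NAME = 0x0000  # extension type: server_name (RFC 6066)


def build_client_hello(server_name=None):
    """Construct a structurally valid TLS 1.2 ClientHello (test data only)."""
    body = b"\x03\x03"            # client_version: TLS 1.2
    body += b"\x00" * 32          # random: constructed, all zero
    body += b"\x00"               # session_id: empty
    body += b"\x00\x02\x13\x01"   # cipher_suites: one suite, 2 bytes
    body += b"\x01\x00"           # compression_methods: null only
    extensions = b""
    if server_name is not None:
        host = server_name.encode("idna")
        # ServerNameList entry: name_type host_name (0), 2-byte length, name
        entry = b"\x00" + struct.pack("!H", len(host)) + host
        sni_data = struct.pack("!H", len(entry)) + entry
        extensions += struct.pack("!HH", EXT_SERVER_NAME, len(sni_data)) + sni_data
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    record_header = bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake))
    return record_header + handshake


def extract_sni(record):
    """Return the SNI host name of a ClientHello record, or None.

    None means the record is not a ClientHello or carries no server_name,
    e.g. a client that connected by bare IP address; such a connection
    cannot be matched to a TransportServer by host and falls back to the
    Ingress Controller's regular HTTPS handling.
    """
    if len(record) < 5 or record[0] != TLS_HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != CLIENT_HELLO:
        return None
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                  # skip version + random
    if pos >= len(body):
        return None
    sid_len = body[pos]
    pos += 1 + sid_len                            # skip session_id
    if pos + 2 > len(body):
        return None
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                             # skip cipher_suites
    if pos >= len(body):
        return None
    cm_len = body[pos]
    pos += 1 + cm_len                             # skip compression_methods
    if pos + 2 > len(body):
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        ext_type, length = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + length]
        pos += length
        if ext_type != EXT_SERVER_NAME or len(data) < 5:
            continue
        # ServerNameList: 2-byte list length, then (name_type, 2-byte len, name)
        name_type = data[2]
        name_len = struct.unpack("!H", data[3:5])[0]
        if name_type == 0 and len(data) >= 5 + name_len:
            return data[5:5 + name_len].decode("ascii")
    return None


if __name__ == "__main__":
    for name in ("app.example.com", None):
        print(repr(name), "->", extract_sni(build_client_hello(name)))
```

Running the script prints `'app.example.com' -> 'app.example.com'` and `None -> None`. The practical consequence for this setup: routing is decided purely on a client-supplied, unauthenticated name, so the backend must still present and enforce its own certificate, and a request sent to the Ingress Controller's IP without SNI never reaches the `secure-app` TransportServer.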