Hi,
I was testing skupper on an AWS EKS cluster with the --ingress nginx-ingress-v1 option.
I issued the following ‘skupper init’ command:

    skupper init --enable-console --console-user admin --console-password password --enable-flow-collector --ingress nginx-ingress-v1 --ingress-host ingen.com --ingress-annotations "nginx.ingress.kubernetes.io/ssl-passthrough"

I noticed that after skupper init, skupper automatically populates the ingress-nginx-controller configuration file like this:

    Name:             skupper
    Labels:           <none>
    Namespace:        west
    Address:          xxxx.us-west-2.elb.amazonaws.com
    Ingress Class:    nginx
    Default backend:  <default>
    Rules:
      Host  Path  Backends
      ----  ----  --------
            /     skupper:8081 (192.168.21.10:8081)
            /     skupper:8010 (192.168.21.10:8010)
            /     skupper-router:55671 (192.168.59.42:55671)
            /     skupper-router:45671 (192.168.59.42:45671)
    Annotations:      nginx.ingress.kubernetes.io/ssl-passthrough: true
                      nginx.ingress.kubernetes.io/ssl-redirect: true

The above annotations, introduced after the ‘skupper init’ command, seem to indicate that the ingress nginx controller will perform SSL pass-through.
After ensuring the token is created with the proper SAN field in tls.crt, I tried to perform a link from the client cluster. The link creation failed while verifying the certificate associated with the link target.
Debugging with openssl using the following command:

    openssl s_client -servername inter-router.west.ingen.com -connect inter-router.west.ingen.com:443 -tls1_3 -status -msg -debug -CAfile ./skupper-ca.pem

I found that the certificate returned from the server is the fake ACME corp certificate from nginx and not the certificate from skupper-router.
What am I missing?
Any suggestions on how ssl-passthrough can be enabled on ingress-nginx-controller on AWS EKS are welcome.
Thanks,
Sankar