How to set backend-protocol: "HTTPS" #91

Open
samstride opened this issue Apr 28, 2022 · 8 comments
Labels
enhancement New feature or request

Comments

@samstride

samstride commented Apr 28, 2022

Hi,

Thanks for maintaining this repo.

I am trying to use caddy ingress to expose the kubernetes dashboard.

With nginx, this annotation is needed in the ingress:

nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

What's the equivalent for Caddy's ingress?

I am on GKE 1.22.8.

My ingress definition looks something like this:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: k8s-ingress
  namespace: kubernetes-dashboard
  annotations:
    kubernetes.io/ingress.class: caddy
spec:
  rules:
    - host: k8s.mycompany.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kubernetes-dashboard
                port:
                  number: 443

Thanks.

@Embraser01
Member

Hi, it's not something possible for now, should be feasible though

The thing I don't know yet is how to handle TLS verification.
We would have to fill these fields: https://caddyserver.com/docs/json/apps/http/servers/errors/routes/handle/reverse_proxy/transport/http/

@samstride
Author

samstride commented Apr 28, 2022

@Embraser01 , thanks for clarifying.

Sorry, one more thing. When I install caddy via helm, is there any setting that can be used to select/set a load balancer IP?

The reason I ask is that on GKE, caddy defaulted to using the ephemeral IP of the cluster. I tried editing it to a reserved static IP but that did not work either.

But ya, apart from these 2 issues, it's been pretty awesome so far.

@Embraser01
Member

> The reason I ask is that on GKE, caddy defaulted to using the ephemeral IP of the cluster. I tried editing it to a reserved static IP but that did not work either.

Do you mean the status Ingress resources have? If so, you can find the logic here https://github.com/caddyserver/ingress/blob/master/internal/k8s/pod.go

If you mean the possibility of specifying the loadBalancerIP field in the Service, we could improve the Helm chart to allow adding it https://github.com/caddyserver/ingress/blob/master/charts/caddy-ingress-controller/templates/loadbalancer.yaml

@samstride
Author

Hmmm, I don't think the IP status of Ephemeral is advertised to Kubernetes. It's more of a cloud provider thing I guess.

I used kubectl edit to manually change the IP to a static one that I reserved but for some reason it kept reverting back.

If we can figure out why manually setting it did not work and solve that first, I can then provide a PR to the template.

I'd also be glad to contribute to the docs around GKE setup too.

@Embraser01
Member

Looking back at this issue, HTTPS services should kinda work because the 443 port on the service should make caddy use https automatically. It's probably the certificate validity of the kubernetes-dashboard that is self-signed?

> I used kubectl edit to manually change the IP to a static one that I reserved but for some reason it kept reverting back.
>
> If we can figure out why manually setting it did not work and solve that first, I can then provide a PR to the template.

It's weird that service specs were not persisted. Maybe you can't edit a LoadBalancer's IPs once created on GKE? Didn't find anything related to this in docs.
The caddy controller doesn't patch anything except ingress statuses (with the service endpoint) so it shouldn't impact this.

@samstride
Author

@Embraser01 , yes, from here

> By default self-signed certificates are generated and stored in-memory. In case you would like to use your custom certificates follow the below steps, otherwise skip directly to the Dashboard deploy part.

With NGINX, the annotation nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" solves this.

The alternative is to create a secret using custom certs and modify the deployment, which will be good to document.

@Embraser01
Member

Ok, thanks, found the Nginx ingress controller config for that: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#backend-certificate-authentication

It will take some work to make it fully work but it should be fairly easy to make it work with verification disabled (default in nginx)
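
The backend TLS choices discussed in this thread, as an added example that is not part of the issue or of the caddy-ingress code: a standard-library Go reverse proxy (standing in for Caddy) in front of a constructed HTTPS backend whose certificate is not in the system trust store. `proxyStatus` and the mode names are hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// proxyStatus fronts a constructed HTTPS backend (untrusted certificate, like
// the dashboard's self-signed one) with a reverse proxy in the given TLS mode
// and returns the status code a client of the proxy sees.
func proxyStatus(mode string) int {
	backend := httptest.NewTLSServer(http.HandlerFunc(
		func(w http.ResponseWriter, r *http.Request) { io.WriteString(w, "dashboard") }))
	defer backend.Close()

	cfg := &tls.Config{} // "default": verify the backend against system roots
	switch mode {
	case "skip-verify": // verification disabled: encrypted, but backend not authenticated
		cfg.InsecureSkipVerify = true
	case "pinned-ca": // trust only the backend's own certificate
		pool := x509.NewCertPool()
		pool.AddCert(backend.Certificate())
		cfg.RootCAs = pool
	}

	target, _ := url.Parse(backend.URL)
	proxy := httputil.NewSingleHostReverseProxy(target)
	proxy.Transport = &http.Transport{TLSClientConfig: cfg}
	proxy.ErrorLog = log.New(io.Discard, "", 0) // silence the expected handshake error
	front := httptest.NewServer(proxy)
	defer front.Close()

	resp, err := http.Get(front.URL)
	if err != nil {
		return 0
	}
	defer resp.Body.Close()
	return resp.StatusCode
}

func main() { fmt.Println(proxyStatus("default"), proxyStatus("skip-verify"), proxyStatus("pinned-ca")) }
```

In the default mode the proxy cannot verify the backend and answers 502; pinning the backend's certificate restores the route while still authenticating the upstream, which skipping verification does not.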

@Embraser01 Embraser01 added the enhancement New feature or request label May 5, 2022
@samstride
Author

Awesome + Thanks. Keen to try it out when it is ready and also happy to contribute to some GKE specific docs.
