0

Tried creating a Kubernetes endpoints service to invoke a resource hosted outside the cluster via static IPs over the HTTPS protocol. Below is the endpoint code:

kind: Service
apiVersion: v1
metadata:
  name: serviceRequest
spec:
  ports:
    - port: 8081
      targetPort: 8094      
      
---
kind: Endpoints
apiVersion: v1
metadata:
  name: serviceRequest
subsets:
  - addresses:
      - ip: XX.XX.XX.XX // **external IP which is accessible as https://XX.XX.XX.XX:8094**
    ports:
      - port: 8094

But the above configuration is giving 400 Bad Request with the message "This combination of host and port requires TLS."

The same works for http but not for an https-exposed "ip". Could someone please guide me on how to achieve this?

## Update1

This is how the flow is configured: Ingress->service->endpoints

pri
  • Your endpoint doesn't contain the definitions for a TLS certificate. Endpoint is rather crude; you're probably better off picking an ingress controller. (https://learn.microsoft.com/en-us/azure/aks/ingress-basic) – sleepyhead Dec 10 '20 at 14:55
  • @sleepyhead I already have an ingress set up before my service layer and I don't want to expose the service publicly; it is of clusterType, and the same goes for endpoints as well. Could you please help with some more details on it? I am a bit new to this concept. I have updated the flow in the post. – pri Dec 10 '20 at 15:29

3 Answers

1

This is the error message you get when calling an https endpoint with http. Are you sure that whoever is calling your service is calling it with https:// at the beginning?

Fritz Duchardt
  • Yes, with the configuration which I have mentioned above it's making http://. But my resource is on https://. Looking for guidance on how we can make a service use https:// for external IP endpoints. – pri Dec 10 '20 at 16:40
  • So, you want to call your service with http but have it forward that as https. I am afraid this is beyond k8s service functionality. You would need to use a service mesh like Istio for that: https://istio.io/latest/docs/tasks/traffic-management/egress/egress-tls-origination/ – Fritz Duchardt Dec 10 '20 at 16:47
0

Kubernetes Service is no more than a set of forwarding rules in iptables (most often), and it knows nothing about TLS.
If you want to enforce https redirection, you might use an ingress controller for this. All major ingress controllers have this capability.

For example, check for nginx-ingress.
https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#server-side-https-enforcement-through-redirect.

Basically, all you need is to add this annotation to your ingress rule.
nginx.ingress.kubernetes.io/ssl-redirect: "true"

Olesya Bolobova
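
For the Ingress -> Service -> Endpoints flow in the question, the hop that has to speak TLS is the one from the ingress controller to the external IP, because the Service only forwards bytes. The manifest below is an added example, not code from the original posts; it assumes the ingress-nginx controller, and the resource name `service-request`, the host names, and the Secret name are placeholders.

```yaml
# Added example (not from the original thread). Assumes ingress-nginx.
# service-request, app.example.com, backend.example.com and backend-ca
# are placeholders.
kind: Service
apiVersion: v1
metadata:
  name: service-request   # lowercase: Service names must be valid DNS labels
spec:                      # no selector: the endpoints are supplied manually
  ports:
    - name: https
      port: 8081
      targetPort: 8094
---
kind: Endpoints
apiVersion: v1
metadata:
  name: service-request   # must match the Service name
subsets:
  - addresses:
      - ip: XX.XX.XX.XX   # external HTTPS backend from the question
    ports:
      - name: https       # must match the Service port name
        port: 8094
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: service-request
  annotations:
    # nginx opens a TLS connection to the upstream instead of plain HTTP.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # Upstream certificate verification is off unless enabled here.
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "default/backend-ca"  # Secret with ca.crt
    nginx.ingress.kubernetes.io/proxy-ssl-name: "backend.example.com"   # name expected in the backend certificate
spec:
  ingressClassName: nginx
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: service-request
                port:
                  number: 8081
```
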
0

Easypeasy, just add port 443 to the Service that will make the request TLS/https:

kind: Service
apiVersion: v1
metadata:
  name: serviceRequest
spec:
  ports:
    - port: 443 # <-- this is the way
      targetPort: 8094      
      
---
kind: Endpoints
apiVersion: v1
metadata:
  name: serviceRequest
subsets:
  - addresses:
      - ip: XX.XX.XX.XX # **external IP which is accessible as https://XX.XX.XX.XX:8094**
    ports:
      - port: 8094

So you can reach your serviceRequest from your containers at the https://serviceRequest URL.

Also keep in mind that in YAML the # character is the comment sign, not //

zsolt