HTTP / TLS Ingress
To accept HTTP or TLS traffic coming into the cluster, Keisson manages an Ingress Controller on your behalf.
The Ingress Controller’s job is to intercept HTTP / TLS traffic, interpret it, and route it to the correct backend service. This provides several advantages:
For IPv4, there are not enough public addresses to give one to every service. Instead, an ingress controller can use a single public IPv4 address with multiple services sitting behind it.
The Ingress Controller can route based on complex path rules, allowing multiple separate services to be presented as a single domain.
The Ingress Controller can perform TLS termination for services that do not support TLS natively, or route based on the server name sent in the TLS handshake.
Ingress
Keisson natively supports Ingress records to manage and route HTTP and TLS services.
In addition to the vanilla Kubernetes features of Ingress records, Keisson’s Ingress Controller is backed by Cilium, so some extra annotations are supported:
Annotations
ingress.cilium.io/tls-passthrough
Enables TLS Passthrough for this Ingress.
Acceptable values: enabled, disabled (default)
Normally, the Ingress Controller will attempt to terminate TLS connections and read the HTTP request directly to make routing decisions. In TLS Passthrough mode, the Ingress Controller will instead attempt to route only using the server name given in the TLS handshake. The TLS connection will then be passed through directly to the backend service.
This is advantageous because the Ingress Controller never sees the content of the connection: traffic stays encrypted end to end between the client and your backend service.
This mode can only be used when an Ingress record includes only rules for the / path with pathType Prefix (routing based on paths is not possible in TLS Passthrough mode, because the Ingress Controller cannot see the content of any HTTP request).
ingress.cilium.io/force-https
Enables HTTP -> HTTPS redirects for this Ingress.
Acceptable values: enabled, disabled (default)
When enabled on an Ingress that supports TLS termination, a client that connects to the host over plain HTTP receives a permanent redirect to the HTTPS site from the Ingress Controller.
ingress.cilium.io/request-timeout
Sets the request timeout for backend services.
Acceptable values: any integer, or 0 to set no limit (default)
Differences From Vanilla Kubernetes
Ingress records work in much the same way they would in any other cluster, with two minor limitations:
All Ingress Rules must have a host field.
Ingress Rules with wildcard host fields (e.g. “*.foo.example.com”) must not match every domain under a TLD (e.g. “*.com” is unacceptable).
Similarly, hosts may not match every domain under a hierarchical second-level domain (e.g. “*.co.uk” is unacceptable).
The defaultBackend field cannot be set.
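To make these constraints concrete, the following added example (not part of the Keisson docs; the PUBLIC_SUFFIXES set is a constructed stand-in for the real Public Suffix List) lints an Ingress manifest against the rules on this page: the TLS passthrough restriction to / Prefix rules, the mandatory host field, the wildcard-suffix restriction, and the absent defaultBackend.

```python
from __future__ import annotations
from typing import Any

PASSTHROUGH = "ingress.cilium.io/tls-passthrough"
# Constructed stand-in for the Public Suffix List: TLDs and hierarchical
# second-level domains such as co.uk. A real check would load the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}


def lint_ingress(ingress: dict[str, Any]) -> list[str]:
    """Return the rule violations found; an empty list means the manifest is acceptable."""
    problems: list[str] = []
    spec = ingress.get("spec", {})
    annotations = ingress.get("metadata", {}).get("annotations", {})
    passthrough = annotations.get(PASSTHROUGH, "disabled") == "enabled"

    if "defaultBackend" in spec:
        problems.append("spec.defaultBackend cannot be set")

    for i, rule in enumerate(spec.get("rules", [])):
        host = rule.get("host")
        if not host:
            problems.append(f"rules[{i}]: host field is required")
        elif host.startswith("*.") and host[2:] in PUBLIC_SUFFIXES:
            # "*.com" or "*.co.uk" would match every domain under a public suffix
            problems.append(f"rules[{i}]: wildcard host {host!r} matches a whole public suffix")
        if passthrough:
            # Passthrough routes on the TLS server name only, so no path rules
            for path in rule.get("http", {}).get("paths", []):
                if path.get("path") != "/" or path.get("pathType") != "Prefix":
                    problems.append(
                        f"rules[{i}]: TLS passthrough allows only '/' Prefix rules, "
                        f"got {path.get('pathType')} {path.get('path')!r}"
                    )
    return problems


# Constructed sample manifest that breaks three of the rules at once.
SAMPLE_PASSTHROUGH = {
    "metadata": {"annotations": {PASSTHROUGH: "enabled"}},
    "spec": {
        "defaultBackend": {"service": {"name": "fallback", "port": {"number": 80}}},
        "rules": [
            {"host": "app.foo.example.com",
             "http": {"paths": [{"path": "/", "pathType": "Prefix"}]}},
            {"host": "*.co.uk",
             "http": {"paths": [{"path": "/api", "pathType": "Prefix"}]}},
        ],
    },
}

if __name__ == "__main__":
    for problem in lint_ingress(SAMPLE_PASSTHROUGH):
        print(problem)
```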