We’re using kong v2.0 in an EC2 Kubernetes cluster (v1.14), and we want to proxy an https call from the internet, through the Kong pod running in the cluster, to a backend legacy webserver that lives behind the firewall but outside the Kubernetes cluster. SSL certificates are generated from the AWS Certificate Manager.

Client -> ELB (L4 passthru) -> Kong Kubernetes pod -> Legacy Webserver

We are having issues with securing all parts of the communication path with SSL. Specifically, we cannot get Kong to terminate TLS with an AWS public certificate.

Questions:

1. Is it possible to have Kong to use an AWS public certificate (when they disallow exporting the private key)?
2. If not, is it possible to terminate at the AWS load balancer with a public cert, protect the Kong Kubernetes pod with a private cert, and then have kong proxy the call to the legacy webserver (that has a valid public cert)?
3. Is there a better and/or standard configuration?

No. You need the private key to terminate TLS. You can use Let’s Encrypt to provision a certificate for your domain.

Yes, that’s possible as well.