[Question] Secure service backend on kong ingress and proxy path


#1

Hello,

With the new kong ingress, and I am trying to add an external service (a google cloud function https trigger) using https. I try to proxy my serverless function using kong. This is what I am trying to achieve:

 | Incoming Request | ----- http://foo.baz.local/foo -----> | Kong | ------ https:// myproject.cloudfunctions.net/foo-prod -----> | Google Function |

Using the following configuration, kong keep making request to the service through http.

kind: Service
apiVersion: v1
metadata:
  name: fooservice
  namespace: foo
spec:
  type: ExternalName
  externalName: myproject.cloudfunctions.net
  ports:
  - name: http
    port: 80
    protocol: TCP
  - name: https
    port: 443
    protocol: TCP

---
apiVersion: configuration.konghq.com/v1
kind: KongIngress
metadata:
  name: foo-ingress
  namespace: foo
proxy:
  path: /foo-prod
route:
  strip_path: true
---
apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: transform-request-to-external
  namespace: foo
config:
  remove:
    headers: host
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: foo-ingress
  namespace: foo
  annotations:
    request-transformer.plugin.konghq.com: |
      transform-request-to-external
spec:
  rules:
    - host: foo.baz.local
      http:
        paths:
        - path: /foo
          backend:
            serviceName: fooservice
            servicePort: https

Now if i run something similar to curl -X GET --url http://localhost:8001/services on the admin-api pods, it responds:

{"next":null,"data":[{"host":"foo.fooservice.https","created_at":1530465759,"connect_timeout":60000,"id":"xxxx-2866-xxxx-92fb-xxxx","protocol":"http","name":"foo.fooservice.https","read_timeout":60000,"port":80,"path":"\/le-cab-prod-1","updated_at":1530465759,"retries":5,"write_timeout":60000}]}

The port used by kong is “80” and the protocol is “http”, how can I ensure kong is making theses requests through HTTPS? I tryed to add ingress.kubernetes.io/secure-backends: "true" (from NGINX ingress spec) but this does not work. I can notice if upstream.Secure in file https://github.com/Kong/kubernetes-ingress-controller/blob/master/internal/ingress/controller/kong.go but I can not figure where “.Secure” comes from

Testing this deployment made me notice kong now route “http://foo.baz.local/foo” AND “http://foo.baz.local/foo-prod”. Should’nt it create only a route for “http://foo.baz.local/foo” with my configuration?


#2

Hello @Ngob

Apologies for delay in response on this.

Kong Ingress Controller 0.1.0 was released a while ago with support for upstream HTTPS using the KongIngress custom resource.

Please use the protocol property under proxy to specify HTTPS protocol for upstream communication.


#3

Hello, thanks for the response. I updated and everything is working fine