SSL offloading at Kong level

Hi Everyone,

I am trying to configure SSL certificates at Kong level on kubernetes cluster. Below is the deployment Object I am using for Kong deployment on kubernetes.:

Thanks and regards,
Rahul Salunke

What is your question and what have you tried so far?

My question that can we configure SSL certificates at Kong level?

As We configure SSL certificates at Load balancer level and then points it to Kong . I want to configure SSL certficate at kong level in Kubernetes deployment.

Yes you can.

In that case, you need to ensure that you are using an L4 load-balancer in-front of Kong so that kong can terminate the TLS session.

Hi Harry,

Thanks for your reply.

We are using AWS for infrastructure. So as you suggested to use L4 load-balancer i.e Network Load Balancer from AWS which operates at Layer 4.

Now the thing which is the way to include certtificates in below deployment YAML file for kong for kong v2.1 and kong-ingress-controller v0.9.1:

Hi Harry,

How I can check Certificates added to Kong are working?

How are you configuring Kong?
If you are using Kong as an Ingress Controller, then you should use the Ingress API to configure SSL certificates.

Hello @Rahul_Salunke, I’m not sure if you’re trying to set up a shared certificate or not, so hopefully this information is useful anyway.
I’ve found that, counter-intuitively, one can register shared (e.g. wildcard) certificates into Kong using a dummy Ingress resource.

For example, if you create this object:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: kong
  name: kong-default-backend
  namespace: kube-system
spec:

  # Register a dummy backend
  rules:
  - host: example.com
    http:
      paths:
      - backend:
          serviceName: default-http-backend
          servicePort: 80
        path: /

  # Register TLS certificates and associated hostnames for SNI
  # These will be used by any ingress that matches the host pattern
  tls:
  - hosts:
      - '*.myorg.com'
      - '*.myorg.net'
    secretName: our-wildcard-cert

Now ingresses in any namespace that match the tls block (e.g. dashboard.myorg.com) will automatically use that wildcard certificate.

(Users of external-dns will want to also use the brand-new v0.7.4 feature added in #1645)


© 2019 Kong Inc.    Terms  •  Privacy  •  FAQ