cloudflare-ingress-controller
Ingress HTTPS native services
Trying to use Argo Tunnel with the Kubernetes dashboard, which only communicates via HTTPS.
Getting errors like this in the Argo ingress controller:

    time="2018-09-04T01:23:49Z" level=error msg="HTTP request error" error="net/http: HTTP/1.x transport connection broken: malformed HTTP response \"\\x15\\x03\\x01\\x00\\x02\\x02\""

Is there a way to set up argo to be able to work with HTTPS services?
@tonyxiao Let me investigate and get back to you. I know that the Argo Tunnel ingress controller will set up HTTPS termination as part of creating a tunnel. I believe the requests are then forwarded to the backend as HTTP/1.1 (that's my guess as to what you are seeing).
Yep indeed requests are forwarded as HTTP. If there's a way to allow the backend to use HTTPS self signed certificate with argo, that'd simplify the setup of kubernetes dashboard via helm chart.
+1
+1
This would be incredibly useful for exposing the Kubernetes API over an Argo Tunnel which only accepts HTTPS.
The current result is:

    Client sent an HTTP request to an HTTPS server.

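
Added example, not part of the thread or of the project's code: a small Go decoder showing that the six bytes in the logged `malformed HTTP response` are the start of a TLS alert record, and that both symptoms quoted above (the alert bytes and the plain-text message) mean the origin expected TLS while the tunnel spoke plain HTTP. The names `ParseTLSAlert` and `OriginExpectsTLS` are hypothetical, and the input is the byte string from the log line in the first post.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
)

// TLSAlert is a TLS alert record found where an HTTP status line was expected.
type TLSAlert struct {
	Version     uint16 // record-layer version, 0x0301 in the logged bytes
	Length      int    // payload length from the record header
	Level       string // "warning", "fatal" or "unknown"
	Description int    // alert description code, -1 if the log cut it off
}

var ErrNotTLSAlert = errors.New("not a TLS alert record")

// ParseTLSAlert decodes type(1) | version(2) | length(2) | level(1) | description(1).
func ParseTLSAlert(b []byte) (TLSAlert, error) {
	if len(b) < 5 || b[0] != 0x15 || b[1] != 0x03 {
		return TLSAlert{}, ErrNotTLSAlert
	}
	a := TLSAlert{uint16(b[1])<<8 | uint16(b[2]), int(b[3])<<8 | int(b[4]), "unknown", -1}
	if len(b) > 5 && b[5] == 1 {
		a.Level = "warning"
	} else if len(b) > 5 && b[5] == 2 {
		a.Level = "fatal"
	}
	if len(b) > 6 {
		a.Description = int(b[6])
	}
	return a, nil
}

// OriginExpectsTLS reports whether a response payload matches either symptom
// quoted in this thread: a TLS alert record or the plain-text rejection.
func OriginExpectsTLS(resp []byte) bool {
	if _, err := ParseTLSAlert(resp); err == nil {
		return true
	}
	return bytes.Contains(resp, []byte("Client sent an HTTP request to an HTTPS server"))
}

func main() {
	logged := []byte("\x15\x03\x01\x00\x02\x02") // bytes from the logged error; description byte is absent
	a, _ := ParseTLSAlert(logged)
	fmt.Printf("version=0x%04x length=%d level=%s description=%d tls=%v\n",
		a.Version, a.Length, a.Level, a.Description, OriginExpectsTLS(logged))
}
```
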
+1 I'd love to use Argo Tunnel to expose the UI for Hashicorp Vault, but it's failing due to HTTPS.
+1 Has anyone found a way to make the ingress controller work with HTTPS backends?
@tonyxiao @mazamats
No, there isn't a way to do it. The ingress controller is being deprecated too.
It's better to run something like traefik or nginx-ingress and have a deployment with warp tunneling the ingress service to a single DNS record. Use something like external-dns to handle the automatic DNS record creation to CNAME to your ingress controller's DNS.
@mazamats did you end up managing a secure way to expose your API server?
My current thoughts were to use Cloudflare DNS, run the Argo tunnel to expose my VIP which I'm load-balancing with HAProxy across multiple master nodes, just looking for ideas on how others have tackled a similar concept.
@xUnholy
That's pretty much how I have it set up. However, logs -f and exec -ti don't work since those use QUIC and not HTTPS/Websockets.
I used traefik for the ingress controller and have argo tunnel to svc/traefik at traefik.<DOMAIN>.com. Then I just CNAME kubernetes.<DOMAIN>.com to that.
The ingress for the API:

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      annotations:
        ingress.kubernetes.io/protocol: https
      name: k8s-api
    spec:
      rules:
      - host: kubernetes.<DOMAIN>.com
        http:
          paths:
          - backend:
              serviceName: kubernetes
              servicePort: 443

I'm running microk8s at home so my kubeconfig ends up looking like this:

    apiVersion: v1
    clusters:
    - cluster:
        server: https://kubernetes.<DOMAIN>.com
      name: microk8s-cluster
    contexts:
    - context:
        cluster: microk8s-cluster
        user: admin
      name: microk8s
    current-context: microk8s
    kind: Config
    preferences: {}
    users:
    - name: admin
      user:
        password: hunter2
        username: admin

Does that mean you're running Argo Tunnel in a container, or are you running it on the node?
I'm running a small Raspberry Pi project, there is a discord link if you would like to chat further, would be good to get more details.
https://github.com/raspbernetes
@xUnholy I run argo tunnel in its own deployment (container) with 1 replica.

    $ cloudflared tunnel --hostname traefik.<DOMAIN>.com http://traefik