Handling TLS #1486
We're looking to replace nginx with YARP acting as a gateway to our services running inside of Kubernetes. Right now our services are hosted at svcname.domain.com with the idea being that we'd use YARP to convert that to something more like gateway.domain.com/api/svcname (or similar). We'd then use YARP to handle things like Auth and other cross-cutting concerns. That part is easy and I understand how to handle all of that just from the docs. The problem is that we are currently making use of Let's Encrypt certificates (managed by cert manager) for non-production and planned to use our existing wildcard certificate for production. Right now as I begin to introduce YARP, I am running it behind nginx and letting that handle TLS. But ideally I'd nix that from the setup. I'm not yet using the k8s controller (sample) either, I planned to ease that in once I got a basic setup running. I'm just not sure what the best/correct plan is for handling the TLS certificates. Since everything will be on the same domain and accessed via this gateway, I don't really need to worry about per-ingress certificates. I suppose I just need the single certificate (wildcard or otherwise) for the YARP ingress, assuming I can mount it into the container. Does this then become a Kestrel concern vs a YARP one? In either case, any idea what I should be looking at? I read elsewhere (for something wholly unrelated) that should I want any sort of readiness/liveness/health check probe I'd have to make sure that the YARP application wasn't doing auto https redirect otherwise the certificate (for my actual domain) wouldn't match the localhost urls used by the probes. Should I have https redirect disabled anyways for YARP (I don't see it in any of the samples, so I assume yes?) or is there some way to get the best of both worlds?
Replies: 1 comment
Ok so I was able to get it all working by looking into Kestrel's certificate and SNI support. All's well. Next time I'll put a bit more effort in before posting a question :) I guess the only thing missing then (and unrelated to my use case) is support for the k8s controller to leverage an ingress's TLS secret. That'd be pretty sweet if it can be done, especially for instances leveraging Let's Encrypt/certmanager since it looks like LettuceEncrypt is in maintenance-only mode
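As an added example (not code from this thread or from the YARP project), here is the Kestrel-side setup the question and the reply refer to: a YARP `Program.cs` that terminates TLS itself with a certificate mounted from a Kubernetes TLS secret, picks a certificate per SNI host name, and keeps the plain-HTTP probe port out of the HTTPS redirect so liveness/readiness checks still get a 200. The mount paths under `/certs`, the ports 8080/8443, the `/healthz` path and the host names are assumptions chosen for the example.

```csharp
using System.Security.Cryptography.X509Certificates;
using Microsoft.AspNetCore.Server.Kestrel.Https;

var builder = WebApplication.CreateBuilder(args);

// Assumed layout: each Kubernetes TLS secret is mounted as a directory holding
// tls.crt and tls.key in PEM form (that is how kubernetes.io/tls secrets appear).
static X509Certificate2 LoadPem(string dir) =>
    X509Certificate2.CreateFromPemFile(
        Path.Combine(dir, "tls.crt"), Path.Combine(dir, "tls.key"));

// Assumed: the production wildcard (*.domain.com) plus one extra host, only to
// show how Kestrel chooses a certificate from the SNI name the client sends.
var wildcardCert = LoadPem("/certs/wildcard");
var certsByHost = new Dictionary<string, X509Certificate2>(StringComparer.OrdinalIgnoreCase)
{
    ["legacy.example.org"] = LoadPem("/certs/legacy"), // hypothetical second host
};

builder.WebHost.ConfigureKestrel(kestrel =>
{
    // Plain HTTP port reserved for kubelet probes: no certificate involved.
    kestrel.ListenAnyIP(8080);

    // TLS port exposed by the Service; Kestrel terminates TLS, so nginx is no longer in front.
    kestrel.ListenAnyIP(8443, listen => listen.UseHttps(https =>
    {
        https.ServerCertificate = wildcardCert; // used when the client sends no SNI
        // The selector takes priority over ServerCertificate when a name is present.
        https.ServerCertificateSelector = (connection, sniHost) =>
            sniHost is not null && certsByHost.TryGetValue(sniHost, out var match)
                ? match
                : wildcardCert;
    }));
});

builder.Services.AddHealthChecks();
builder.Services.AddReverseProxy()
    .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"));

// Kestrel listens on 8443 rather than 443, so the redirect middleware must be told
// the real port or it cannot build the Location header.
builder.Services.AddHttpsRedirection(o =>
{
    o.HttpsPort = 8443;
    o.RedirectStatusCode = StatusCodes.Status308PermanentRedirect;
});

var app = builder.Build();

// "Best of both worlds": redirect HTTP clients to HTTPS for everything except the
// probe path, so the kubelet's http://<pod-ip>:8080/healthz call is answered directly
// instead of being bounced to a host name the certificate was never issued for.
app.UseWhen(ctx => !ctx.Request.Path.StartsWithSegments("/healthz"),
            branch => branch.UseHttpsRedirection());

app.MapHealthChecks("/healthz");
app.MapReverseProxy();

app.Run();
```

On the Kubernetes side this pairs with the secrets mounted as volumes at the assumed `/certs/...` paths, a Service whose target port is 8443, and container probes of type `httpGet` against port 8080 and path `/healthz`. The same certificate paths can alternatively be given declaratively under `Kestrel:Endpoints:<name>:Certificate:Path` and `KeyPath` in `appsettings.json`, which is the route to take when no per-host selection logic is needed.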