Leveraging RKE2 with TLS Passthrough

What did I do?

As a new engineer at Rancher Federal (SUSE Rancher Government Solutions) I wanted to set up Keycloak with TLS Passthrough on my shiny new RKE2 cluster. For the uninitiated, TLS Passthrough is a way for the ingress or proxy to let all TLS traffic pass through untouched, meaning the pod itself terminates TLS rather than the ingress/proxy. RKE2 is fantastic in that it ships with Nginx Ingress. There are a few other options out there on the market for ingress; another favorite is Traefik. But for this cluster I wanted to use the built-in pieces. Nginx it is!

Why do I need it?

This is important if you want to support multiple tenants and don’t have access to Let’s Encrypt. There are several other use cases for using segregated Certificate Authorities (CA). Think logical separation of certificate domains. I know, geeky stuff. 😀

Fun fact, Nginx Ingress does not come configured with TLS Passthrough enabled by default. This is true everywhere, so we will need to enable it. Nginx has some ok docs on this. Basically the --enable-ssl-passthrough flag needs to be added to the command line that starts the nginx controller (in Helm values that is enable-ssl-passthrough: true under extraArgs). Let’s set up a cluster and update Nginx with Helm.

RKE2 for the win!

Setup the Cluster

For setting up RKE2 let’s look at the documentation. For simplicity, I like following the Tarball method, aka curl|bash. The instructions should be straightforward. The gist is to set up the server first and then add the other nodes. If you want the easy button there is a script for everything at the end of the post.

Updating Nginx Helm – HelmChartConfig

One cool feature of RKE2 is that it monitors a directory on the server to automatically deploy/update helm charts. We can easily take advantage of this to update Nginx to allow TLS Passthrough. From the documentation we can add a chart to /var/lib/rancher/rke2/server/manifests on the server, and it will then be applied automatically. Below is the exact HelmChartConfig we used to automatically update Nginx to enable TLS Passthrough. Specifically, note the line enable-ssl-passthrough: true.

apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: rke2-ingress-nginx   # must match the name of the bundled chart
  namespace: kube-system
spec:
  valuesContent: |-
    controller:
      config:
        use-forwarded-headers: true
      extraArgs:
        enable-ssl-passthrough: true   # adds --enable-ssl-passthrough to the controller command line

Fairly simple right?

Update Ingress Annotations

Once enable-ssl-passthrough is enabled we will need to update the Ingress object. Take a quick look at the formal Nginx documentation. We need to add nginx.ingress.kubernetes.io/ssl-passthrough: "true" to the annotation section to tell Nginx to pass the traffic to the pod.

Here is an example.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
  name: keycloak
  namespace: keycloak
spec:
  rules:
  - host: keycloak.dockr.life
    http:
      paths:
      - backend:
          service:
            name: keycloak
            port:
              number: 8443
        path: /
        pathType: Prefix
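Passthrough has two switches, the controller flag from the HelmChartConfig above and the annotation on each Ingress, and it is easy to get one of them slightly wrong (annotation value not the string "true", a path other than / that nginx will never look at because routing happens on the TLS SNI name before any HTTP parsing, a spec.tls block that is silently unused because the pod presents its own certificate). The following checker is an added example and is not code from the original post or from RKE2; it assumes you feed it the JSON that kubectl prints for the controller workload (in RKE2 the DaemonSet rke2-ingress-nginx-controller in kube-system, an assumption you may need to adjust) and for the Ingress, and it includes constructed sample objects so it runs without a cluster.

```python
"""Check that nginx TLS passthrough is switched on end to end.

Usage against a live cluster (resource names are assumptions, adjust as needed):
  kubectl -n kube-system get ds rke2-ingress-nginx-controller -o json > ctrl.json
  kubectl -n keycloak get ingress keycloak -o json > ing.json
  python3 check_passthrough.py ctrl.json ing.json
Without arguments it runs over the constructed samples at the bottom.
"""
import json
import sys

# Ingress-side switch (per-Ingress annotation) and controller-side switch
# (process flag). Both must be on for passthrough to work.
PASSTHROUGH_ANNOTATION = "nginx.ingress.kubernetes.io/ssl-passthrough"
CONTROLLER_FLAG = "--enable-ssl-passthrough"


def controller_has_passthrough(workload: dict) -> bool:
    """True if a container in the controller's pod template is started with
    --enable-ssl-passthrough (bare or =true). Accepts Deployment or DaemonSet JSON."""
    template = workload.get("spec", {}).get("template", {}).get("spec", {})
    for container in template.get("containers", []):
        for arg in container.get("args", []) + container.get("command", []):
            if arg == CONTROLLER_FLAG:
                return True
            if arg.startswith(CONTROLLER_FLAG + "="):
                return arg.split("=", 1)[1].lower() == "true"
    return False


def ingress_findings(ingress: dict) -> list:
    """Return the problems that would make passthrough fail or surprise you for
    this Ingress; an empty list means the object looks consistent."""
    findings = []
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    value = annotations.get(PASSTHROUGH_ANNOTATION)
    if value != "true":
        findings.append(f"annotation {PASSTHROUGH_ANNOTATION} is {value!r}; "
                        "nginx only honours the string \"true\"")
    spec = ingress.get("spec", {})
    for i, rule in enumerate(spec.get("rules", [])):
        if not rule.get("host"):
            findings.append(f"rule {i} has no host; passthrough picks the backend "
                            "from the TLS SNI name, so a host is required")
        for entry in (rule.get("http") or {}).get("paths", []):
            path = entry.get("path", "/")
            if path != "/":
                findings.append(f"rule {i} path {path!r} is never evaluated; "
                                "passthrough happens before HTTP, only the host matters")
    if spec.get("tls"):
        findings.append("spec.tls is set but unused for passthrough hosts; "
                        "the backend pod presents its own certificate")
    return findings


# Constructed sample objects, shaped like `kubectl get ... -o json` output.
CONTROLLER_OK = {"spec": {"template": {"spec": {"containers": [
    {"name": "controller",
     "args": ["/nginx-ingress-controller", "--enable-ssl-passthrough=true"]}]}}}}
CONTROLLER_MISSING = {"spec": {"template": {"spec": {"containers": [
    {"name": "controller", "args": ["/nginx-ingress-controller"]}]}}}}

INGRESS_OK = {
    "metadata": {"name": "keycloak", "namespace": "keycloak",
                 "annotations": {PASSTHROUGH_ANNOTATION: "true"}},
    "spec": {"rules": [{"host": "keycloak.dockr.life", "http": {"paths": [
        {"path": "/", "pathType": "Prefix",
         "backend": {"service": {"name": "keycloak", "port": {"number": 8443}}}}]}}]}}
INGRESS_BAD = {  # annotation forgotten, path-based rule, unused TLS secret
    "metadata": {"name": "keycloak", "namespace": "keycloak"},
    "spec": {"tls": [{"hosts": ["keycloak.dockr.life"], "secretName": "keycloak-tls"}],
             "rules": [{"host": "keycloak.dockr.life", "http": {"paths": [
                 {"path": "/auth", "pathType": "Prefix",
                  "backend": {"service": {"name": "keycloak", "port": {"number": 8443}}}}]}}]}}


def main(argv):
    """Two file arguments: controller JSON then Ingress JSON. None: use the samples."""
    if len(argv) == 3:
        with open(argv[1]) as f:
            ctrl = json.load(f)
        with open(argv[2]) as f:
            ing = json.load(f)
    else:
        ctrl, ing = CONTROLLER_OK, INGRESS_BAD
    flag_on = controller_has_passthrough(ctrl)
    print(f"controller started with {CONTROLLER_FLAG}: {flag_on}")
    problems = ingress_findings(ing)
    for problem in problems:
        print("ingress:", problem)
    return 0 if flag_on and not problems else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

One thing the checker cannot tell you, but that you should keep in mind when choosing passthrough: because nginx never decrypts the stream, anything it would normally do at layer 7 (request logging, rate limits, ModSecurity or other WAF rules, header rewriting) does not apply to passthrough hosts. The pod owns the TLS configuration and its own request-level protections.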

Profit!


Automate Things

What if we wanted to take things a step further? How can we automate all this? Let’s not get into a battle over which automation tool is better, bash of course. Take a look at a repo/script I use to build clusters: github.com/clemenko/k3s. Specifically, on line 187 there is an ssh -> echo command that will write out the helm chart to the correct directory.

And for fun here is a snippet for deploying keycloak.

# deploy
kubectl apply -f https://raw.githubusercontent.com/clemenko/k8s_yaml/master/keycloak.yml

# add ingress
kubectl apply -f https://raw.githubusercontent.com/clemenko/k8s_yaml/master/keycloak_nginx.yml

Need Help?

Please feel free to reach out to me at:
