ssl-passthrough terminates TLS even when not expected to

[Spindel]

I'm trying to get TLS passthrough to the inner pod with nginx-controller 0.9.0-beta.7

Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/force-ssl-redirect: "false"
    ingress.kubernetes.io/ssl-passthrough: "true"
    kubernetes.io/ingress.allow-http: "false"
  name: ingress-foobar
spec:
  backend:
    serviceName: foobar-service
    servicePort: 443
  rules:
  - host: foobar.modio.se
    http:
      paths:
      - backend:
          serviceName: foobar-service
          servicePort: 443
  tls:
  - hosts:
    - foobar.modio.se

However, when performing a curl request on the ingress, I'm getting the TLS cert from the ingress, and not from the Pod.

Advice on how to debug this further would be welcome. Attached is the generated nginx conf, one foobar, one barfoo.
nginx.txt

[aledbf]

@Spindel remove the tls section and only leave the annotation ingress.kubernetes.io/ssl-passthrough: "true"

[Spindel]

Attempting that gives me an ingress configured on port 80, but nothing on port 443.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
      name: ingress-foobar
      annotations:
          ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  backend:
      serviceName: foobar-service
      servicePort: 443
  rules:
  - host: foobar.modio.se
    http:
      paths:
      - backend:
          serviceName: foobar-service
          servicePort: 443

[aledbf]

@Spindel ssl passthrough in the nginx ingress controller means that all the traffic received in port 443 will be sent to the foobar-service in port 443. There is no nginx listen server for that port (please check the bottom of the generated nginx.conf running kubectl exec <nginx pod> cat /etc/nginx/nginx.conf)

[Spindel]

Right, so how do I prevent http => https promotion from nginx where i use TLS passthrough?

I'm attempting to do something that I thought would be simple, forward https => https and http=>http on the pod.

[Spindel]

so, After restarting everyhing and going from a simple ssl-passthrough as this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/ssl-passthrough: "true"
  name: ingress-foobar
spec:
  rules:
  - host: foobar.modio.se
    http:
      paths:
      - backend:
          serviceName: foobar-service
          servicePort: 443

I have achieved ssl-passthrough!

However, http is also promoted to https in nginx, which completely breaks the point for us. Attempting to specify both http and https for the same backend (through ingress) works "sometimes" as it appears dependent on the order of the backends found if backend traffic is directed to http or https port.

This can be verified in the nginx config and the diff output from the controller.

So, I'm still not closer to a functional setup, but at least TLS ends up in the proper place, while HTTP ends up in the wrong place.

[Spindel]

so, further than that, since nginx-ingress listens on port 80 and redirects data to service:443, we can no longer even detect clear-text access and redirect or reject it.

[dghubble]

@Spindel was this addressed?

[PaulCharlton]

I am having precisely this issue -- 301 redirect from http to https .. with a barebones ingress resource spec same as above; for testing purposes, all backends are http with no TLS