Terminate API TLS with an ELB #234

Closed
ProTip opened this issue Jul 29, 2016 · 9 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.
Comments

@ProTip

ProTip commented Jul 29, 2016

It would be great if we could allow the API's TLS to be terminated by an ELB. This would allow us to reuse certificates we have and avoid distributing the certs/keys around to the nodes. It's likely we would want to be going through an ELB when everything is deployed into private subnets as well.

@justinsb
Member

justinsb commented Aug 3, 2016

I'm pretty sure we use client certificates and ELB doesn't support them. But I'll check!

@ProTip
Author

ProTip commented Aug 3, 2016

It wouldn't. I guess I was just not aware of how authentication and encryption were handled.

If token or basic auth were used would we need TLS termination?

@justinsb justinsb modified the milestone: 1.3.2 Aug 15, 2016
@lattwood
Contributor

lattwood commented Sep 7, 2016

Could do it in TCP mode instead of actually terminating things.

@zytek
Contributor

zytek commented Nov 15, 2016

Does this relate to #834?

@justinsb justinsb modified the milestones: 1.4.5, 1.5.0 Dec 28, 2016
@justinsb
Member

We now have ELB support for the API (and some refinements in #1268).

Moving this particular issue (TLS offload / custom certs) to 1.5.1 though.

@justinsb justinsb modified the milestones: 1.5.1, 1.5.0 Dec 28, 2016
@blakebarnett

Is this actually needed? We do this by simply creating a separate "External" service record with a cert via the annotation in TCP mode and let dns-controller create the DNS for it.

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 6, 2018
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 9, 2018
@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close


7 participants