TLS Passthrough in Kong

[patrickgatiri]

Hello.

I need help configuring Kong to allow TLS passthrough to the upstream service.

I have deployed Kong as an ingress controller for my Kubernetes cluster. I am using Capsule: https://github.com/clastix/capsule as my multitenant solution. I have deployed Capsule Proxy: https://github.com/clastix/capsule-proxy as a reverse proxy for the Kubernetes API server. In order to authenticate the user, Capsule needs to be aware of the client certificates that a user provides to the ingress controller. This means that Kong needs not terminate the TLS connection from the client, but rather pass it forward as is to the capsule proxy.

I would really appreciate any help I can get.

[pmalek]

Hi @patrickgatiri 👋

What you're looking for is konghq.com/protocols: tls_passthrough annotation that you can set on TCPIngresses.

https://docs.konghq.com/kubernetes-ingress-controller/latest/references/annotations/#konghqcomprotocols

[patrickgatiri]

Hi @pmalek . Thank you very much for your response.

Do I need to setup any specific configuration on the Kong helm chart in order for this to work? I have created the TCPIngress resource and used both the protocols and snis annotations. However, I keep getting this error:
curl: (52) Empty reply from server

Is the SSL passthrough functionality supported out of the box by Kong?

[patrickgatiri]

Here is my full TCPIngress resource for context:

apiVersion: configuration.konghq.com/v1beta1
kind: TCPIngress
metadata:
  name: tcpingress
  annotations:
    konghq.com/protocols: tls_passthrough
    konghq.com/snis: "kong.local"
spec:
  rules:
  - port: 9000
    backend:
      serviceName: my_service
      servicePort: 12345

[pmalek]

What's the curl command you're using?