I have a spring boot application hosted on k8s and enforced mTLS on the App itself. I am able to do the mTLS on the connectivity by doing a SSL termination on the Ingress level and then again forwarding the certificates to the springboot pod as well.
Problem is, Liveness and Readiness probes as currently not sure how to send the certificates in the readiness/liveness probes?
Any help would be appreciated.
From the official documentation configuring probes:
If scheme field is set to HTTPS, the kubelet sends an HTTPS request skipping the certificate verification.
This is what the manifest would look like:
apiVersion: v1
kind: Pod
metadata:
labels:
run: nginx
name: alive-n-ready-https
spec:
containers:
- name: nginx
image: viejo/nginx-mockit
livenessProbe:
httpGet:
path: /
port: 443
scheme: HTTPS
readinessProbe:
httpGet:
path: /
port: 443
scheme: HTTPS
And while without scheme, the probes would fail with 400 (bad request), as you are sending a http packet to an endpoint that expects https:
10.132.15.199 - - [27/May/2020:18:10:36 +0000] "GET / HTTP/1.1" 400 271 "-" "kube-probe/1.17"
With scheme: HTTPS, it would succeed:
10.132.15.199 - - [27/May/2020:18:26:28 +0000] "GET / HTTP/2.0" 200 370 "-" "kube-probe/1.17"
