I have a pod with two containers in it - one of them supports HTTPS (Spring Boot SSL with SSC) on port 8081. I want to expose this port somehow so that there is HTTPS support for the /ts prefix, but not for others. I don't want to configure TLS termination or anything else provided by Ambassador, just expose my own HTTPS handling. Is it possible?
---
apiVersion: v1
kind: Service
metadata:
  name: {{ include "project.fullname" . }}
  labels:
    app.kubernetes.io/name: {{ include "project.name" . }}
    helm.sh/chart: {{ include "project.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
spec:
  type: {{ .Values.service.type }}
  ports:
    - port: 8081
      targetPort: 8081
      protocol: TCP
      name: ts-https
    - port: {{ .Values.service.port }}
      targetPort: 8080
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/name: {{ include "project.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
...
---
apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: {{ include "project.name" . }}-ts
spec:
  prefix: /ts
  rewrite: ""
  host: cluster.local
  service: https://project:8081
  timeout_ms: 10000
  connect_timeout_ms: 10000
curl doesn't work sadly:
$ curl --raw -vLk 'https://cluster.local/ts/demo'
* Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to cluster.local (127.0.0.1) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/cert.pem
CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to cluster.local:443
* Closing connection 0
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to cluster.local:443
So I suppose cluster.local:80/ts is forwarded to project:8081 but port 443 is not.