I have a GKE cluster, external domain name, and letsencrypt certs. When I am using a Load balancer and instruct pods to use certs that I generate using certbot then performance is quite good. But I have to renew certs manually which takes a lot of effort.
When using an ingress controller and letting cert-manager update certs by itself, the additional hops add latency and make the traffic path more complex. The connection is then on h2 from the client to the ingress, and the connection becomes plain HTTP from the ingress to the pods.
Is there any way to remove the extra hops when using the nginx ingress controller and take out the performance issue?
CodePudding user response:
There is no extra hop if you are using the cert-manager with ingress.
You can use cert-manager; it will save the cert into a secret and attach it to the ingress. However, it's up to you where you are doing TLS termination.
You can also pass the HTTPS traffic through to the POD for end-to-end encryption; if you are doing TLS termination at the ingress level, backend traffic to the POD will be in plain HTTP.
Internet > ingress (TLS in secret) > Plain HTTP if you terminate > service > PODs
If you want to use the certificate in the POD, you can mount the secret into the POD, and it will then be used by the application.
https://kubernetes.io/docs/concepts/configuration/secret/#using-secrets-as-files-from-a-pod
If you use the secret with the POD you might need to reload the POD; in that case you can use Reloader to auto roll out the PODs.
Reloader: https://github.com/stakater/Reloader
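Putting the answer together as an added example (not from the answer above or from the cert-manager, ingress-nginx or Reloader projects): cert-manager issues the cert into a secret, the same secret terminates TLS at the nginx ingress, the ingress re-encrypts to the pods instead of sending plain HTTP, the pods mount the secret, and Reloader rolls them on renewal. Assumed names: a ClusterIssuer `letsencrypt-prod`, host `app.example.com`, a Service `app` on port 8443, and an application that serves TLS on 8443 from the mounted files.

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata: {name: app-tls}
spec:
  secretName: app-tls          # cert-manager writes tls.crt / tls.key here
  dnsNames: [app.example.com]
  issuerRef: {name: letsencrypt-prod, kind: ClusterIssuer}
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app
  annotations:
    # re-encrypt from the ingress to the pods instead of sending plain HTTP
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  tls:
  - hosts: [app.example.com]
    secretName: app-tls        # same secret terminates TLS at the ingress
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend: {service: {name: app, port: {number: 8443}}}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: app
  annotations:
    # Reloader rolls the pods when cert-manager renews this secret
    secret.reloader.stakater.com/reload: "app-tls"
spec:
  selector: {matchLabels: {app: app}}
  template:
    metadata: {labels: {app: app}}
    spec:
      containers:
      - name: app
        image: example/app:latest    # placeholder image; must serve TLS on 8443
        ports: [{containerPort: 8443}]
        volumeMounts:
        - {name: tls, mountPath: /etc/tls, readOnly: true}
      volumes:
      - name: tls
        secret: {secretName: app-tls}
```

Note that `backend-protocol: "HTTPS"` removes the plain-HTTP leg but not the hop: the ingress still terminates the client's TLS session and opens a second one to the pod, so the path stays two TLS sessions long.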