Passthrough Ingress

Overview

In the passthrough mode, an Ingress is used to send secure traffic to the backend pods without TLS termination in Avi.

Using the Passthrough Ingress

To use this mode, annotate the Ingress with passthrough.ako.vmware.com/enabled: "true" (the value is a string, as in the sample manifest below).

Like passthrough Routes in the OpenShift environment, a set of shared L4 virtual services are created by AKO to handle all TLS passthrough hosts.

These virtual services listen on port 443 and each carries one L4 SSL DataScript. The name of each virtual service has the format clustername--Shared-Passthrough-shardnumber. The number of shards is configured with the passthroughShardSize flag during installation using Helm.

A sample passthrough Ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress1
  annotations:
    passthrough.ako.vmware.com/enabled: "true"
spec:
  ingressClassName: avi-lb
  rules:
  - host: "pass.avi.internal"
    http:
      paths:
      - path: /foo
        backend:
          service:
            name: avisvc1
            port:
              number: 80

For each passthrough host, one unique pool group is created and attached to the DataScript of the virtual service selected by the sharding logic. One pool is attached to that pool group.

For passthrough hosts in an Ingress, a second virtual service is created for each shared L4 VS to handle insecure traffic on port 80. HTTP request policies are added to this VS for each passthrough host so that insecure requests receive an HTTP redirect response. The virtual services listening on port 443 and port 80 share a common VSVip, which lets the DNS VS resolve the hostname to one IP address consistently. The name of the insecure shared VS has the format clustername--Shared-Passthrough-shardnumber-insecure.
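The following is an added example, not AKO's own code: a pre-deploy check that encodes the points above (the passthrough annotation, one pool group per host, the shared VS naming) together with one Kubernetes fact, that annotation values must be strings, so an unquoted YAML true is rejected by the API server. Shard numbering starting at 0 is an assumption; the sharding hash itself is not described on this page, so the helper lists every candidate VS name rather than picking one.

```python
from typing import Dict, List

ANNOTATION = "passthrough.ako.vmware.com/enabled"

def validate_passthrough_ingress(ingress: Dict) -> List[str]:
    """Return the problems found; an empty list means the manifest looks usable."""
    problems = []
    annotations = ingress.get("metadata", {}).get("annotations") or {}
    value = annotations.get(ANNOTATION)
    if value is None:
        problems.append(f"missing annotation {ANNOTATION}")
    elif not isinstance(value, str):
        # Kubernetes annotation values must be strings: an unquoted YAML `true`
        # becomes a boolean and the API server rejects the object.
        problems.append(f'{ANNOTATION} must be the string "true", got {value!r}')
    elif value != "true":
        problems.append(f"{ANNOTATION} is {value!r}, passthrough stays disabled")
    spec = ingress.get("spec", {})
    if not spec.get("ingressClassName"):
        problems.append("spec.ingressClassName is not set")
    rules = spec.get("rules") or []
    if not rules:
        problems.append("no rules: at least one passthrough host is needed")
    for i, rule in enumerate(rules):
        # AKO creates one pool group per passthrough host, so a rule needs a host.
        if not rule.get("host"):
            problems.append(f"rules[{i}] has no host")
        for j, path in enumerate((rule.get("http") or {}).get("paths") or []):
            svc = (path.get("backend") or {}).get("service") or {}
            if not svc.get("name") or not svc.get("port"):
                problems.append(f"rules[{i}].paths[{j}] backend service name or port missing")
    return problems

def expected_shared_vs_names(cluster_name: str, shard_size: int) -> List[str]:
    """Names of the shared passthrough VSes (port 443 and the port-80 'insecure' twin)
    in the format this page gives; shard numbering from 0 is an assumption."""
    names = []
    for n in range(shard_size):
        base = f"{cluster_name}--Shared-Passthrough-{n}"
        names += [base, f"{base}-insecure"]
    return names

# Constructed sample: the page's Ingress, but with the annotation value unquoted.
BAD_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "ingress1", "annotations": {ANNOTATION: True}},
    "spec": {"ingressClassName": "avi-lb", "rules": [{"host": "pass.avi.internal",
             "http": {"paths": [{"path": "/foo", "backend": {"service": {
                 "name": "avisvc1", "port": {"number": 80}}}}]}}]},
}
```

Run the validator against a manifest loaded from YAML before applying it; the list of expected VS names is handy when searching for the objects on the Avi controller.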

Document Revision History

Date               Change Summary
August 23, 2021    Published the article for Passthrough Ingress