In passthrough mode, an Ingress is used to send secure traffic to the backend pods without TLS termination in Avi.
Using the Passthrough Ingress
To use this, the Ingress is annotated with passthrough.ako.vmware.com/enabled: "true", as in the example below.
Like passthrough Routes in the OpenShift environment, a set of shared L4 virtual services is created by AKO to handle all TLS passthrough hosts.
These virtual services listen on port 443 and have one L4 SSL DataScript each. The name of the virtual service is of the format clustername--Shared-Passthrough-shardnumber. The number of shards can be configured with the passthroughShardSize flag at installation time using Helm.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress1
  annotations:
    passthrough.ako.vmware.com/enabled: "true"
spec:
  ingressClassName: avi-lb
  rules:
    - host: "pass.avi.internal"
      http:
        paths:
          - path: /foo
            backend:
              service:
                name: avisvc1
                port:
                  number: 80
```
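As an added example (not AKO's own code and not from the original page), a stdlib-only Python lint for a manifest like the one above: it checks that the passthrough annotation key is present with the quoted string value "true" (an unquoted YAML true becomes a boolean, which the Kubernetes API rejects for annotations), that the ingressClassName matches, and that every rule has a host and a backend service with a port number. The check rules and the avi-lb class expectation are this example's assumptions; the annotation key and manifest shape come from the page.

```python
import json

PASSTHROUGH_ANNOTATION = "passthrough.ako.vmware.com/enabled"  # key from the page

# The page's example Ingress, transcribed to JSON so this runs with the stdlib only.
PAGE_EXAMPLE = json.loads("""
{"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
 "metadata": {"name": "ingress1",
              "annotations": {"passthrough.ako.vmware.com/enabled": "true"}},
 "spec": {"ingressClassName": "avi-lb",
          "rules": [{"host": "pass.avi.internal",
                     "http": {"paths": [{"path": "/foo", "backend": {"service":
                              {"name": "avisvc1", "port": {"number": 80}}}}]}}]}}
""")


def lint_passthrough_ingress(ingress, ingress_class="avi-lb"):
    """Return a list of findings for an Ingress meant for AKO passthrough mode.

    An empty list means every check passed. The checks are this example's own
    (assumption), derived from the manifest shape the page shows.
    """
    findings = []
    meta = ingress.get("metadata") or {}
    spec = ingress.get("spec") or {}
    value = (meta.get("annotations") or {}).get(PASSTHROUGH_ANNOTATION)
    if value is None:
        findings.append("annotation %s is missing" % PASSTHROUGH_ANNOTATION)
    elif not isinstance(value, str):
        # Kubernetes annotation values are strings: an unquoted YAML `true`
        # arrives as a boolean and the API server rejects the object.
        findings.append("annotation value must be the quoted string \"true\"")
    elif value != "true":
        findings.append("annotation value %r does not enable passthrough" % (value,))
    if spec.get("ingressClassName") != ingress_class:
        findings.append("ingressClassName is not %r" % ingress_class)
    rules = spec.get("rules") or []
    if not rules:
        findings.append("spec.rules is empty")
    for i, rule in enumerate(rules):
        if not rule.get("host"):
            # Passthrough traffic is keyed per host (one pool group per host).
            findings.append("rule %d has no host" % i)
        paths = (rule.get("http") or {}).get("paths") or []
        if not paths:
            findings.append("rule %d has no backend paths" % i)
        for j, path in enumerate(paths):
            svc = (path.get("backend") or {}).get("service") or {}
            if not svc.get("name") or not (svc.get("port") or {}).get("number"):
                findings.append("rule %d path %d needs a backend service name and port number" % (i, j))
    return findings


if __name__ == "__main__":
    for finding in lint_passthrough_ingress(PAGE_EXAMPLE) or ["ok"]:
        print(finding)
```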
For each passthrough host, one unique pool group is created and the pool group is attached to the DataScript of the virtual service derived by the sharding logic. One pool is also attached to the corresponding pool group.
For passthrough hosts in an Ingress, another virtual service is created for each shared L4 VS to handle insecure traffic on port 80. HTTP request policies are added to this VS for each passthrough host to send an HTTP redirect response for insecure traffic. The virtual services listening on ports 443 and 80 share a common VSVIP, which lets the DNS VS resolve the hostname to one IP address consistently. The name of the insecure shared VS would be of the format
Document Revision History

| Date | Change |
|---|---|
| August 23, 2021 | Published the article for Passthrough Ingress |