Passthrough Ingress

Overview

In the passthrough mode, an Ingress is used to send secure traffic to the backend pods without TLS termination in Avi.

Using the Passthrough Ingress

To use this mode, annotate the Ingress with passthrough.ako.vmware.com/enabled: "true".

Like passthrough Routes in the OpenShift environment, a set of shared L4 virtual services are created by AKO to handle all TLS passthrough hosts.

Each of these virtual services listens on port 443 and has one L4 SSL DataScript. The name of the virtual service is of the format clustername--'Shared-Passthrough'-shardnumber. The number of shards can be configured using the passthroughShardSize flag during installation with Helm.


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress1
  annotations:
    passthrough.ako.vmware.com/enabled: "true"
spec:
  ingressClassName: avi-lb
  rules:
  - host: "pass.avi.internal"
    http:
      paths:
      - path: /foo
        backend:
          service:
            name: avisvc1
            port:
              number: 80

For each passthrough host, one unique pool group is created and the pool group is attached to the DataScript of the virtual service derived by the sharding logic. One pool is also attached to the corresponding pool group.

For passthrough hosts in an Ingress, another virtual service is created for each shared L4 virtual service to handle insecure traffic on port 80. HTTP request policies are added to this virtual service for each passthrough host to send an HTTP redirect response for insecure traffic. The virtual services listening on ports 443 and 80 share a common VSVip, which allows the DNS virtual service to resolve the hostname to one IP address consistently. The name of the insecure shared virtual service is of the format clustername--'Shared-Passthrough'-shard-number-'insecure'.

AviInfraSetting Support in Passthrough Ingress

AviInfraSetting can be applied to the passthrough ingress through the ingress class. For more information, see Attaching Avi Infra Setting to Ingress.

After the AviInfraSetting is applied to the ingress, a new set of shared L4 virtual services is mapped to the hosts of the ingress.

  • The name of the virtual service that listens on port 443 would be of the format <cluster-name>--Shared-Passthrough-<aviinfrasetting-name>-<shardnumber>.

  • The name of the virtual service that listens for insecure traffic would be of the format <cluster-name>--Shared-Passthrough-<aviinfrasetting-name>-<shardnumber>-insecure.

For each FQDN, a new unique pool group and pool will be created.

  • The name of the pool group would be of the format <cluster-name>--<aviinfrasetting-name>-<hostname>.
  • The name of the pool would be of the format <cluster-name>--<aviinfrasetting-name>-<hostname>-<servicename>.
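As an added example, covering both the passthrough annotation above and the AviInfraSetting naming scheme (this is not AKO's or the page's own code): the following Python lints a passthrough Ingress manifest and derives the Avi object names the page documents. It assumes the manifest is already parsed into a dict and that the cluster name, AviInfraSetting name and shard number are supplied by the caller, since AKO's sharding logic is not reproduced here.

```python
# Added example (not AKO's own code): lint a passthrough Ingress manifest and
# derive the Avi object names documented above. Assumed: manifests are already
# parsed into dicts; cluster name, AviInfraSetting name and shard number are
# supplied by the caller (AKO's sharding logic is not reproduced here).
from typing import Any, Dict, List

PASSTHROUGH_ANNOTATION = "passthrough.ako.vmware.com/enabled"

def lint_passthrough_ingress(ingress: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the manifest looks usable."""
    problems: List[str] = []
    value = (ingress.get("metadata", {}).get("annotations") or {}).get(PASSTHROUGH_ANNOTATION)
    if value is None:
        problems.append(f"missing annotation {PASSTHROUGH_ANNOTATION}")
    elif not isinstance(value, str):
        # Unquoted `true` in YAML is a boolean; annotation values must be strings,
        # so the API server rejects the object instead of enabling passthrough.
        problems.append(f'{PASSTHROUGH_ANNOTATION} must be the quoted string "true", got {value!r}')
    elif value != "true":
        problems.append(f"{PASSTHROUGH_ANNOTATION} is {value!r}; passthrough stays disabled")
    for index, rule in enumerate(ingress.get("spec", {}).get("rules") or []):
        if not rule.get("host"):  # passthrough objects are created per host
            problems.append(f"rule {index} has no host")
    return problems

def avi_object_names(cluster: str, infra_setting: str, shard: int,
                     hostname: str, service: str) -> Dict[str, str]:
    """Expected names when an AviInfraSetting is attached through the ingress class."""
    shared_vs = f"{cluster}--Shared-Passthrough-{infra_setting}-{shard}"
    return {
        "secure_vs": shared_vs,                  # port 443, runs the L4 SSL DataScript
        "insecure_vs": f"{shared_vs}-insecure",  # port 80, sends the HTTP redirect
        "pool_group": f"{cluster}--{infra_setting}-{hostname}",
        "pool": f"{cluster}--{infra_setting}-{hostname}-{service}",
    }

# Constructed sample manifests: the page's example, and a copy with the annotation unquoted.
GOOD_INGRESS = {
    "metadata": {"name": "ingress1", "annotations": {PASSTHROUGH_ANNOTATION: "true"}},
    "spec": {"ingressClassName": "avi-lb",
             "rules": [{"host": "pass.avi.internal",
                        "http": {"paths": [{"path": "/foo", "backend": {
                            "service": {"name": "avisvc1", "port": {"number": 80}}}}]}}]},
}
BAD_INGRESS = {"metadata": {"annotations": {PASSTHROUGH_ANNOTATION: True}},
               "spec": {"rules": [{"http": {}}]}}
```

Running lint_passthrough_ingress(BAD_INGRESS) reports both the unquoted annotation and the host-less rule, while the page's own manifest passes cleanly.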

Document Revision History

Date                Change Summary
September 29, 2022  Updated AviInfraSetting support in passthrough ingress
August 23, 2021     Published the article for Passthrough Ingress