Guy. I really value the work you do but I just simply can’t get to a point where my setup is secure enough.
I want to enable the Consul UI in Kubernetes using your Helm chart. TLS is enabled, which means the deployment is exposed on port 443 and SSL passthrough has to be enabled so that connecting clients get served TLS certificates directly from the deployment.
This setup won't allow multiple ingress controllers (one internal, one external), because in SSL passthrough mode the connection simply passes through the nginx controller. So even if the ingress for the consul-ui is configured with an ingress class pointing to an internal ingress controller (not exposed on a public IP via an LB), the ingress controller with the public IP will still serve it, since it can't read the context of the connection and passes the connection down to kube-proxy? I guess.
This means that even if the ingress is not defined for public access (defined for internal), public access will be available, thus exposing all the nodes and services to the internet, since the default ACL allows read on nodes and services.
I tried disabling anonymous access (editing the ACL to deny), but after a redeploy these ACL policies get overridden by the ACL init container.
Could you help me out: how could I set Consul up (possibly with TLS enabled) without having to expose my service to the public internet?
Thank you
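As an added example (not part of the post above and not the Helm chart's own manifests): one way to keep an SSL-passthrough Ingress on a dedicated internal ingress-nginx controller so that the public controller never selects it. Every name here is an assumption: the `nginx-internal` class, the `k8s.io/internal-ingress-nginx` controller value, the `consul` namespace, the `consul-ui` Service and its port 443, and the `consul.internal.example` hostname. The example relies on ingress-nginx only serving Ingress objects whose class it is configured for: the internal controller is started with `--ingress-class=nginx-internal --controller-class=k8s.io/internal-ingress-nginx --enable-ssl-passthrough`, while the public controller keeps its default class and is not started with `--watch-ingress-without-class`.

```yaml
# Added example with assumed names; not the chart's manifests.
#
# Internal controller Deployment args assumed for this setup:
#   - --ingress-class=nginx-internal
#   - --controller-class=k8s.io/internal-ingress-nginx
#   - --enable-ssl-passthrough
# The internal controller's Service also needs the provider-specific
# "internal load balancer" annotation (varies per cloud; not shown).
#
# 1. A dedicated IngressClass for the internal controller. Its controller
#    value must differ from the public controller's (assumed to be the
#    default "k8s.io/ingress-nginx"), otherwise both controllers claim it.
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
  name: nginx-internal
spec:
  controller: k8s.io/internal-ingress-nginx
---
# 2. The Consul UI Ingress, pinned to that class. With ssl-passthrough the
#    controller forwards the raw TLS stream by SNI, so the certificate the
#    client sees is the one served by the assumed "consul-ui" Service.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: consul-ui
  namespace: consul
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx-internal
  rules:
    - host: consul.internal.example
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: consul-ui
                port:
                  number: 443
```

To verify the split from outside the cluster, run `openssl s_client -servername consul.internal.example -connect <public-lb-ip>:443` against the public controller's address and confirm it does not return the Consul server certificate, then repeat against the internal address from inside the private network and confirm it does. Passthrough routes on the TLS SNI value, so the check must send the same `-servername` the Ingress rule uses.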