SSL Passthrough and UI with multiple ingress controllers

Guy. I really value the work you do but I just simply can’t get to a point where my setup is secure enough.

I want to enable consul UI in kubernetes using your helm chart. TLS is enabled, which means the deployment is exposed on port 443 and SSL passthrough has to be enabled so the clients connecting get served with TLS certificates directly from the deployment.

This setup won't allow having multiple ingress controllers (one internal, one external) because in SSL passthrough mode the connection simply just passes through the nginx controller. So, even if the ingress for the consul-ui is configured with an ingress class pointing to an internal ingress (not exposed to public IP via LB) the ingress with public IP will still serve it since it can't read the context of the connection and passes down the connection to the kube-proxy? I guess.

This means even if the ingress is not defined for public access (defined for internal), public access will be available, thus exposing all the nodes and services to the internet since the default ACL allows read on nodes and services.

I tried disabling anonymous access (editing ACL) to deny but after redeploy these acl policies get overridden by the acl init container.

Could you help me out, how could I set consul up (possibly with TLS enabled) without having to expose my service to the public internet?

Thank you

Hi, sorry for the big delay.

I’d recommend either using two separate ingress controllers (Multiple Ingress controllers - NGINX Ingress Controller) one with SSL passthrough enabled and one without or simply setting HTTPS and not using the consul ui certs:

ui:
  ingress:
    annotations: |
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
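The two options from the reply above, written out as one added worked configuration (editor's example, not code from the thread, the consul-k8s chart or the ingress-nginx project). It assumes the ingress-nginx Helm chart for the controllers and the consul-k8s Helm chart for the UI ingress; the class name `internal-nginx`, the hostname, the TLS secret name and the internal-load-balancer annotation are placeholders to adapt.

```yaml
# Added example (editor's, not from the thread). Assumed: ingress-nginx chart for the
# controllers, consul-k8s chart for the UI. Class name, host, secret name and the
# load-balancer annotation are placeholders.

# --- values for the INTERNAL ingress-nginx release ----------------------------
# Only this controller sees the consul-ui Ingress, because the Ingress below pins
# ingressClassName to this class; the public controller never loads that Ingress.
controller:
  ingressClass: internal-nginx                 # the --ingress-class this controller watches
  ingressClassResource:
    name: internal-nginx
    controllerValue: "k8s.io/internal-ingress-nginx"
  extraArgs:
    enable-ssl-passthrough: ""                 # option 1 only; leave out on the public controller
  service:
    annotations:
      # placeholder: replace with your cloud's annotation that makes this LB internal-only
      example.com/load-balancer-internal: "true"

---
# --- values for the consul-k8s release (option 2: no passthrough) ---------------
global:
  tls:
    enabled: true                              # Consul servers keep serving TLS on 443
ui:
  enabled: true
  ingress:
    enabled: true
    ingressClassName: internal-nginx           # matches the internal controller only
    pathType: Prefix
    hosts:
      - host: consul.internal.example          # placeholder hostname
        paths:
          - /
    # Option 2: the controller terminates the client's TLS itself and opens a new
    # HTTPS connection to Consul, so the Consul UI certs are never shown to clients.
    # Option 1 would instead use nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    # and rely on the passthrough-enabled internal controller only.
    annotations: |
      nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    tls:
      - secretName: consul-ui-ingress-tls      # placeholder: cert the controller presents to clients
        hosts:
          - consul.internal.example
```

With option 2 the certificate clients see is the one in `consul-ui-ingress-tls`, not the Consul UI certificate, and the hop from the controller to Consul is still encrypted because of the `backend-protocol: "HTTPS"` annotation. Because the Ingress object carries `ingressClassName: internal-nginx`, a second, public ingress-nginx release watching a different class never programs a route for the UI host, whichever of the two options is used.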