3

I'm currently trying to set up an MQTT broker (VerneMQ) on my Kubernetes cluster (GKE). At the moment I'm using nginx-ingress-controller with a Google-provided L4 load balancer. The VerneMQ deployment and service are running in the cluster, and a subdomain is pointing to the specific IP of the load balancer. The specific ConfigMap for TCP over nginx-ingress-controller was created. I'm able to connect with an MQTT client via the subdomain over MQTT/TCP, but now I also want this to run in a more secure way with MQTTS/TLS.

Is it possible to run TCP over SSL through nginx-ingress-controller with Let's Encrypt certificates issued by cert-manager in order to connect with MQTTS to my broker?

Are there any other ingress controllers which offer this functionality?

Thank you in advance.

hengel28

2 Answers

1

It seems that haproxy-ingress supports this? I haven't tested it, but from the documentation this option may work:

...
data:
  "9900": "system-prod/admin:9900:PROXY::system-prod/tcp-9900"

9900 will proxy to admin service, port 9900, on the system-prod namespace. Clients should connect using the PROXY protocol v1 or v2. Upcoming connections should be encrypted, HAProxy will ssl-offload data using crt/key provided by system-prod/tcp-9900 secret.

Mike Fiedler
fengwt
0

There exist two different nginx ingress controllers for Kubernetes:

  1. the "default" nginx-ingress, which is developed by the Kubernetes community and mostly referred to
  2. the "corporate" nginx-ingress version by the company NGINX (exists as a free version and a paid "PLUS" version)

The first one (Kubernetes community version) only supports TLS termination for web traffic (HTTP). The second, however, supports TLS termination at the TCP level through the TransportServer Custom Resource. You need to define a custom MQTT listener in the global configuration when installing nginx for this to work.

See my answer to this question for more details.

nehtor.t
  • 131
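
The setup the second answer describes, written out as manifests for the NGINX Inc. controller with a cert-manager certificate; this is an added example, not part of the original answers or the project's own documentation. The hostname `mqtt.example.com`, the `mqtt` and `nginx-ingress` namespaces, the `vernemq` Service on port 1883, the `letsencrypt-prod` ClusterIssuer and the listener name are assumptions, as is a controller release that serves the `k8s.nginx.org/v1` API and supports `tls.secret` on TransportServer.

```yaml
# Added example: every name, namespace and hostname below is a placeholder.
# 1. cert-manager issues the Let's Encrypt certificate into a TLS secret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mqtt-tls
  namespace: mqtt
spec:
  secretName: mqtt-tls            # secret referenced by the TransportServer
  dnsNames:
    - mqtt.example.com
  issuerRef:
    name: letsencrypt-prod        # assumed, already existing ClusterIssuer
    kind: ClusterIssuer
---
# 2. Global listener for MQTTS. The controller must be started with
#    -global-configuration=nginx-ingress/nginx-configuration
apiVersion: k8s.nginx.org/v1      # k8s.nginx.org/v1alpha1 on older releases
kind: GlobalConfiguration
metadata:
  name: nginx-configuration
  namespace: nginx-ingress
spec:
  listeners:
    - name: mqtt-tls
      port: 8883
      protocol: TCP
---
# 3. NGINX terminates TLS on the listener and forwards plain MQTT
#    to the broker Service inside the cluster.
apiVersion: k8s.nginx.org/v1      # k8s.nginx.org/v1alpha1 on older releases
kind: TransportServer
metadata:
  name: vernemq-mqtts
  namespace: mqtt                 # same namespace as the TLS secret
spec:
  listener:
    name: mqtt-tls                # must match the GlobalConfiguration listener
    protocol: TCP
  tls:
    secret: mqtt-tls
  upstreams:
    - name: vernemq
      service: vernemq
      port: 1883
  action:
    pass: vernemq
```

The controller's LoadBalancer Service also has to expose port 8883, otherwise the listener is unreachable from outside. With termination at NGINX, the hop from the controller to the broker is unencrypted MQTT, so restrict access to port 1883 inside the cluster (for example with a NetworkPolicy).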