tunnel between 2 AKS clusters

maratusa
2024-02-19T05:09:19.5566667+00:00

Hi - This is a technical question and I am wondering how to achieve it. I have two Kubernetes clusters. I would like to set up a tunnel between the two clusters using stunnel on one side and nginx on the other. All TCP traffic going out of the first cluster will need to transit through stunnel. This TCP traffic will be encrypted using stunnel and then offloaded at the nginx ingress controller of the destination cluster. I would like some guidance on how to achieve the egress tunnel, i.e., how to configure the stunnel "service" to tunnel traffic from one cluster to another cluster. Thank you


1 answer

    Anveshreddy Nimmala, Microsoft External Staff Moderator
    2024-02-19T11:26:17.5933333+00:00

    Hello maratusa, welcome to Microsoft Q&A. Thank you for posting your query here. To set up a tunnel between two Kubernetes clusters using stunnel and nginx:

    1. Deploy stunnel in the source cluster and nginx in the destination cluster. i. You can deploy stunnel and nginx using Kubernetes deployments. Example of a stunnel deployment:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: stunnel
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: stunnel
      template:
        metadata:
          labels:
            app: stunnel
        spec:
          containers:
          - name: stunnel
            image: stunnel:latest
            # stunnel takes the config file path as its argument; the file is
            # mounted under /etc/stunnel from a ConfigMap in step 4.iii
            args: ["/etc/stunnel/stunnel.conf"]
            ports:
            - containerPort: 443

    Example of an nginx deployment:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: nginx
      template:
        metadata:
          labels:
            app: nginx
        spec:
          containers:
          - name: nginx
            image: nginx:latest
            ports:
            - containerPort: 80
    

    2. Create a Kubernetes service in the source cluster to expose the stunnel deployment. i. You can create a Kubernetes service to expose the stunnel deployment:

    apiVersion: v1
    kind: Service
    metadata:
      name: stunnel
    spec:
      selector:
        app: stunnel
      ports:
      - name: stunnel
        port: 443
        targetPort: 443
    

    3. Create a Kubernetes service in the destination cluster to expose the nginx deployment. i. You can create a Kubernetes service to expose the nginx deployment:

    apiVersion: v1
    kind: Service
    metadata:
      name: nginx
    spec:
      selector:
        app: nginx
      ports:
      - name: http
        port: 80
        targetPort: 80
    

    4. Configure stunnel to forward traffic to the destination cluster. i. To configure stunnel to forward traffic to the destination cluster, you need to create a stunnel configuration file that specifies the source and destination endpoints. Example of a stunnel configuration file:

    [nginx]
    client = yes
    ; bind to the pod's interfaces, not loopback, so the stunnel Service (targetPort 443) can reach it
    accept = 0.0.0.0:443
    connect = <destination-cluster-ip>:443
    ; note: without verifyChain and a CAfile the destination's certificate is not checked

    ii. Mount this configuration file as a Kubernetes ConfigMap and reference it in the stunnel deployment. Example of how to mount the configuration file as a ConfigMap:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: stunnel-config
    data:
      stunnel.conf: |
        [nginx]
        client = yes
        ; bind to the pod's interfaces, not loopback, so the Service can reach it
        accept = 0.0.0.0:443
        connect = <destination-cluster-ip>:443

    iii. You can then reference this ConfigMap in the stunnel deployment. Example of a deployment:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: stunnel
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: stunnel
      template:
        metadata:
          labels:
            app: stunnel
        spec:
          containers:
          - name: stunnel
            image: stunnel:latest
            # full path of the config file inside the ConfigMap mount below
            args: ["/etc/stunnel/stunnel.conf"]
            ports:
            - containerPort: 443
            volumeMounts:
            - name: stunnel-config
              mountPath: /etc/stunnel
          volumes:
          - name: stunnel-config
            configMap:
              name: stunnel-config

    5. Configure nginx to receive traffic from stunnel. i. To configure nginx to receive traffic from stunnel, you need to configure the nginx ingress controller to listen on the port that stunnel forwards traffic to. Example of an nginx ingress resource that listens on port 443:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: nginx-ingress
      annotations:
        nginx.ingress.kubernetes.io/ssl-redirect: "false"
    spec:
      rules:
      - host: <hostname>
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx
                port:
                  name: http
      tls:
      - hosts:
        - <hostname>
        secretName: <tls-secret-name>
    

    ii. You can then deploy the nginx ingress controller using a Kubernetes deployment. Example of a deployment:

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: nginx-ingress-controller
    spec:
      replicas: 1
      selector:
        matchLabels:
          app: nginx-ingress-controller
      template:
        metadata:
          labels:
            app: nginx-ingress-controller
        spec:
          containers:
          - name: nginx-ingress-controller
            # the ingress-nginx project's published image; pin a release tag instead of latest
            image: registry.k8s.io/ingress-nginx/controller:<release-tag>
            args:
            - /nginx-ingress-controller
            - --configmap=$(POD_NAMESPACE)/nginx-ingress-controller
            - --default-backend-service=$(POD_NAMESPACE)/default-backend
            - --publish-service=$(POD_NAMESPACE)/nginx-ingress-controller
            - --annotations-prefix=nginx.ingress.kubernetes.io
            # $(POD_NAMESPACE) in args is only expanded if the variable is defined on the container
            env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
            ports:
            - name: http
              containerPort: 80
            - name: https
              containerPort: 443

    Hope this helps you. Please consider accepting the answer to help increase visibility of this question for other members of the Microsoft Q&A community. If not, please let us know what is still needed in the comments so the question can be answered. Thank you for helping to improve Microsoft Q&A!
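The stunnel client config in the answer above has two properties worth checking before it is rolled out: an `accept` bound to loopback is unreachable through the Service, and a `client = yes` section without `verifyChain`/`CAfile`/`checkHost` never authenticates the destination. The following is an added example, not code from the answer or from the stunnel project: a small parser for stunnel's INI-like syntax plus a linter that flags both problems, run against a copy of the answer's config and a hardened variant. The `/etc/stunnel/ca.crt` path and the `<hostname>` value are assumptions.

```python
# Constructed copy of the answer's client config (placeholders kept as-is).
WEAK_CONF = """\
[nginx]
client = yes
accept = 127.0.0.1:443
connect = <destination-cluster-ip>:443
"""
# Hardened variant (assumed CA path and hostname): reachable through the
# stunnel Service, and the destination must present a certificate that
# chains to the mounted CA and carries the expected name.
HARDENED_CONF = """\
[nginx]
client = yes
accept = 0.0.0.0:443
connect = <destination-cluster-ip>:443
verifyChain = yes
CAfile = /etc/stunnel/ca.crt
checkHost = <hostname>
"""
def parse_stunnel_conf(text):
    """Parse stunnel's INI-like syntax into {section: {key: value}}. Keys are
    case-insensitive (lower-cased here); options placed before the first
    [section] are global and are stored under the empty-string key."""
    sections, current = {"": {}}, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, {})
        else:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections
def lint_client_services(text):
    """Return {service: [findings]} for every 'client = yes' service."""
    sections, report = parse_stunnel_conf(text), {}
    for name, opts in sections.items():
        eff = {**sections[""], **opts}             # global options act as defaults
        if not name or eff.get("client", "no").lower() != "yes":
            continue
        verifies = any(eff.get(k, "").lower() == "yes" for k in ("verifychain", "verifypeer"))
        checks = [
            (eff.get("accept", "").rsplit(":", 1)[0] in ("127.0.0.1", "localhost", "::1"),
             "accept is loopback-only: the Service targetPort cannot reach it"),
            (not verifies, "no verifyChain/verifyPeer: the destination is never authenticated"),
            (verifies and not ("checkhost" in eff or "checkip" in eff),
             "no checkHost/checkIP: any certificate from that CA is accepted"),
        ]
        report[name] = [msg for failed, msg in checks if failed]
    return report
```

Running `lint_client_services(WEAK_CONF)` reports both findings for the `nginx` service, while the hardened config reports none.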

