Tag Archives: Kubernetes

List supported Chiper Suits in Kong Gateway using kubectl

Posted by on December 12, 2025 No comments

Working with data transportation (integration) you sometimes need to check the support for some obscure chiper suit that only works with machines from the 60’s 🙂 Here is one way to do that

# Get the name of a kong gateway pod. Here in the namespace "kong"
> kubectl get pods -n kong

...
kong-gateway-abcdef
...

# List chiper suits supported by the pod
> kubectl -n kong exec -it kong-gateway-abcdef -- openssl ciphers -v

Defaulted container "proxy" out of: proxy, clear-stale-pid (init)
TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any  Au=any   Enc=AESGCM(256)            Mac=AEAD
TLS_CHACHA20_POLY1305_SHA256   TLSv1.3 Kx=any  Au=any   Enc=CHACHA20/POLY1305(256) Mac=AEAD
TLS_AES_128_GCM_SHA256         TLSv1.3 Kx=any  Au=any   Enc=AESGCM(128)            Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384  TLSv1.2 Kx=ECDH Au=ECDSA Enc=AESGCM(256)            Mac=AEAD
ECDHE-RSA-AES256-GCM-SHA384    TLSv1.2 Kx=ECDH Au=RSA   Enc=AESGCM(256)            Mac=AEAD
DHE-RSA-AES256-GCM-SHA384      TLSv1.2 Kx=DH   Au=RSA   Enc=AESGCM(256)            Mac=AEAD
ECDHE-ECDSA-CHACHA20-POLY1305  TLSv1.2 Kx=ECDH Au=ECDSA Enc=CHACHA20/POLY1305(256) Mac=AEAD
...

Tested on Kubernetes v1.29.15, Kubectl v1.27, OpenSSL v3.0.30 and OSX v15.6.1

Kubernetes: Reference a section or value inside a manifest

Posted by on June 12, 2024 Comments Off on Kubernetes: Reference a section or value inside a manifest

A colleague showed me this neat trick so I didn’t have to write the same information twice in a Ingress manifest file. I needed to map two hosts to the same path, and instead of duplicate the same information twice we can just reference the “http” section in the previous definition in the second host.

Example:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
  namespace: default
  annotations:
spec:
  ingressClassName: nginx
  rules:
    - host: my-first.domain.se
      http: &http-paths
        paths:
          - path: /my-application
            pathType: Prefix
            backend:
              service:
                name: my-application-service
                port:
                  number: 8080
    - host: my-second.domain.se
      http: *http-paths

The trick here is to use the &-sign to mark a place in manifest that you want to reference. In this example I named the reference “&http-paths”. When we later define the second host (my-second.domain.se) we can just de-reference the reference with the *-sign, here show as “*http-paths”. This will “copy” the whole http section with path, service and port, from the first definition and “paste” it into the second host section.
In Kubernetes this will be de-referenced and look like I put the same information in both hosts

Tested on Tanzu Kubernetes v1.22

Path based routing in a Kubernetes Ingress (Nginx)

Posted by on May 28, 2024 Comments Off on Path based routing in a Kubernetes Ingress (Nginx)

Here we want to route traffic to different applications within our cluster with the help of paths. One advantage of this approach is that we only need one server certificate, since all traffic is going to use the same host.

We will focus on the Ingress here and not the Service object (every application that exposes services will need a Service object as a bridge between the application and the Ingress)

Example:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-application-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /$1
spec:
  ingressClassName: nginx
  rules:
 - host: my.domain.com
   http:
     paths:
     - path: /app-a/(.*)
       pathType: Prefix
       backend:
         service:
           name: my-app-a-service
           port:
             number: 8080  
     - path: /app-b/(.*)
       pathType: Prefix
       backend:
         service:
           name: my-app-b-service
           port:
             number: 8080

With the example configuration above we see that the following url’s are valid:

my.domain.com/app-a/ # will hit the root of my-app-a-service at "/"
my.domain.com/app-a/actuator/health # my-app-a-service at "/actuator/health"
my.domain.com/app-b/service # will route to my-app-b-service at "/service"

How does it work?
First we look at the paths: “/app-a/(.*)”. The “(.*)” part is a regular expression that means “match all characters after the slash (“/”) and put it into a group” .

A little higher up in the configuration we find “nginx.ingress.kubernetes.io/rewrite-target: /$1” annotation. This tells the Ingress that we should extract the first group (“$1”) and forward it to the backend Service. This is the way we remove the first part of the path (/app-a/). We only use this part to separate to what service the call should go and do not want it to follow the call to the backend. Everything after the last slash (“/”) is forwarded to the application, both url and any query parameters.

A nifty solution when you don’t need every service to be a separate domain

Tested on VMWare Tanzu Kubernetes v1.22