Ingress-nginx: SSL Termination for tcp-services

Created on 13 Sep 2018 · 6 comments · Source: kubernetes/ingress-nginx

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.):

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.): tcp, tcp-services, tls, ssl, termination. This is similar to #2003 but that is a request for SSL passthrough, not termination.


Is this a BUG REPORT or FEATURE REQUEST? (choose one): Feature Request

NGINX Ingress controller version: 0.16.2

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.0", GitCommit:"91e7b4fd31fcd3d5f436da26c980becec37ceefe", GitTreeState:"clean", BuildDate:"2018-06-27T20:17:28Z", GoVersion:"go1.10.2", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"11", GitVersion:"v1.11.1", GitCommit:"b1b29978270dc22fecc592ac55d903350454310a", GitTreeState:"clean", BuildDate:"2018-07-17T18:43:26Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration: AWS
  • OS (e.g. from /etc/os-release):
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
  • Kernel (e.g. uname -a):
Linux hostname 4.4.0-112-generic #135-Ubuntu SMP Fri Jan 19 11:48:36 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
  • Install tools:
    Rancher 2.0.7
  • Others:

What happened:
We are going to deploy some (non-HTTP) TCP listening services inside of our Kubernetes cluster and are using the tcp-services ConfigMap to port-forward traffic coming in from outside the cluster to the services running inside the cluster. The problem is that some of the services we want to deploy in Kubernetes cannot terminate SSL themselves and so our only options at this time seem to be:
A) send everything as plaintext :no_good:
B) set up an ELB outside the cluster to terminate SSL and forward traffic :weary:
C) find out some other way to encrypt the traffic on the client side before sending them to these services inside the cluster :dizzy_face:

We are kind of stuck for the time being as there is no good solution to this problem as far as we can tell.

What you expected to happen:
I would like to have the capability to configure SSL termination for upstream TCP servers the same way I can do it for HTTP services in the nginx-configuration ConfigMap. Being able to leverage the default-ssl-certificate unless a cert is specified would be nice as well. There are a lot of SSL options so just to throw something out there perhaps the spec could be something like <listen port>-<ssl option>: "<value>", so a simple rule without proxy_protocol would look something like:

apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  9000: "default/example-go:8080"
  9000-tls-secretname: "tls-secret"
  9000-ssl-protocols: "SSLv3 TLSv1 TLSv1.1 TLSv1.2"
  9000-ssl-ciphers: "HIGH:!aNULL:!MD5"

Or perhaps my ignorance is showing and that's the worst possible way of doing things but hopefully this at least gets a conversation going :smiley:.

How to reproduce it (as minimally and precisely as possible):
curl -v --tlsv1 $URL:$PORT should show the SSL handshake then forward plaintext traffic to the backing service.

Anything else we need to know:
This is supported by NGINX and is outlined in the NGINX documentation here. Would much rather be able to control everything via the NGINX ingress controller than mess with something else like ELBs.
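For reference, this is the NGINX stream-module configuration that the requested feature maps onto, as an added example and not part of the original issue or of anything ingress-nginx renders; the certificate paths and the upstream address are assumptions:

```nginx
# Added example: TLS termination for a raw TCP service in the NGINX stream module.
# Paths and addresses are hypothetical; a controller would have to render this
# from the tcp-services ConfigMap keys proposed in the issue.
stream {
    upstream tcp_9000 {
        # Assumed ClusterIP:port of default/example-go:8080
        server 10.0.0.10:8080;
    }

    server {
        # Accept TLS on the exposed port; the upstream only ever sees plaintext
        listen 9000 ssl;

        # Cert and key that would be written out from the "tls-secret" Secret
        ssl_certificate     /etc/ingress-controller/ssl/tcp-9000.pem;
        ssl_certificate_key /etc/ingress-controller/ssl/tcp-9000.key;

        # Restrict to protocol versions without known downgrade weaknesses
        # (TLSv1.3 needs NGINX 1.13.0+ built against OpenSSL 1.1.1+)
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers   HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        proxy_pass tcp_9000;
    }
}
```

With this in place, `openssl s_client -connect $URL:9000` shows the handshake terminating at NGINX, while a packet capture on the upstream side shows only plaintext, which is the behaviour the reproduction step above describes.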

All 6 comments

Closing. We are not going to add more features to TCP and UDP. Please use these features only as a last resort. Please check for alternatives like metallb.

Is this still the case given the reversal of decision to remove TCP/UDP @aledbf ?

We are after the same feature, terminating ssl over tcp, to be able to put emqtt broker behind nginx.

@aledbf metallb won't work for @jrodonnell, or anyone else using hosted kubernetes. please reconsider your rejection of this feature request, especially since tls termination and tcp proxying are very popular features of nginx.

I would like to have this request too for my mqtt broker behind nginx-ingress
