
Generate and configure TLS certs for an application in Kubernetes at Ingress level


TLS basic working model: 

Secure communication between two entities is paramount in today's digital world. TLS provides authenticated, encrypted end-to-end communication between two machines over a network: the server (and optionally the client) proves its identity with a certificate, and the traffic that follows is encrypted so that nobody on the path can read or silently modify it.

A classic example of the TLS model is accessing www.google.com (server) via a browser (client). The following basic steps are involved:
* The client opens a connection when the URL is entered in the browser and sends a ClientHello listing the TLS versions and cipher suites it supports.
* The server responds with its certificate chain.
* The browser validates the chain: each certificate's signature is checked up to a root CA present in the browser's trust store, the hostname in the URL is matched against the certificate's Subject Alternative Name, and the validity period is checked. If the chain does not end at a trusted root, which is exactly what happens with a self-signed certificate, the browser warns and asks the user whether to trust it.
* Optionally the client sends its own certificate, which the server verifies (mutual TLS); this is off by default for public websites.
* Once verification is done, both sides derive a shared session key from the key exchange. Application data is then encrypted with that symmetric session key; the certificate's private key is used only during the handshake, never to encrypt the traffic itself.

Generating TLS certs:

There are many tools on the market for generating certificates. OpenSSL is one of the most widely used open-source tools; we will use it to generate a self-signed TLS certificate for the sample application.

Plain TLS certs:
openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
  -subj "/CN=nginx.testdomain.com" \
  -addext "subjectAltName=DNS:nginx.testdomain.com" \
  -out tls.crt -keyout tls.key
The Common Name (CN) and the subjectAltName must both carry the hostname through which we will access the sample application; modern browsers and curl ignore the CN and only match the SAN, so a certificate with CN alone is rejected with a hostname mismatch. The -addext flag requires OpenSSL 1.1.1 or later; on older versions, drop -subj and -addext and answer the interactive prompts instead, supplying the hostname as the Common Name. The outcome is tls.crt (the certificate) and tls.key (the private key). Keep tls.key readable only by you (chmod 600 tls.key); anyone holding it can impersonate the host.

* Let's create a Kubernetes secret of type TLS from the cert files. The secret stores the private key, so restrict who can read secrets in this namespace via RBAC.
    kubectl create secret tls nginx-tls-secret --key tls.key --cert tls.crt -n default

* Run the nginx sample application as a Deployment and expose it via a Service using the kubectl command line. (On current kubectl versions, kubectl run creates a bare Pod rather than a Deployment, so kubectl expose deploy/nginx would fail; kubectl create deployment produces the Deployment the next step expects.)
    kubectl create deployment nginx --image=nginx --port=80
    kubectl expose deploy/nginx --port=80

* Assuming an ingress controller is already running in the Kubernetes cluster, let's create an Ingress for the nginx application that routes the hostname to the nginx service and references nginx-tls-secret in its tls section (set the ingress class, via ingressClassName or the cluster's ingress-class annotation, according to the controller in use). Save the manifest to a file and run kubectl apply -f filename.yaml.

* If no DNS record is registered, add an /etc/hosts entry mapping the hostname used in the Ingress to the IP address of the node where the ingress controller is running. Since we are using a self-signed certificate, the client will not trust it by default: rather than disabling verification (curl -k or clicking through a browser warning, which would also accept an attacker's certificate), point the client at tls.crt as its trusted CA, e.g. curl --cacert tls.crt https://nginx.testdomain.com/, or import tls.crt into the browser's trust store.
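The whole procedure above as one script, added here as an example and not taken from the original post. It generates the self-signed certificate with a SAN, creates the secret, Deployment and Service, renders and applies the Ingress manifest that the post describes, and verifies the result by pinning tls.crt instead of disabling certificate checks. The hostname nginx.testdomain.com, the default namespace and the secret name come from the post; INGRESS_CLASS=nginx, the Ingress object name and the use of ingressClassName (rather than the older kubernetes.io/ingress.class annotation) are assumptions you should adjust for your cluster. It needs OpenSSL 1.1.1+ for -addext, kubectl configured against the cluster, and curl.

```shell
#!/bin/sh
# Example script (not from the original post). Hostname, namespace and secret
# name match the post; INGRESS_CLASS and the Ingress name are assumptions.
HOST="${HOST:-nginx.testdomain.com}"
NAMESPACE="${NAMESPACE:-default}"
SECRET="${SECRET:-nginx-tls-secret}"
INGRESS_CLASS="${INGRESS_CLASS:-nginx}"   # assumption: set to your controller's class

# Self-signed certificate carrying the hostname in the SAN (browsers and curl
# ignore the CN). Requires OpenSSL 1.1.1 or newer for -addext.
gen_cert() {
  openssl req -new -newkey rsa:4096 -x509 -sha256 -days 365 -nodes \
    -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
    -out tls.crt -keyout tls.key
  chmod 600 tls.key   # the private key must stay private
}

# Render the Ingress manifest to stdout. Pure string work, no cluster needed.
# Args: host namespace ingress_class secret_name
render_ingress() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx
  namespace: $2
spec:
  ingressClassName: $3
  tls:
  - hosts:
    - $1
    secretName: $4
  rules:
  - host: $1
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx
            port:
              number: 80
EOF
}

# Create the secret, the workload, the service and the Ingress.
deploy() {
  kubectl create secret tls "$SECRET" --key tls.key --cert tls.crt -n "$NAMESPACE"
  kubectl create deployment nginx --image=nginx --port=80 -n "$NAMESPACE"
  kubectl expose deployment nginx --port=80 -n "$NAMESPACE"
  render_ingress "$HOST" "$NAMESPACE" "$INGRESS_CLASS" "$SECRET" | kubectl apply -f -
}

# Verify without touching DNS or /etc/hosts: --resolve steers the hostname to
# the ingress node, and --cacert pins our self-signed cert instead of -k, so
# the check fails if the controller serves some other (e.g. default) cert.
verify() {
  curl -sS --resolve "$HOST:443:$1" --cacert tls.crt \
    -o /dev/null -w '%{http_code}\n' "https://$HOST/"
}

case "${1:-}" in
  cert)   gen_cert "$HOST" ;;
  deploy) deploy ;;
  render) render_ingress "$HOST" "$NAMESPACE" "$INGRESS_CLASS" "$SECRET" ;;
  verify) verify "${2:?usage: $0 verify <ingress-node-ip>}" ;;
  *)      : ;;   # no arguments: only define the functions
esac
```

Run it in three steps: sh tls-ingress.sh cert, then sh tls-ingress.sh deploy, then sh tls-ingress.sh verify <node-ip>, which should print 200. If verify fails with a certificate error while curl -k succeeds, the controller is not serving your secret (wrong namespace, wrong ingress class, or a host mismatch between the Ingress and the SAN), which is precisely the misconfiguration that disabling verification would hide.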

The application now runs in the Kubernetes cluster and is reachable over HTTPS with the TLS certificate terminated at the Ingress (https://nginx.testdomain.com). Note that with this setup the hop from the ingress controller to the nginx pod is plain HTTP inside the cluster; if that traffic also needs protection, terminate TLS at the pod or use a service mesh.
