{"id":902,"date":"2022-03-16T14:59:48","date_gmt":"2022-03-16T14:59:48","guid":{"rendered":"https:\/\/blog.ngocha.biz\/?p=902"},"modified":"2022-03-16T14:59:48","modified_gmt":"2022-03-16T14:59:48","slug":"configure-ingress-tls-kubernetes","status":"publish","type":"post","link":"https:\/\/blog.ngocha.biz\/?p=902","title":{"rendered":"How To Configure Ingress TLS\/SSL Certificates in Kubernetes"},"content":{"rendered":"

In this blog, you will learn how to configure ingress TLS certificates for Kubernetes Ingress resources.<\/p>\n

This blog is based on an actual demo done using demo.mlopshub.com<\/code> public DNS and its self-signed certificate. If you do not have a domain name, you can use the workstation host file for DNS resolution or the curl resolve command.<\/p>\n

\n
Note<\/strong><\/b>: SSL & TLS are the same. SSL is the old name. TLS is the updated version of SSL. Dont get confused \ud83d\ude42<\/div>\n<\/div>\n

Prerequisites and Assumptions<\/h2>\n

For this blog, the assumption is you have a working ingress controller setup, and you want to configure TLS for your ingress resource.<\/p>\n

This blog is part of the Kubernetes Ingress series. If you do not have an ingress controllers setup or want to understand Kubernetes ingress concepts in detail, please go through the following blogs first.<\/p>\n

    \n
  1. Kubernetes Ingress Tutorial <\/a>– Covers all Ingress concepts<\/li>\n
  2. Setup Nginx Kubernetes Ingress controller<\/a> – Detailed guide on ingress controller<\/li>\n<\/ol>\n

    Obtaining Kubernetes Ingress SSL\/TLS Certificates<\/h2>\n

    The basic requirement for ingress TLS is a TLS\/SSL certificate<\/strong>. You can obtain these certificates in the following ways.<\/p>\n

      \n
    1. Self-Signed Certificates:<\/strong> TLS certificate created and signed by our own Certificage Authority. It is great optionfor development environments where you can share the rootCA with the team so that browsers can trust the certificate. Check out create self-signed certificate<\/a> blog to create your own certificates.<\/li>\n
    2. Purchase an SSL Certificate:<\/strong> You need to buy an SSL certificate from a well-known certificate authority trusted by browsers & operating systems for production use cases. Check out the top SSL Providers<\/a> for more information.<\/li>\n
    3. Use Letsencrpt Certificate:<\/strong> Letsencrypt<\/a> is a non-profit trusted certificate authority that provides free TLS certificates.<\/li>\n<\/ol>\n

      Every SSL certificate comes with an expiry date. So you need to rotate the certificate before it expires. For example, Letsecrypt certificates expire every three months. I will talk about automated certificate rotation towards the end of the article.<\/p>\n

      Also, if you are working on an internal application, most organizations have their own PKI infrastructure for providing SSL certificates for internal applications. You can request the network\/security team to provide the certificates.<\/p>\n

      How Does Ingress TLS\/SSL Work?<\/h2>\n

      Adding TLS to ingress is pretty simple. All you have to do is,<\/p>\n

        \n
      1. Create a Kubernetes secret with server.crt<\/code> certificate and server.key private key file.<\/li>\n
      2. Add the TLS block to the ingress resource with the exact hostname used to generate cert that matches the TLS certificate.<\/li>\n<\/ol>\n

        SSL is handled by the ingress controller, not the ingress resource<\/strong>. Meaning, when you add TLS certificates to the ingress resource as a kubernetes secret, the ingress controller access it and makes it part of its configuration.<\/p>\n

        For example, in the Nginx controller, the SSL certificates are dynamically handled<\/strong> by the following block in nginx.conf<\/code><\/p>\n

        ssl_certificate_by_lua_block {\n\t\t\tcertificate.call()\n\t\t}<\/code><\/pre>\n
        The following diagram shows the high-level ingress TLS workflow.<\/p>\n
        \"\"<\/figure>\n
        Configure Ingress TLS\/SSL Certificates<\/h2>\n
        Let’s look a the steps in configuring TLS in ingress.<\/p>\n
        Deploy a Test Application<\/h4>\n
        Let’s begin by deploying a sample application. We will use this application to test our ingress TLS.<\/p>\n
        Create a dev namespace.<\/p>\n
        kubectl create ns dev<\/code><\/pre>\n
        Save the following YAML as hello-app.yaml<\/code>. It has a deployment and service object.<\/p>\n
        apiVersion: apps\/v1\nkind: Deployment\nmetadata:\n  name: hello-app\n  namespace: dev\nspec:\n  selector:\n    matchLabels:\n      app: hello\n  replicas: 2\n  template:\n    metadata:\n      labels:\n        app: hello\n    spec:\n      containers:\n      - name: hello\n        image: \"gcr.io\/google-samples\/hello-app:2.0\"\n\n---\n\napiVersion: v1\nkind: Service\nmetadata:\n  name: hello-service\n  namespace: dev\n  labels:\n    app: hello\nspec:\n  type: ClusterIP\n  selector:\n    app: hello\n  ports:\n  - port: 80\n    targetPort: 8080\n    protocol: TCP\n<\/code><\/pre>\n
        Deploy the test application.<\/p>\n
        kubectl apply -f hello-app.yaml <\/code><\/pre>\n
        Create a Kubernetes TLS Secret<\/h4>\n
        \n
        Note<\/strong><\/b>: Here the assumption is you have the server.crt<\/code> and server.key<\/code> SSL files from a Certificate authority or your organization or self-signed.<\/div>\n<\/div>\n
        The SSL certificate should be added as a Kubernetes secret. It will be then referred to the ingress resources TLS block.<\/p>\n
        Let’s create a Kubernetes secret of type TLS with the server.crt<\/code> and server.key<\/code> files (SSL certificates). We are creating the secret in the dev namespace where we have a hello app deployment.<\/p>\n
        Execute the following kubectl command from the directory where you have the server.crt<\/code> and key files or provide the absolute path of the files . hello-app-tls<\/code> is an arbitrary name.<\/p>\n
        kubectl create secret tls hello-app-tls \\\n    --namespace dev \\\n    --key server.key \\\n    --cert server.crt<\/code><\/pre>\n
        Following is the equivalent YAML<\/code> file where you have to add the crt and key file contents.<\/p>\n
        apiVersion: v1\nkind: Secret\nmetadata:\n  name: hello-app-tls\n  namespace: dev\ntype: kubernetes.io\/tls\ndata:\n  server.crt: |\n       <crt contents here>\n  server.key: |\n       <private key contents here><\/code><\/pre>\n
        Add TLS block to Ingress Object<\/h4>\n
        The ingress resource with TLS has to be created in the same namespace where you have the application deployed. So we create the example ingress TLS resource<\/strong> in  dev<\/code> namespace.<\/p>\n
        Save the following YAML as ingress.yaml<\/code>. Replace demo.mlopshub.com<\/code> with your hostname.<\/p>\n
        apiVersion: networking.k8s.io\/v1\nkind: Ingress\nmetadata:\n  name: hello-app-ingress\n  namespace: dev\nspec:\n  ingressClassName: nginx\n  tls:\n  - hosts:\n    - demo.mlopshub.com\n    secretName: hello-app-tls\n  rules:\n  - host: \"demo.mlopshub.com\"\n    http:\n      paths:\n        - pathType: Prefix\n          path: \"\/\"\n          backend:\n            service:\n              name: hello-service\n              port:\n                number: 80<\/code><\/pre>\n
        As you can see, I have added the TLS block<\/strong> with the hostname (demo.mlopshub.com<\/code>) and tls secret we created in the previous step. I have created the self-signed TLS certificate with emo.mlopshub.com<\/code> domain.<\/p>\n
        tls:\n  - hosts:\n    - demo.mlopshub.com\n    secretName: hello-app-tls<\/code><\/pre>\n
        The host in the TLS block and rules block should match.<\/p>\n
        \ud83c\udf89  Congratulations you have deployed Ingress with TLS.<\/p>\n
        Validate Ingress TLS<\/h2>\n
        You can validate the Ingress TLS using the curl command as well as the browser.<\/p>\n
        From the CLI, run the curl command as given below with your domain name.<\/p>\n
        curl https:\/\/demo.mlopshub.com -kv<\/code><\/pre>\n
        In the output, under server certificate, you can validate the certificate details as shown below.<\/p>\n
        \"validate<\/figure>\n
        From the browser, access the domain and click the Lock icon to view the certificate details. If you have a valid certificate, you will see the information as shown below.<\/p>\n
        \"validate<\/figure>\n
        If you don’t have a valid certificate or if the ingress TLS configuration is wrong, you will see “Your connection is not private” security warning and if you check the certificate details, you will see the certificate name as “Kubernetes Ingress Controller Fake Certificate<\/strong>“.<\/p>\n
        \"Kubernetes<\/figure>\n
        Kubernetes Ingress Controller Fake Certificate<\/strong> is the default SSL certificate that comes with the Nginx ingress controller. If you check the nginx.conf of the Nginx<\/code> controller, you will see the configured default certificates as shown below.<\/p>\n
        \"default<\/figure>\n
        Ingress SSL Termination<\/h2>\n
        By default, SSL gets terminated in ingress the controller<\/p>\n
        So all the traffic from the controller to the pod will be without TLS (decrypted traffic)<\/p>\n
        If you want full SSL, you can add the supported annotation by the ingress controller you are using. For example, In the Nginx ingress controller, to allow SSL traffic till the application, you can use the nginx.ingress.kubernetes.io\/backend-protocol: \"HTTPS\"<\/code> annotation. For this, your application should have SSL configured.<\/p>\n
        Conclusion<\/h2>\n
        In this blog, we have learned to configure ingress TLS certificates with kubernetes <\/strong>ingress TLS example<\/strong><\/p>\n
        Also, you can configure more TLS parameters using annotations<\/strong>. The annotations differ between different ingress controllers.<\/p>\n
        Also, if you are learning Kubernetes, you can check out my Kubernetes tutorials for beginners<\/a>.<\/p>\n
        Drop a comment if you need any clarification or tips to share.<\/p>\n
        \n
        Ngu\u1ed3n:<\/strong> How To Configure Ingress TLS\/SSL Certificates in Kubernetes \u2014 DevOpsCube<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
        Source: https:\/\/devopscube.com\/configure-ingress-tls-kubernetes\/<\/p>\n","protected":false},"author":1,"featured_media":903,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-902","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/902","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=902"}],"version-history":[{"count":0,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/posts\/902\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=\/wp\/v2\/media\/903"}],"wp:attachment":[{"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=902"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=902"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ngocha.biz\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=902"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}