How to get SSL in a Kubernetes app?

I have a simple Meteor app deployed on Kubernetes.
I set the service to an external IP address,
so it is accessible from within the cluster. Now I want to expose it on the Internet and serve it over HTTPS,
but I can't figure it out...
Can anyone give simple instructions for this part?

+6
2 answers

In my opinion, kube-lego is the best solution for GKE. Here is why:

Configuration example (that is all there is to it!):

    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: kube-lego
      namespace: kube-lego
    data:
      lego.email: "your@email"
      lego.url: "https://acme-v01.api.letsencrypt.org/directory"

Ingress example (you can create several of them):

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: site1
      annotations:
        # remove next line if not using nginx-ingress-controller
        kubernetes.io/ingress.class: "nginx"
        # next line enables kube-lego for this Ingress
        kubernetes.io/tls-acme: "true"
    spec:
      tls:
      - hosts:
        - site1.com
        - www.site1.com
        - site2.com
        - www.site2.com
        secretName: site12-tls
      rules:
        ...
+10

There are several ways to configure the SSL endpoint, but whatever you choose has to solve two problems: first, you need to obtain a valid certificate and key; second, you need to configure the SSL endpoint in your infrastructure.

Take a look at the k8s ingress controller. You can hand the ingress controller a certificate/key pair from the k8s secret store to set up the SSL endpoint. Of course, this requires that you already have a valid certificate and key.

You could also look at k8s-specific solutions for issuing and using certificates, such as the Kubernetes Letsencrypt Controller, but I have never used them and cannot say how well they work.

Here are some general ideas for issuing and using SSL certificates:

1. Obtaining a valid SSL certificate and key

AWS

If you are running on AWS, the easiest way I can think of is to create an ELB, which can issue an SSL certificate for you automatically.

Let's Encrypt

You can also look at Let's Encrypt to issue free certificates for your domain. The nice thing is that you can automate the certificate issuing process.

CA

Of course, you can always go the old-fashioned way and have a certificate issued by a vendor you trust.

2. Configuring the SSL endpoint

AWS

Again, if you have an ELB, it already acts as the endpoint and you're done. Of course, your client ↔ ELB connection is encrypted, but ELB ↔ k8s cluster is not.

k8s ingress controller

As mentioned above, depending on the k8s version you are using, you can also configure TLS on the ingress controller.

K8s proxy

Another option is to set up a service inside your k8s cluster that terminates the SSL connection and proxies the traffic, unencrypted, to your Meteor application. You can use nginx as the proxy for this. In that case, I suggest storing the certificate key in the k8s secret store and mounting it into the nginx container. NEVER ship a container that has secrets such as certificate keys stored inside it! Of course, you still need to get your encrypted traffic to the k8s node; again, there are several ways to achieve this... The easiest would be to change your DNS record to point at the k8s nodes, but ideally you would use a TCP LB.

+6
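Both answers end up with a certificate/key pair in a `kubernetes.io/tls` Secret: kube-lego writes one into `site12-tls` for the Ingress above, and the ingress-controller and nginx-proxy options in the second answer expect you to supply one yourself. The script below is an added example, not code from either answer or from kube-lego. It does the pre-flight checks a practitioner wants before applying that Secret: that the private key actually belongs to the certificate, that the certificate's subjectAltName covers every host listed under `tls.hosts`, and then it emits the Secret manifest so the key lives in the secret store rather than in an image. It assumes a POSIX shell with `openssl` (1.1.1 or newer, for `-addext`) and `base64`, and the hostnames are taken from the Ingress example above. The self-signed certificate it generates is a constructed stand-in for one issued by Let's Encrypt or another CA.

```shell
#!/bin/sh
# Added example (not from the answers above): pre-flight checks on a
# certificate/key pair before it goes into a kubernetes.io/tls Secret.
# Assumes PEM-encoded files and hostnames taken from the Ingress tls.hosts.
set -e

# Print the DNS names from the certificate's subjectAltName, one per line.
cert_dns_names() {
  openssl x509 -noout -text -in "$1" \
    | awk '/Subject Alternative Name/ { getline; print; exit }' \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Print "ok" if every host is covered by the certificate, either exactly or by
# a wildcard one label up (*.site1.com covers www.site1.com, not site1.com).
# Otherwise print "missing:<host>" and fail, so a CI step can stop here.
cert_covers() {
  cert=$1; shift
  names=$(cert_dns_names "$cert")
  for h in "$@"; do
    printf '%s\n' "$names" | grep -qxF -e "$h" -e "*.${h#*.}" \
      || { echo "missing:$h"; return 1; }
  done
  echo ok
}

# Print "match" if the private key belongs to the certificate, by comparing the
# public key derived from each side. Works for RSA and EC keys alike.
cert_key_match() {
  cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null || true)
  key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null || true)
  if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
    echo match
  else
    echo mismatch; return 1
  fi
}

# Emit the same kubernetes.io/tls Secret that `kubectl create secret tls`
# would build, so the key goes into the k8s secret store, never into an image.
tls_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
type: kubernetes.io/tls
data:
  tls.crt: $(base64 < "$2" | tr -d '\n')
  tls.key: $(base64 < "$3" | tr -d '\n')
EOF
}

# Constructed sample: a throwaway self-signed certificate for two of the hosts
# from the Ingress above. A real deployment would use the CA-issued one.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=site1.com" \
  -addext "subjectAltName=DNS:site1.com,DNS:www.site1.com" \
  -keyout "$WORK/tls.key" -out "$WORK/tls.crt" 2>/dev/null

cert_key_match "$WORK/tls.crt" "$WORK/tls.key"
cert_covers "$WORK/tls.crt" site1.com www.site1.com
# site2.com is in the Ingress hosts list but not in this certificate:
# report it instead of aborting the demo.
cert_covers "$WORK/tls.crt" site2.com || echo "fix the certificate before applying the Secret"
tls_secret_manifest site12-tls "$WORK/tls.crt" "$WORK/tls.key"
```

Pipe the manifest into `kubectl apply -f -` rather than committing it: the `data` fields are only base64, not encrypted, so a manifest in a repository leaks the key exactly as a baked-in image would.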

Source: https://habr.com/ru/post/1014795/
