In Kubernetes, a deployment and a service of type "LoadBalancer" are created for an Nginx application. The code is here. The application is accessible using External IP 10.120.x.y. The application is not exposed via HTTPS; it is insecure.

root@desktop:~/github/nginx-app# kubectl get svc
NAME                                       TYPE           CLUSTER-IP       EXTERNAL-IP                    PORT(S)                                                                   AGE
nginx-cms-service                          LoadBalancer   10.100.x.y   10.120.x.y,100.x.y.z   80:30596/TCP

I need to expose the application (obviously its service) via HTTPS using TLS in an ingress (not sure whether this is the right approach to expose the application via HTTPS). I deployed the Kubernetes nginx ingress controller and need to create the ingress for the application. I am stuck while creating the ingress: I need to create the tls.crt and tls.key, then create a secret for the ingress using the commands below.

  • I do not know what value to pass to the variable HOST, and what significance will the HOST name have?
  • How and what is the external name by which the application will be accessible? Do I need a DNS entry to resolve the name to get to the application?

Generally, it makes sense to use the server name for server certificates, like SERVERNAME.key and SERVERNAME.crt, where SERVERNAME is the actual hostname of the server. Is the certificate created for the ingress, the service or the application?

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${KEY_FILE} -out ${CERT_FILE} -subj "/CN=${HOST}/O=${HOST}"
kubectl create secret tls ${CERT_NAME} --key ${KEY_FILE} --cert ${CERT_FILE}

My ingress.yaml has the value spec.rules.host: nginx-cms-app.com, so I am using the name like below. Is this correct?

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout nginx-cms-app.com.key -out nginx-cms-app.com.crt -subj "/CN=nginx-cms-app.com/O=nginx-cms-app.com"
kubectl create secret tls nginx-cms-app.com --key nginx-cms-app.com.key --cert nginx-cms-app.com.crt
intechops6
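
The self-signed route from the question, written out as an added example (not part of the original post): it generates the pair for the ingress host, then checks that the key belongs to the certificate and that a TLS client would accept the certificate for that host before the secret is created. It adds a subjectAltName entry because current TLS clients match the hostname against SAN rather than CN; the function names, the temporary directory and the use of `-addext` (OpenSSL 1.1.1 or later) are assumptions of this example.

```shell
#!/bin/sh
# Added example. Function names and file layout are illustrative assumptions.
set -eu

# Create a self-signed key/cert pair whose SAN (not only the CN) names the ingress host.
make_ingress_cert() {  # usage: make_ingress_cert HOST OUTDIR
    host=$1; dir=$2
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" \
        -subj "/CN=$host/O=$host" \
        -addext "subjectAltName=DNS:$host" 2>/dev/null
    chmod 600 "$dir/$host.key"   # the private key is unencrypted (-nodes)
}

# Succeeds only if the certificate's public key belongs to the private key.
cert_matches_key() {  # usage: cert_matches_key CERT KEY
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Succeeds only if hostname verification would accept the certificate for HOST.
cert_covers_host() {  # usage: cert_covers_host CERT HOST
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

HOST=nginx-cms-app.com        # must equal spec.rules.host in ingress.yaml
WORK=$(mktemp -d)
make_ingress_cert "$HOST" "$WORK"
cert_matches_key "$WORK/$HOST.crt" "$WORK/$HOST.key" \
    || { echo "key and certificate do not match" >&2; exit 1; }
cert_covers_host "$WORK/$HOST.crt" "$HOST" \
    || { echo "certificate does not cover $HOST" >&2; exit 1; }

# The secret is created with the command from the question once both checks pass.
echo "checks passed; next: kubectl create secret tls $HOST" \
     "--key $WORK/$HOST.key --cert $WORK/$HOST.crt"
```

The secret has to live in the same namespace as the Ingress, and its name is what the Ingress lists under `spec.tls[].secretName` next to the same host.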

1 Answer

I suggest you try this for cert-manager installation, and thereafter you can follow this Stack Overflow post.

The certificate will attain the ready state once you add the secret name in TLS. Note that you need not create that secret; it will be auto-created. Upon ACME challenge verification, the certificate will attain the ready state.

Kindly use

apiVersion: cert-manager.io/v1alpha2

in the ClusterIssuer, if the apiVersion for the ClusterIssuer present in that Stack Overflow post is not acceptable.

Tushar Mahajan
  • I cannot install cert-manager using Helm in Kubernetes cluster v1.12; mine is 1.12. There is a validation error looking for "caBundle", which is copied here (https://github.com/get2arun/logs/blob/master/helm3-kube-server-12.6-caBundle-error). This issue is discussed here (https://github.com/helm/helm/issues/6883#issuecomment-550463352). For now, I cannot upgrade the cluster. Any other way to set up HTTPS in ingress? – intechops6 Nov 14 '19 at 13:42
  • Try with kube-lego. – Tushar Mahajan Nov 14 '19 at 16:53
  • Did you get an idea on kube-lego? – Tushar Mahajan Nov 15 '19 at 08:56
  • I found HTTPS can be achieved via ingress, so I am trying to deploy ingress & expose the service, but have an issue at (https://stackoverflow.com/questions/58881789/error-create-resource-configmaps-while-deploying-nginx-ingress-controller). Also, I have a question: where do I have to use these certs? Need to have ingress? Or using Service type LoadBalancer, that is, the service already? I believe certs are for ingress. How to achieve HTTPS using the existing Service type LoadBalancer (insecure)? For cert-manager, I have to go with kube-lego since there is no support in cluster 1.12.4, and will come back on this. – intechops6 Nov 15 '19 at 17:45