Journey into Kubernetes - SSL

May 6, 2020·

2 min read

In this short article I want to prepare us for what will be the last step in this series - ingress controller and TLS termination. This preparation will entail generating an SSL certificate and key on our local machine and storing them in a 'secret' in our K8s cluster.

In a production scenario, you'll want to get a real certificate from a trusted entity like Verisign or use Let's Encrypt. That's not related to Kubernetes though, so it's out of scope of this series.

Let's get started!

You're gonna need bash shell installed on your PC, or some way to run openssl. If you're on Linux or Mac, you're golden, but if you're on Windows like me, you may already have Git for Windows installed which comes with bash and thus openssl. Open bash and type in:

openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out aks-ingress-tls.crt -keyout aks-ingress-tls.key

We're creating a new x509 certificate with RSA-2048 encryption valid for 365 days. We're also asking for crt and key files to be created. When you run this command, you'll be asked a few questions. The only thing that really matters is the company name. Everything else you can leave blank.

The crt and key files are created in the directory where you ran the command. I recommend you store them somewhere safe, perhaps in the same folder as your cluster definition YAML files.

In preparation for the next article, we're going to create a new namespace. This namespace was also created by the ingress controller installation YAML, but we need it now... not in the next article. Go ahead and create a YAML file named nginx-ingress.yml and add this to it:

apiVersion: v1
kind: Namespace
  name: ingress-nginx
  labels: ingress-nginx ingress-nginx

Apply it:

kubectl apply -f nginx-ingress.yml

This will create a new namespace where we'll store the ingress controller. We'll discuss why we want a new namespace in the next article, but for now, just trust me!

In the same directory as the crt and key files, you can now run the following command:

kubectl create secret tls aks-ingress-tls --namespace ingress-nginx --key aks-ingress-tls.key --cert aks-ingress-tls.crt

We're creating a secret in our cluster which we can then refer to later when creating the ingress controller and setting up TLS termination. This secret contains the certificate and the key we created earlier.

Great! We're now ready for the moment you've all been waiting for -- making our API service hosted inside our K8s cluster accessible to the public, complete with SSL support! That's coming up in the next article.


Did you find this article valuable?

Support Paul K by becoming a sponsor. Any amount is appreciated!