This blog will guide you through adding TLS encryption to an Ingress resource. I will also show how quickly we can start an nginx server, expose it using a Service and an Ingress, and then apply TLS encryption. So let's start.
Introduction:
Transport Layer Security, TLS, is a widely adopted security protocol that facilitates privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers.
Kubernetes provides a certificates.k8s.io API, which lets you provision TLS certificates signed by a Certificate Authority (CA) that you control. Workloads use the CA and certificates to establish trust.
You can secure an application running on Kubernetes by creating a secret that contains a TLS (Transport Layer Security) private key and certificate.
On minikube, check whether the ingress addon is enabled or disabled:
minikube addons list
If you don't have Ingress enabled, you can run this command:
minikube addons enable ingress
Setting up Nginx
So now we will deploy an nginx web server, expose it with an Ingress, and then secure it with a self-signed certificate. To begin, we first create a Deployment using the kubectl command.
kubectl create deployment nginx --image=nginx
Next we will create a service of type ClusterIP
kubectl expose deployment nginx --port 80
Now let us add an Ingress resource through a YAML file
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myingress
  labels:
    name: myingress
spec:
  rules:
  - host: example.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: nginx
            port:
              number: 80
Now simply apply and create this.
Next we tell our machine that example.com (the host) is running in this minikube cluster. We do this by running this command.
echo "$(minikube ip) example.com" | sudo tee -a /etc/hosts
After this you will be able to access nginx by visiting example.com. The next thing we want to do is enable HTTPS by adding a TLS certificate. The easiest way to do this is to use a self-signed certificate, which we can create with a single command.
Self Signed Certificate
You might be wondering what a self-signed certificate is. As the name suggests, it is a certificate issued by the person creating it, not by any authority.
Create a self-signed certificate, valid for 365 days.
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout tls.key -out tls.crt -subj "/CN=example.com" -days 365
When you run ls you will find that a TLS key and a TLS certificate have been created. Now we will create a secret of type TLS
kubectl create secret tls example-com-tls --cert=tls.crt --key=tls.key
Now we have this certificate in our cluster. To view it, you can simply type
kubectl get secret -o yaml
Next we edit our Ingress to include this TLS section
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: myingress
  labels:
    name: myingress
spec:
  tls:
  - secretName: example-com-tls
    hosts:
    - example.com
  rules:
  - host: example.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: nginx
            port:
              number: 80
Apply the configuration and check using
curl -k https://example.com
You will notice you are able to view the page, and now it's using your own certificate.
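Because curl -k skips certificate verification, it succeeds whichever certificate the controller presents. The script below is an added example, not part of the original post: it checks that tls.key belongs to tls.crt, compares the fingerprint of the certificate served for the host with the local file, and then makes a verified request. The function names are hypothetical, and it assumes tls.crt and tls.key from the openssl command above and that example.com resolves to the minikube IP.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): confirm the ingress really
# serves the self-signed certificate stored in the example-com-tls secret.

# SHA-256 fingerprint of a PEM certificate file ($1).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if the private key ($2) belongs to the certificate ($1).
key_matches_cert() {
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# SHA-256 fingerprint of the leaf certificate served for host $1 on port 443.
# Prints nothing if the connection or the handshake fails.
served_fingerprint() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Compare expected ($1) and served ($2) fingerprints; non-zero on mismatch.
compare_fingerprints() {
  if [ -n "$1" ] && [ "$1" = "$2" ]; then
    echo "OK: ingress serves the expected certificate"
  else
    echo "MISMATCH: expected '$1', served '${2:-none}'" >&2
    return 1
  fi
}

# Full check for host $1, certificate $2 and key $3.
check_ingress_cert() {
  key_matches_cert "$2" "$3" || { echo "key does not match $2" >&2; return 1; }
  compare_fingerprints "$(cert_fingerprint "$2")" "$(served_fingerprint "$1")" || return 1
  # Verified request: trust only our certificate instead of passing -k.
  curl --silent --show-error --cacert "$2" --output /dev/null "https://$1/"
}

# Runs only when arguments are given, e.g.:
#   ./check-ingress-cert.sh example.com tls.crt tls.key
[ "$#" -eq 0 ] || check_ingress_cert "$@"
```

A mismatch here usually means the controller could not use the secret (wrong name, wrong namespace, or a host that does not match) and is presenting its own default certificate instead.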
Conclusion:
We have reached our goal: the application is reachable via HTTPS, and even if you type HTTP, the controller will redirect you to HTTPS. If you liked this article, please do comment, like and share.