Irrespective of ingress FQDN, Kubernetes creates Certificates with domain name ingress.local which creates below issues.
CoreOS Dex need certificates from valid CA, self-signed certificates will now work
Gardener dashboard authentication has issues with self-signed certificates. AuthN flow will not happen without accepting invalid Cert error
Accessing ingress in any browser will complain self-signed server error
Fix: Lets encrypt
Install Certbot from LetsEncrypt
$ brew install certbot
Create wildcard Certificate for domain, *.pd.example.com
Before entering Yes to confirm, make sure you add TXT record entry as prompted by certbot.
# create directories named le_wd, le_cd, le_ld before executing below command
$ certbot certonly --manual -d *.pd.example.com --work-dir=le_wd --config-dir=le_cd --logs-dir=le_ld
# Check if certificates are created
$ certbot certificates --work-dir=le_wd --config-dir=le_cd --logs-dir=le_ld
Certs are located at le_cd/live/pd.example.com /
Create secret with the Certificates we want to use
$ kubectl create secret tls pd-custom-certs --key pd.example.com.key --cert pd.example.com.crt -n namespace_of_interest
Configure ingress with the TLS secret.
----SNIP(FQDN 1)---- ingress: enabled: true path: / hosts: - a.pd.example.com tls: - hosts: - a.pd.example.com secretName: pd-custom-certs ----SNIP(FQDN 2)---- ingress: enabled: true path: / hosts: - b.pd.example.com tls: - secretName: pd-custom-certs hosts: - b.pd.example.com
Accessing ingress should not show invalid Cert errors now.
No comments:
Post a Comment