Sunday, September 15, 2019

Kubernetes ingress custom Certificates with valid CA

Irrespective of the ingress FQDN, Kubernetes creates certificates with the domain name ingress.local, which causes the issues below.
CoreOS Dex needs certificates from a valid CA; self-signed certificates will not work.
Gardener dashboard authentication has issues with self-signed certificates: the AuthN flow does not complete unless the invalid-certificate error is accepted.
Accessing the ingress in any browser produces a self-signed certificate warning.

Fix: Let's Encrypt

Install Certbot from Let's Encrypt
$ brew install certbot

Create a wildcard certificate for the domain, *

Before entering Yes to confirm, make sure you have added the DNS TXT record that certbot prompts for (a wildcard certificate can only be validated through the DNS challenge, which is why the TXT record is required).
# create the directories le_wd, le_cd and le_ld before running the command below
$ certbot certonly --manual -d *  --work-dir=le_wd --config-dir=le_cd --logs-dir=le_ld

# Check if certificates are created
$ certbot certificates --work-dir=le_wd --config-dir=le_cd --logs-dir=le_ld

The certificates are located under le_cd/live/ /

Create a TLS secret from the certificates we want to use
$ kubectl create secret tls pd-custom-certs --key --cert -n namespace_of_interest

Configure the ingress with the TLS secret:
----SNIP(FQDN 1)----
ingress:
  enabled: true
  path: /
  hosts:
    -
  tls:
    - hosts:
        -
      secretName: pd-custom-certs
----SNIP(FQDN 2)----
ingress:
  enabled: true
  path: /
  hosts:
    -
  tls:
    - secretName: pd-custom-certs
      hosts:
        -

Accessing the ingress should no longer show invalid certificate errors.
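As an added check that is not part of the original post: before running kubectl create secret, it is worth confirming that the private key and certificate belong together, that the certificate is not about to expire (Let's Encrypt certificates are only issued for 90 days), and that its subjectAltName actually covers the ingress FQDN, since any of those mismatches produces exactly the browser warning this post is trying to get rid of. The script below is example code written for this page, not certbot's or Kubernetes' own tooling; it assumes openssl is on PATH, and the example.com names, the pd-custom-certs/default values and the check_tls.sh file name are placeholders. It performs those checks and prints the kubernetes.io/tls Secret that kubectl create secret tls would build, so the output can be piped to kubectl apply -f -.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check a certbot
# fullchain.pem/privkey.pem pair for a given ingress host before it becomes
# a Kubernetes TLS secret, and build the same Secret that
# `kubectl create secret tls` would create. Assumes openssl on PATH; all
# host names and paths used here are placeholders.
set -eu

# 0 when host $1 is covered by DNS name $2. A wildcard matches exactly one
# label (RFC 6125), so *.example.com covers dex.example.com but neither
# example.com nor a.b.example.com.
host_matches() {
  host=$1; entry=$2
  case "$entry" in
    \*.*)
      suffix=${entry#\*.}
      case "$host" in
        *.*) [ "${host#*.}" = "$suffix" ] ;;
        *)   return 1 ;;
      esac ;;
    *) [ "$host" = "$entry" ] ;;
  esac
}

# Print the DNS subjectAltName entries of a PEM certificate, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# 0 when the private key belongs to the certificate (same public key).
key_matches_cert() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# 0 when the certificate is still valid for at least $2 seconds (default 10
# days; Let's Encrypt certificates are only issued for 90 days).
cert_not_expiring() {
  openssl x509 -in "$1" -noout -checkend "${2:-864000}" >/dev/null
}

# Full check for one ingress host: 0 on success, otherwise a reason on stderr.
check_tls_pair() {
  cert=$1; key=$2; host=$3
  key_matches_cert "$cert" "$key" || { echo "private key does not match $cert" >&2; return 1; }
  cert_not_expiring "$cert" || { echo "$cert expires within 10 days; renew first" >&2; return 2; }
  for san in $(cert_sans "$cert"); do
    host_matches "$host" "$san" && return 0
  done
  echo "no subjectAltName in $cert covers $host" >&2
  return 3
}

# Emit the kubernetes.io/tls Secret manifest equivalent to
# `kubectl create secret tls <name> --key <key> --cert <cert> -n <ns>`.
tls_secret_manifest() {
  name=$1; ns=$2; cert=$3; key=$4
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
    "$name" "$ns" "$(base64 < "$cert" | tr -d '\n')" "$(base64 < "$key" | tr -d '\n')"
}

# Constructed fixture: a self-signed wildcard pair standing in for
# le_cd/live/<domain>/{fullchain,privkey}.pem, so the checks can be run offline.
make_test_pair() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=*.example.com' \
    -addext 'subjectAltName=DNS:*.example.com,DNS:example.com' \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" >/dev/null 2>&1
}

# Usage: sh check_tls.sh <fullchain.pem> <privkey.pem> <ingress host> [namespace]
if [ "$#" -ge 3 ]; then
  check_tls_pair "$1" "$2" "$3" && tls_secret_manifest pd-custom-certs "${4:-default}" "$1" "$2"
fi
```

Point it at le_cd/live/<domain>/fullchain.pem and privkey.pem with the FQDN of the ingress as the third argument; the self-signed pair from make_test_pair only exists to exercise the checks offline. The one-label wildcard rule in host_matches is the same one browsers apply, so a host such as a.b.<domain> will be rejected here before it is rejected by the browser.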
