Alternative ways to create SSL certificates and expose the services.
alternative-01
helm install --name nginx-ingress stable/nginx-ingress --set controller.nodeSelector."beta\.kubernetes\.io/os"=linux --set defaultBackend.nodeSelector."beta\.kubernetes\.io/os"=linux --namespace ingress-basic
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -out aks-ingress-tls.crt -keyout aks-ingress-tls.key -subj "/CN=*.kaushik.development.net/O=aks-ingress-tls"
kubectl create secret tls aks-ingress-tls --namespace ingress-basic --key aks-ingress-tls.key --cert aks-ingress-tls.crt
reference:
https://github.com/kubernetes/ingress-nginx/tree/master/charts/ingress-nginx/templates
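The alternative-01 flow as a script, added here as an example and not part of the original post: unlike the CN-only openssl command above it adds a subjectAltName (browsers ignore the CN and reject certificates without a SAN), verifies that the key and certificate belong together and are not about to expire, and renders the same Secret that kubectl create secret tls would build. It assumes openssl 1.1.1 or later for -addext; the scratch directory and the example names are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: the alternative-01 flow as a
# script. Unlike the CN-only command above it adds a subjectAltName, which
# browsers require, and checks the pair before turning it into a TLS secret.
# Assumes openssl 1.1.1+ (for -addext); names and paths are constructed.
set -eu

WORK="${TMPDIR:-/tmp}/aks-ingress-tls.$$"   # scratch dir for key/cert
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# make_selfsigned <dns-name> <days>: writes $WORK/tls.key and $WORK/tls.crt
make_selfsigned() {
  openssl req -x509 -nodes -days "$2" -newkey rsa:2048 \
    -keyout "$WORK/tls.key" -out "$WORK/tls.crt" \
    -subj "/CN=$1/O=aks-ingress-tls" \
    -addext "subjectAltName=DNS:$1" >/dev/null 2>&1
}

# cert_has_san <crt> <dns-name>: succeeds if the SAN extension lists the name
# (fixed-string grep, because a wildcard name contains regex metacharacters)
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -qF -- "DNS:$2"
}

# key_matches_cert <key> <crt>: succeeds if both carry the same public key
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# cert_valid_for_days <crt> <days>: succeeds if notAfter is at least that far away
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# tls_secret_manifest <name> <namespace>: the object kubectl create secret tls
# builds, rendered as YAML so it can be reviewed before it is applied
tls_secret_manifest() {
  crt=$(base64 < "$WORK/tls.crt" | tr -d '\n')
  key=$(base64 < "$WORK/tls.key" | tr -d '\n')
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$1" "$2"
  printf 'type: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' "$crt" "$key"
}

# Usage: generate, verify, then print the manifest for the ingress namespace
make_selfsigned '*.kaushik.development.net' 365
cert_has_san "$WORK/tls.crt" '*.kaushik.development.net'
key_matches_cert "$WORK/tls.key" "$WORK/tls.crt"
cert_valid_for_days "$WORK/tls.crt" 300
tls_secret_manifest aks-ingress-tls ingress-basic
```

Pipe the manifest into kubectl apply -f - for the same result as the kubectl create secret tls command above, or store it encrypted alongside the chart values.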
alternative-02
2) helm repo add jetstack https://charts.jetstack.io
reference: https://cert-manager.io/docs/configuration/acme/
3) Create a YAML file called clusterissuer.yaml with the following content:
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
metadata:
  name: external
spec:
  acme:
    # You must replace this email address with your own.
    # Let's Encrypt will use this to contact you about expiring
    # certificates, and issues related to your account.
    email: user@example.com
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      # Secret resource that will be used to store the account's private key.
      name: example-issuer-account-key
    # Add a single challenge solver, HTTP01 using nginx
    solvers:
    - http01:
        ingress:
          class: nginx
4) Add the annotation cert-manager.io/cluster-issuer: external to the ingress block in values.yaml.
Example:
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: external
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: test.kaushikdevelopment.net
      paths:
        # NB: You may also want to set the basePath above
        - /
  tls:
    - secretName: tlssecret # this secret is automatically created when you install the helm chart.
      hosts:
        - test.kaushikdevelopment.net
example app: https://github.com/bootc/netbox-chart/blob/master/values.yaml
Currently, the fourth implementation is not working because of the DNS issue.
Troubleshooting steps:
nslookup <dnsname> <dnsserver>
nslookup devtls.netboxdevelopment.net ns1-02.azure-dns.com.
Server: ns1-02.azure-dns.com.
Address: 2603:1061::2#53
Name: devtls.netboxdevelopment.net
Address: 20.185.246.138
apiVersion: v1
kind: ConfigMap
metadata:
  name: coredns-custom
  namespace: kube-system
data:
  test.server: |
    netboxdevelopment.net:53 {
        errors
        cache 30
        forward . ns1-02.azure-dns.com
    }
# kubectl apply -f coredns.yaml
reference: https://docs.microsoft.com/en-us/azure/aks/coredns-custom
# kubectl delete pod --namespace kube-system -l k8s-app=kube-dns
command: host ns1-02.azure-dns.com
ns1-02.azure-dns.com has address 40.90.4.2
ns1-02.azure-dns.com has IPv6 address 2603:1061::2
kubectl get secret externaltlscert -n tlsnetbox -o yaml
Alternative-05
An ingress controller is a piece of software that provides reverse proxy, configurable traffic
routing, and TLS termination for Kubernetes services.
References:
https://docs.microsoft.com/en-us/azure/aks/ingress-tls
Topic 3, Manage security operations
Alternative-06
https://github.com/Azure/application-gateway-kubernetes-ingress
How to generate the SSL certificates?
https://app.zerossl.com/certificate/new