TLS Certificate in K8s

I was moving to a new server at work. I wanted to install k8s, but this time I used MicroK8s. MicroK8s is a lightweight k8s deployment tool. It can be easy to manage after reading a few documents about it.

I am using Ubuntu on the server and installed MicroK8s with the following command:

sudo snap install microk8s --classic

Source : https://ubuntu.com/tutorials/install-a-local-kubernetes-with-microk8s#2-deploying-microk8s

Afterwards I created YAML files and applied them to k8s, and I enabled ingress to serve the APIs I had installed.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-service
  annotations:
    nginx.ingress.kubernetes.io/use-regex: 'true'
    nginx.ingress.kubernetes.io/rewrite-target: /$1
    nginx.ingress.kubernetes.io/enable-access-log: "false"
    nginx.ingress.kubernetes.io/configuration-snippet: |-
      proxy_ssl_server_name on;
      proxy_ssl_name $host;
spec:
  # The ingress class is a field of spec. It takes the place of the deprecated
  # kubernetes.io/ingress.class annotation, which may not name a different class.
  ingressClassName: public
  tls:
  - hosts:
      - your-domain-name.com
    # Name of the TLS secret created with kubectl below
    secretName: tls-secret-2
    #testsecret-tls
  rules:
    - host: your-domain-name.com
      http:
        paths:
          - path: /?(.*)
            pathType: Prefix
            # UPDATE THIS LINE ABOVE
            backend:
              service:
                name: appointment-cluster-ip-service
                port:
                  number: 8080

I also wanted to enable TLS for a secure connection. After some research, I understood that I had to create a new crt and private key.

The system admin sent a pfx file to enable TLS. I applied the following command to create the key file from the pfx.

openssl pkcs12 -in pfx-filename.pfx -nocerts -out key-filename.key

Second step: creating the decrypted key file, because the key in a Kubernetes TLS secret must not be passphrase-protected

openssl rsa -in key-filename.key -out key-filename-decrypted.key

Third step: creating the crt file

openssl pkcs12 -in pfx-filename.pfx -clcerts -nokeys -out crt-filename.crt

Fourth step: creating the secret on k8s

kubectl create secret tls tls-secret-2 --cert crt-filename.crt --key key-filename-decrypted.key

Then I applied the YAML file with the following command.

microk8s kubectl apply -f your-ingress.yml

Then I tested whether it worked via the following command. But I want to mention one point: after I applied all the steps, I checked whether it was accepting HTTPS requests, but it was not. So I went to get a cup of tea and came back about five or ten minutes later. I tested again and it worked 🙂

An edit: I realized that I had to concatenate the intermediate cert to the primary crt file with the following command, because of the following error: javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found

cat your_domain_name.crt DigiCertCA.crt >> bundle.crt

Source: Nginx: Create CSR & Install SSL Certificate (OpenSSL), DigiCert,

https://www.digicert.com/kb/csr-ssl-installation/nginx-openssl.htm#ssl_certificate_install
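
An added example (not from the original post or its sources): a pre-flight check for the files handed to `kubectl create secret tls`, assuming the concatenated bundle.crt is the file passed to `--cert`. It confirms that the key is unencrypted and matches the leaf certificate, and that the leaf is followed by the certificate that issued it; the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, file names follow the post.

# 0 if the first certificate in $1 holds the public key of private key $2;
# 2 if either file cannot be read (for example, the key is still encrypted).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Prints the number of PEM certificates in $1 (1 means no intermediate).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# 0 if $1 starts with the leaf, directly followed by the certificate that issued it.
chain_in_order() {
    dir=$(mktemp -d) || return 2
    # Split the bundle into 1.pem, 2.pem, ... in file order.
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/ { n++ }
                     n { print > (d "/" n ".pem") }' "$1"
    if [ ! -f "$dir/2.pem" ]; then rm -rf "$dir"; return 1; fi
    leaf_issuer=$(openssl x509 -in "$dir/1.pem" -noout -issuer | sed 's/^issuer= *//')
    next_subject=$(openssl x509 -in "$dir/2.pem" -noout -subject | sed 's/^subject= *//')
    rm -rf "$dir"
    [ -n "$leaf_issuer" ] && [ "$leaf_issuer" = "$next_subject" ]
}

# Usage: sh check-tls-files.sh bundle.crt key-filename-decrypted.key
if [ "$#" -eq 2 ]; then
    cert_matches_key "$1" "$2" || { echo "certificate and key do not match" >&2; exit 1; }
    chain_in_order "$1" || { echo "intermediate missing or out of order" >&2; exit 1; }
    echo "ok: $(count_certs "$1") certificates, key matches leaf"
fi
```

The decrypted key file is no longer needed on disk once the secret exists in the cluster.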

Have a good day

Source : Configuring a TLS certificate in Kubernetes, A.Dev (2021) , https://adolfi.dev/blog/tls-kubernetes/, A.D. : 10/06/2022

