Certificates

https://howhttps.works/certificate-authorities/

Once you deploy an application and you get a "Your connection is not secure" with no padlock on the website. That means the certificate from the server is not trusted by the browser (certificate was not issused by a CA authority).

If the application is deployed on Kubernetes, you need to track down where the certificate is located (which pod and the location inside the pod). You can usually find the path / secretName / credentialName in the Ingress resource or even istio Gateway resource. Then find the corresponding pods and go to that path to find the certificate

The certificate is most likely self-signed by letsencrypt or another third-party issuer (resource type: ClusterIssuer). Find out how it is being generated (look for resource Certificate).

To get a CA authorized certificate, you must go through your cloud provider. For Azure, you have to create a Key Vault and create a signed certificate. For IBM Cloud, if you are using a load balancer, there is a single command to run to obtain a DNS and certificate for that load balancer!

If you are using Azure, export the signed certificate you just created in .pfx format. Using OpenSSL, you can split this .pfx file into .crt and .key files shown here.

Istio Gateway

https://istio.io/latest/docs/tasks/traffic-management/ingress/secure-ingress/

If you are using istio Gateway resource, then the file should be something like this:

  apiVersion: networking.istio.io/v1alpha3
  kind: Gateway
  metadata:
  name: kubeflow-gateway
  namespace: kubeflow
  spec:
  selector:
      istio: ingressgateway
  servers:
  - hosts:
      - '*'
      port:
          name: http
          number: 80
          protocol: HTTP
      # Upgrade HTTP to HTTPS
      tls:
          httpsRedirect: true
  - hosts:
      - '*'
      port:
          name: https
          number: 443
          protocol: HTTPS
      tls:
          mode: SIMPLE
          privateKey: /etc/istio/ingressgateway-certs/tls.key # WHERE THE .key FILE PATH SHOULD BE EXPORTED INTO
          serverCertificate: /etc/istio/ingressgateway-certs/tls.crt # WHERE THE .CRT FILE PATH SHOULD BE EXPORTED INTO

You can also do it through secrets

kubectl create -n istio-system secret tls istio-ingressway-tls \
	--key=istio-ingressway-tls.key \
  --cert=istio-ingressway-tls.crt

  apiVersion: networking.istio.io/v1alpha3
  kind: Gateway
  metadata:
  name: kubeflow-gateway
  namespace: kubeflow
  spec:
  selector:
      istio: ingressgateway
  servers:
  - hosts:
      - '*'
      port:
          name: http
          number: 80
          protocol: HTTP
      # Upgrade HTTP to HTTPS
      tls:
          httpsRedirect: true
  - hosts:
      - '*'
      port:
          name: https
          number: 443
          protocol: HTTPS
      tls:
        mode: SIMPLE
        credentialName: istio-ingressway-tls # must be the same as secret

Kubernetes Ingress

kubectl create secret tls ingress-tls \
    --key ingress-tls.key \
    --cert ingress-tls.crt

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-example-ingress
spec:
  tls:
  - hosts:
      - https-example.foo.com
    secretName: ingress-tls
  rules:
  - host: https-example.foo.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service1
            port:
              number: 80

PreviousKubernetes NextExample

Last updated 2 years ago