Kubernetes Course Labs

Ingress for HTTPS

You can use ingress for SSL termination, storing your HTTPS certificates as Kubernetes Secrets.

The ingress controller takes care of applying the cert to encrypt traffic, and it can also redirect HTTP requests to HTTPS.

Create a TLS cert for HTTPS access

Ingress controllers are the single entrypoint for all your apps. They're great for centralizing concerns like caching and HTTPS.

The controller applies the TLS certificates to the public endpoint, and internally the apps work on plain HTTP.

The Ingress spec supports HTTPS and the Nginx ingress controller is already running with a TLS certificate:

Browse to https://whoami.local:8040 or https://whoami.local:30040

You'll see an error because this is a self-signed certificate, which means it's not trusted. You can check the cert details in your browser and you'll see something like this:

You can apply your own certificates in Ingress rules. You might buy a TLS cert from an online provider specific to your host domains, but we'll generate our own:

Generate the certs:

kubectl apply -f labs/ingress/specs/tls

kubectl wait --for=condition=Ready pod tls-cert-generator

kubectl logs tls-cert-generator

(The Pod runs some OpenSSH commands - here's the script if you want to see how it's done).

Now you can copy the cert files from the Pod to your local machine:

kubectl cp tls-cert-generator:/certs/server-cert.pem tls.crt

kubectl cp tls-cert-generator:/certs/server-key.pem tls.key

And use them to create a Secret. Kubernetes supports TLS certificates as a special Secret type, and you pass the certificate file and key to the create secret command:

kubectl create secret tls https-local --key=tls.key --cert=tls.crt

kubectl label secret https-local kubernetes.courselabs.co=ingress

kubectl describe secret https-local

Now we have a Secret with a TLS cert that can be used for our local app domains.

Ideally you should use an automated process instead so your certs never expire - cert-manager is how you do that in Kubernetes.


Expose apps through HTTPS

HTTPS is really easy to apply with ingress - you just add the name of the Secret containing the TLS certificate to the Ingress spec:

Add TLS support:

kubectl apply -f labs/ingress/specs/tls/ingress

kubectl get ingress

The basic Ingress view doesn't show the TLS setup, you need to describe to see that

Now you can browse to the sites at the HTTPS endpoint:

You'll still get a browser warning, but if this was a trusted cert from a real authority you wouldn't

Ingress also redirects HTTP requests to HTTP but it only uses the default port 443:

curl -v http://pi.local:8040/

We're using a non-standard port for HTTPS, so the redirect won't work. In a real cluster the Service for the Ingress controller would listen on ports 80 and 443.


Cleanup

kubectl delete all,secret,ingress,ns -l kubernetes.courselabs.co=ingress