You can use ingress for SSL termination, storing your HTTPS certificates as Kubernetes Secrets.
The ingress controller takes care of applying the cert to encrypt traffic, and it can also redirect HTTP requests to HTTPS.
Ingress controllers are the single entrypoint for all your apps. They're great for centralizing concerns like caching and HTTPS.
The controller applies the TLS certificates to the public endpoint, and internally the apps work on plain HTTP.
The Ingress spec supports HTTPS and the Nginx ingress controller is already running with a TLS certificate:
Browse to https://whoami.local:8040 or https://whoami.local:30040
You'll see an error because this is a self-signed certificate, which means it's not trusted. You can check the cert details in your browser and you'll see something like this:
You can apply your own certificates in Ingress rules. You might buy a TLS cert from an online provider specific to your host domains, but we'll generate our own:
Generate the certs:
kubectl apply -f labs/ingress/specs/tls
kubectl wait --for=condition=Ready pod tls-cert-generator
kubectl logs tls-cert-generator
(The Pod runs some OpenSSL commands - here's the script if you want to see how it's done).
Now you can copy the cert files from the Pod to your local machine:
kubectl cp tls-cert-generator:/certs/server-cert.pem tls.crt
kubectl cp tls-cert-generator:/certs/server-key.pem tls.key
And use them to create a Secret. Kubernetes supports TLS certificates as a special Secret type, and you pass the certificate file and key to the create secret command:
kubectl create secret tls https-local --key=tls.key --cert=tls.crt
kubectl label secret https-local kubernetes.courselabs.co=ingress
kubectl describe secret https-local
Now we have a Secret with a TLS cert that can be used for our local app domains.
Ideally you should use an automated process instead so your certs never expire - cert-manager is how you do that in Kubernetes.
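Before loading hand-copied files into a Secret, it helps to confirm that the key belongs to the cert, that the cert is not about to expire, and that it covers every host the Ingress rules will serve. The script below is an added example, not part of the lab; it assumes the openssl CLI is installed, and `check_tls_pair` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example (not from the lab): vet a cert/key pair before `kubectl create secret tls`.
# Assumes the openssl CLI is installed. check_tls_pair is a hypothetical helper name.
#
# check_tls_pair CERT KEY MIN_DAYS HOST...
#   returns 0 = usable, 1 = unreadable file or key does not match cert,
#           2 = expires within MIN_DAYS, 3 = a HOST is missing from the SANs
check_tls_pair() {
  cert=$1; key=$2; min_days=$3; shift 3

  # The public key inside the certificate must equal the one derived from the private key.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "private key does not match certificate" >&2; return 1
  fi

  # -checkend exits non-zero when the cert expires within the given number of seconds.
  if ! openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null; then
    echo "certificate expires within $min_days days" >&2; return 2
  fi

  # Each Ingress host must appear as a DNS subjectAltName, exactly or via a
  # single-label wildcard (*.local covers whoami.local but not a.b.local).
  sans=$(openssl x509 -in "$cert" -noout -text | grep -o 'DNS:[^,[:space:]]*' || true)
  for host in "$@"; do
    if ! printf '%s\n' "$sans" | grep -qxF -e "DNS:$host" -e "DNS:*.${host#*.}"; then
      echo "host $host is not covered by the certificate" >&2; return 3
    fi
  done
  return 0
}

# Run as: sh check-tls.sh tls.crt tls.key 30 whoami.local pi.local
if [ "$#" -ge 3 ]; then
  check_tls_pair "$@"
fi
```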
HTTPS is really easy to apply with ingress - you just add the name of the Secret containing the TLS certificate to the Ingress spec:
Add TLS support:
kubectl apply -f labs/ingress/specs/tls/ingress
kubectl get ingress
The basic Ingress view doesn't show the TLS setup; you need to describe the Ingress to see that.
Now you can browse to the sites at the HTTPS endpoint:
You'll still get a browser warning, but if this was a trusted cert from a real authority you wouldn't.
Ingress also redirects HTTP requests to HTTPS, but it only uses the default port 443:
curl -v http://pi.local:8040/
We're using a non-standard port for HTTPS, so the redirect won't work. In a real cluster the Service for the Ingress controller would listen on ports 80 and 443.
kubectl delete all,secret,ingress,ns -l kubernetes.courselabs.co=ingress