Tuesday, 7 June 2022

How to Install Certificate on Kubernetes Ingress Generated from CA


Assumption - Ingress controller is already installed in K8S cluster, if not, please follow https://kubernetes.github.io/ingress-nginx/deploy/
Step 1. Get Certificate from Global CA like Godaddy, Digicert, Comodo SSL or any one
Step 2. Create Secrete using Certificate and Key
Step 3. Create Kubernetes ingress or use existing ingress & Embedded Kubernetes secret in ingress configuration

How to do that:
Step 1: Certificate Generation Process
  • Create a private key using "openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr"
  • Upload server.csr and server.key to CA portal  to create certificate
  • Download certificate
Step 2.  Kubernetes Secrete Creation Process
  • Create Kubernetes secrete from downloaded certificate and private key(Server.cert and server.key)
  • There is two way to do that using Yaml or Using kubectl command line

By Using Yaml
apiVersion: v1
kind: Secret
metadata:
  name: hello-tls
  namespace: dev
type: kubernetes.io/tls
data:
  server.crt: <crt contents here>
  server.key: <private key contents here>
===========================================

By Kubectl Command Line:
Kubectl create secret tls hello-tls \
    --namespace dev \
    --key server.key \
    --cert server.crt
=====================================

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-ingress
  namespace: dev
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - example.com
    secretName: hello-tls
  rules:
  - host: example.com
    http:
      paths:
      - path: "/"
        pathType: Prefix
        backend:
          service:
            name: service name(hello-service)
            port:
              number: 80
===================================================


Note: Ingress and service should be using same name space else have to setup cross name space communication.