How to test Kubernetes SSL (HTTPS) locally on your computer

Updated: January 31, 2024 By: Guest Contributor

Introduction

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are protocols for establishing authenticated and encrypted links between networked computers. In a Kubernetes context, they are crucial for securing cluster components and containerized applications. With SSL/TLS, sensitive data can be transmitted securely over networks. In this tutorial, we’ll walk through how to set up and test an SSL-enabled Kubernetes cluster locally on your machine.

Prerequisites

  • Basic understanding of Kubernetes concepts
  • Docker Desktop or Minikube for a local Kubernetes cluster
  • Access to a terminal or command prompt
  • OpenSSL for generating certificates

Setting Up a Local Kubernetes Cluster

Before testing SSL/TLS, we need a running Kubernetes cluster:

minikube start

Or, if you’re using Docker Desktop, you can enable Kubernetes from the settings panel.

Installing Cert-Manager

For handling SSL in Kubernetes, we’ll use Cert-Manager. It’s a native Kubernetes certificate management controller. Install it via Helm:

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.3.1 --set installCRDs=true

Generating Self-Signed Certificates

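In a real-world scenario, you would obtain a valid certificate from a Certificate Authority (CA). For testing purposes, we’re using OpenSSL to create a self-signed certificate. The certificate below identifies the host only through its Common Name and carries no subjectAltName, so clients that require one, such as current browsers, will not accept it as a match for localhost: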

openssl genrsa -out tls.key 2048
openssl req -new -key tls.key -out tls.csr -subj "/CN=localhost"
openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt

Creating Kubernetes Secrets for SSL

Now, we’ll add the generated SSL certificate and key as a secret in Kubernetes:

kubectl create secret tls test-tls --cert=tls.crt --key=tls.key --namespace=default

The TLS secret is now stored within your Kubernetes cluster and can be used by your services.

Configuring Ingress to Use SSL

Let’s create an Ingress resource with our self-signed certificate:

echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
  tls:
  - hosts:
    - localhost
    secretName: test-tls
  rules:
  - host: localhost
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
" | kubectl apply -f -

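This Ingress directs HTTPS traffic for localhost to a service named ‘example-service’. It takes effect only when an ingress controller is running in the cluster, and the ssl-redirect annotation is specific to the NGINX ingress controller.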

Deploying a Test Application

We need an application to handle requests through the Ingress. Here’s how to deploy a simple nginx server:

kubectl run example-service --image=nginx --expose --port 80

Testing HTTPS Connection

To test the SSL setup, you can use ‘curl’ with the ‘-k’ option, which skips certificate verification. This is needed here because the self-signed certificate is not issued by a CA that curl trusts:

curl -ik https://localhost

If things are correctly set up, the command returns the default nginx welcome page served over HTTPS. If not, you’ll have to check the previous steps for any misconfiguration.

Advanced Configuration

For production-grade SSL with Kubernetes, you would automate certificate management using Cert-Manager with a real CA such as Let’s Encrypt. Ingress can be fine-tuned further with SSL policies and additional security settings.

Troubleshooting

There are sometimes issues when testing out SSL locally, which can be remedied by checking:

  • The Kubernetes Secret, ensuring that the certificate and key match.
  • The Cert-Manager status for deploying certificates.
  • The Ingress annotations and configurations.
  • Service health and readiness for handling HTTPS traffic.
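
The first check in the list above can be scripted before the pair is loaded with kubectl create secret tls. The following is an added example, not part of the original tutorial; it assumes openssl is on the PATH, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: pre-flight checks for a PEM certificate/key pair such as the
# tutorial's tls.crt and tls.key. Function names are hypothetical.

# SHA-256 of the public key embedded in a certificate (fails on unreadable input).
cert_pubkey_hash() {
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA-256 of the public key derived from a private key (RSA or EC).
key_pubkey_hash() {
  pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Return 0 only if the certificate and the private key share one public key.
tls_pair_matches() {
  cert_hash=$(cert_pubkey_hash "$1") || return 2
  key_hash=$(key_pubkey_hash "$2") || return 2
  [ "$cert_hash" = "$key_hash" ]
}

# Return 0 if the certificate is still valid N seconds from now (default 0).
cert_not_expired() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Run both checks and report; non-zero status means the pair should not be loaded.
preflight() {
  rc=0
  if tls_pair_matches "$1" "$2"; then echo "OK   key matches certificate"
  else echo "FAIL key does not match certificate (or a file is unreadable)"; rc=1; fi
  if cert_not_expired "$1"; then echo "OK   certificate is within its validity period"
  else echo "FAIL certificate is expired or unreadable"; rc=1; fi
  return "$rc"
}

# Check the tutorial's files when they are present in the current directory.
if [ -f tls.crt ] && [ -f tls.key ]; then preflight tls.crt tls.key; fi
```

To check what is actually stored in the cluster, export the tls.crt and tls.key fields of the test-tls secret to files and run preflight on those files.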

Conclusion

Testing SSL on a local Kubernetes cluster involves generating a certificate, setting up a TLS secret, and configuring Ingress resources. While this guide covers testing locally with a self-signed certificate, you’ll want to use a trusted CA for production deployments. SSL security is vital, and Kubernetes offers robust tools to wire it into your cluster and its services.