How to test Kubernetes SSL (HTTPS) locally on your computer

Last updated: January 31, 2024

Introduction

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are protocols for establishing authenticated and encrypted links between networked computers. In a Kubernetes context, they are crucial for securing cluster components and containerized applications. With SSL/TLS, sensitive data can be transmitted securely over networks. In this tutorial, we’ll walk through how to set up and test an SSL-enabled Kubernetes cluster locally on your machine.

Prerequisites

  • Basic understanding of Kubernetes concepts
  • Docker Desktop or Minikube for local Kubernetes cluster
  • Access to a terminal or command prompt
  • OpenSSL for generating certificates

Setting Up a Local Kubernetes Cluster

Before testing SSL/TLS, we need a running Kubernetes cluster:

minikube start

Or, if you’re using Docker Desktop, you can enable Kubernetes from the settings panel.

Installing Cert-Manager

For handling SSL in Kubernetes, we’ll use Cert-Manager. It’s a native Kubernetes certificate management controller. Install it via Helm:

helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install cert-manager jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.3.1 --set installCRDs=true

Generating Self-Signed Certificates

In a real-world scenario, you would obtain a valid certificate from a Certificate Authority (CA). For testing purposes, we’re using OpenSSL to create a self-signed certificate:

openssl genrsa -out tls.key 2048
openssl req -new -key tls.key -out tls.csr -subj "/CN=localhost"
openssl x509 -req -days 365 -in tls.csr -signkey tls.key -out tls.crt

Creating Kubernetes Secrets for SSL

Now, we’ll add the generated SSL certificate and key as a secret in Kubernetes:

kubectl create secret tls test-tls --cert=tls.crt --key=tls.key --namespace=default

The TLS secret is now stored within your Kubernetes cluster and can be used by your services.

Configuring Ingress to Use SSL

Let’s create an Ingress resource with our self-signed certificate:

echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: 'true'
spec:
  tls:
  - hosts:
    - localhost
    secretName: test-tls
  rules:
  - host: localhost
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service
            port:
              number: 80
" | kubectl apply -f -

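This Ingress will direct HTTPS traffic on localhost to a service named ‘example-service’, terminating TLS with the certificate stored in the ‘test-tls’ secret. The nginx.ingress.kubernetes.io annotation only takes effect when an NGINX ingress controller is running in the cluster.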

Deploying a Test Application

We need an application to handle requests through the Ingress. Here’s how to deploy a simple nginx server:

kubectl run example-service --image=nginx --expose --port 80

Testing HTTPS Connection

To test the SSL setup, you can use ‘curl’ with the ‘-k’ option, which skips certificate verification. This is needed here because the certificate is self-signed and therefore not trusted by default:

curl -ik https://localhost

If things are correctly set up, the command returns the default nginx welcome page served over HTTPS. If not, you’ll have to check the previous steps for any misconfiguration.

Advanced Configuration

For production-grade SSL with Kubernetes, you would automate certificate management using Cert-Manager with a real CA such as Let’s Encrypt. Ingress can be fine-tuned further with SSL policies and additional security settings.

Troubleshooting

There are sometimes issues when testing out SSL locally, which can be remedied by checking:

  • The Kubernetes Secrets and ensuring the certificate and key match.
  • The Cert-Manager status for deploying certificates.
  • The Ingress annotations and configurations.
  • Service health and readiness for handling HTTPS traffic.
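
The first check in the list above, as an added example that is not part of the original tutorial: the functions below compare the public key in a certificate with the one derived from a private key, and confirm that the certificate covers the Ingress host. The function names and the temporary demo files are assumptions made for this example; the key size, lifetime and CN follow the commands used earlier.

```shell
#!/bin/sh
# Added example (not from the original tutorial). Function names are assumptions.

# Constructed test material: self-signed cert + key for host $2 in directory $1.
# Mirrors the tutorial's parameters (RSA 2048, 365 days, CN=<host>) and also
# sets subjectAltName for the same host.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$1/tls.key" -out "$1/tls.crt" \
        -subj "/CN=$2" -addext "subjectAltName=DNS:$2" 2>/dev/null
}

# Return 0 if the certificate ($1) and private key ($2) share one public key,
# 1 if they differ, 2 if either file cannot be parsed.
tls_pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if the certificate ($1) is valid for hostname ($2).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# Demo on constructed files in a throwaway directory.
demo_dir=$(mktemp -d)
make_selfsigned "$demo_dir" localhost
openssl genrsa -out "$demo_dir/other.key" 2048 2>/dev/null

tls_pair_matches "$demo_dir/tls.crt" "$demo_dir/tls.key" && echo "pair: match"
tls_pair_matches "$demo_dir/tls.crt" "$demo_dir/other.key" || echo "wrong key: mismatch"
cert_covers_host "$demo_dir/tls.crt" localhost && echo "host localhost: covered"
rm -rf "$demo_dir"
```

To check the pair actually stored in the cluster, extract it first, for example with kubectl get secret test-tls -o jsonpath='{.data.tls\.crt}' | base64 -d > tls.crt (and likewise for tls\.key), then pass both files to tls_pair_matches.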

Conclusion

Testing SSL on a local Kubernetes cluster involves generating a certificate, setting up a TLS secret, and configuring Ingress resources. While this guide covers testing locally with a self-signed certificate, you’ll want to use a trusted CA for production deployments. SSL security is vital, and Kubernetes offers robust tools to wire it into your cluster and its services.
