How to get ssl on a kubernetes application?

I have a simple meteor app deployed on kubernetes. I associated an external IP address with the server, so that it's accessible from within the cluster. Now, I am up to exposing it to the internet and securing it (using HTTPS protocol). Can anyone give simple instructions for this section?

fay asked Feb 08 '17 09:02



2 Answers

In my opinion kube-lego is the best solution for GKE. See why:

  • Uses Let's Encrypt as a CA
  • Fully automated enrollment and renewals
  • Minimal configuration in a single ConfigMap object
  • Works with nginx-ingress-controller (see example)
  • Works with GKE's HTTP Load Balancer (see example)
  • Multiple domains fully supported, including virtual hosting multiple https sites on one IP (with nginx-ingress-controller's SNI support)

Example configuration (that's it!):

kind: ConfigMap
apiVersion: v1
metadata:
  name: kube-lego
  namespace: kube-lego
data:
  lego.email: "your@email"
  lego.url: "https://acme-v01.api.letsencrypt.org/directory"

Example Ingress (you can create more of these):

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: site1
  annotations:
    # remove next line if not using nginx-ingress-controller
    kubernetes.io/ingress.class: "nginx"
    # next line enables kube-lego for this Ingress
    kubernetes.io/tls-acme: "true"
spec:
  tls:
  - hosts:
    - site1.com
    - www.site1.com
    - site2.com
    - www.site2.com
    secretName: site12-tls
  rules:
    ...
Janos Lenart answered Oct 25 '22 03:10

There are several ways to set up an SSL endpoint, but your solution needs to solve 2 issues: First, you need to get a valid cert and key. Second, you would need to set up an SSL endpoint in your infrastructure.

Have a look at the k8s ingress controller. You can provide an ingress controller with a certificate/key secret from the k8s secret store to set up an SSL endpoint. Of course, this requires you to already have a valid certificate and key.

You could have a look at k8s specific solutions for issuing and using certificates like the Kubernetes Letsencrypt Controller, but I have never used them and cannot say how well they work.

Here are some general ideas to issue and use SSL certificates:

1. Getting a valid SSL certificate and key

AWS

If you are running on AWS, the easiest way I can think of is by setting up an ELB, which can issue the SSL cert automatically for you.

LetsEncrypt

You could also have a look at LetsEncrypt to issue free certificates for your domain. The nice thing about it is that you can automate your cert issuing process.

CA

Of course, you could always go the old-fashioned way and issue a certificate from a provider that you trust.

2. Setting up the SSL endpoint

AWS

Again, if you have an ELB then it already acts as an endpoint and you are done. Of course your client <-> ELB connection is encrypted, but ELB <-> k8s-cluster is unencrypted.

k8s ingress controller

As mentioned above, depending on the k8s version you use you could also set up a TLS ingress controller.

k8s proxy service

Another option is to set up a service inside your k8s cluster, which terminates the SSL connection and proxies the traffic to your meteor application unencrypted. You could use nginx as a proxy for this. In this case I suggest you store your certificate's key inside the k8s secret store and mount it inside the nginx container. NEVER ship a container which has secrets such as certificate keys stored inside! Of course you still somehow need to send your encrypted traffic to a k8s node - again, there are several ways to achieve this... The easiest would be to modify your DNS entry to point to the k8s nodes, but ideally you would use a TCP LB.

fishi0x01 answered Oct 25 '22 03:10
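Added example, not code from either answer: it builds the kubernetes.io/tls Secret that an Ingress references through secretName (the "store the key in the k8s secret store" step of the second answer), refusing material that landed in the wrong slot, and lints an Ingress for the kube-lego tls-acme annotation and TLS hosts from the first answer's manifest. The PEM strings are constructed placeholders, and the host-to-rule check is this example's own expectation rather than a documented kube-lego requirement.

```python
import base64

# Constructed placeholder PEM blobs (not real key material) so the example runs offline.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIE...placeholder...\n-----END PRIVATE KEY-----\n"

def b64(text):
    """Kubernetes Secret 'data' values are base64-encoded bytes."""
    return base64.b64encode(text.encode()).decode()

def pem_slot_errors(cert_pem, key_pem):
    """Catch material in the wrong slot (a key pasted into tls.crt would be served to every client)."""
    errors = []
    if "PRIVATE KEY-----" in cert_pem:
        errors.append("tls.crt must contain only certificates, never a private key")
    if "-----BEGIN CERTIFICATE-----" not in cert_pem:
        errors.append("tls.crt is not PEM certificate data")
    if "PRIVATE KEY-----" not in key_pem:
        errors.append("tls.key is not a PEM private key")
    return errors

def tls_secret_manifest(name, namespace, cert_pem, key_pem):
    """Build a kubernetes.io/tls Secret that an Ingress can reference via secretName."""
    errors = pem_slot_errors(cert_pem, key_pem)
    if errors:
        raise ValueError("; ".join(errors))
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "type": "kubernetes.io/tls",
        "metadata": {"name": name, "namespace": namespace},
        "data": {"tls.crt": b64(cert_pem), "tls.key": b64(key_pem)},
    }

def ingress_tls_issues(ingress):
    """Lint an Ingress dict for what kube-lego and the ingress controller need to serve TLS."""
    issues = []
    annotations = ingress.get("metadata", {}).get("annotations", {})
    if annotations.get("kubernetes.io/tls-acme") != "true":
        issues.append('annotation kubernetes.io/tls-acme is not "true"; kube-lego will skip this Ingress')
    spec = ingress.get("spec", {})
    rule_hosts = {rule.get("host") for rule in spec.get("rules", [])}  # hosts that actually route
    for block in spec.get("tls", []):
        if not block.get("secretName"):
            issues.append("tls block has no secretName to hold the certificate")
        for host in block.get("hosts", []):
            if host not in rule_hosts:
                issues.append(f"tls host {host} has no routing rule")
    return issues
```

Dump the returned Secret dict as JSON and feed it to `kubectl apply -f`; JSON manifests are accepted the same as YAML.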