Configure HTTPS / TLS / SSL on Kubernetes with Kube-Lego hosted on Azure Container Service

What if you could configure your infrastructure with a process that requests your SSL certificates automatically? Not only that, but this process also registers the certificates in your infrastructure. There is more: the process renews the certificates well before they expire (Let's Encrypt certificates are valid for 90 days), so a certificate never lapses. All of this is completely automated, and it is even completely free. You or your traditional ops department won't believe this is possible.

Enter the new world of infrastructure: Kube-Lego, of course hosted on Kubernetes.
Now I hear you think: "This is too good to be true. It must be hard to configure." The configuration is actually really easy, as you will see in this blog post.

Kube-Lego

The open source tool Kube-Lego uses the Let's Encrypt service to acquire SSL/TLS certificates.
With Let's Encrypt you can get SSL/TLS certificates for free. Let's Encrypt wants a more secure internet and offers this service with automation in mind; Kube-Lego makes this possible in practice on Kubernetes. Let's Encrypt has announced support for wildcard certificates from January 2018. Note that wildcards require the ACME v2 API and DNS-based validation; Kube-Lego uses the v01 endpoint and HTTP-01 validation, so the setup below issues certificates for explicit host names only.

To install Kube-Lego we are going to deploy two resources in Kubernetes: a ConfigMap and a Deployment that runs the Kube-Lego Pod. Besides this we are going to add some configuration to our Ingress.

Steps to install and configure Kube-Lego

Prerequisites:

  • you should have Ingress configured on your Kubernetes cluster. You can read how to do this in my blog post, which is a step-by-step manual.
  • you also need a DNS entry so the public IP address of the Ingress Service can be reached on a host name. Let's Encrypt proves that you control that name by fetching a challenge file from it over plain HTTP (port 80), so the name must resolve publicly and port 80 on the Ingress must be reachable from the internet; otherwise the certificate won't be issued.

1. Install a ConfigMap

Change the email address; it is used to create an account at Let's Encrypt, and expiry warnings are sent to it. I've chosen to install Kube-Lego in the kube-system namespace.

apiVersion: v1
kind: ConfigMap
metadata:
  name: kube-lego
  namespace: kube-system
data:
  # modify this to specify your address
  lego.email: "youremailaddress@xyz.com"
  # configure letsencrypt's production api
  # (while testing, use https://acme-staging.api.letsencrypt.org/directory instead:
  # the production endpoint enforces rate limits on repeated and failed requests)
  lego.url: "https://acme-v01.api.letsencrypt.org/directory"

kubectl apply -f KubeLegoConfigMap.yaml

2. Install the Kube-Lego Pod (as a Deployment)

Kube-Lego watches Ingress resources and writes the issued certificates into Secrets. The manifest below, like the original, defines no ServiceAccount or RBAC rules, so it only works on a cluster where the default service account in kube-system is allowed to read Ingresses and create and update Secrets; on a cluster with RBAC enforced you have to grant those permissions first.

apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  name: kube-lego
  namespace: kube-system
spec:
  replicas: 1
  template:
    metadata:
      labels:
        app: kube-lego
    spec:
      containers:
      - name: kube-lego
        # pinned to a fixed tag so an updated image cannot change the
        # controller underneath you; imagePullPolicy Always re-pulls that tag
        image: jetstack/kube-lego:0.1.5
        imagePullPolicy: Always
        ports:
        - containerPort: 8080
        env:
        - name: LEGO_EMAIL
          valueFrom:
            configMapKeyRef:
              name: kube-lego
              key: lego.email
        - name: LEGO_URL
          valueFrom:
            configMapKeyRef:
              name: kube-lego
              key: lego.url
        - name: LEGO_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: LEGO_POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        readinessProbe:
          httpGet:
            path: /healthz
            port: 8080
          initialDelaySeconds: 5
          timeoutSeconds: 1

kubectl apply -f KubeLego.yaml

3. Change the Ingress

Based on the Ingress from my blog post on how to configure Ingress, you have to add the following:
– Add the following annotation (Kube-Lego only processes Ingresses that carry it):

kubernetes.io/tls-acme: "true"

– Add the tls configuration. The certificate and its private key are stored in the Secret named here, in the Ingress's namespace, so restrict who can read Secrets in that namespace:

spec:
  tls:
  - hosts:
    - mymicroservices.xpirit.nl
    secretName: tls-kubelego

The complete Ingress, looks like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: myingress
  annotations:
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.class: nginx
    ingress.kubernetes.io/rewrite-target: /
spec:
  tls:
  - hosts:
    - mymicroservices.xpirit.nl
    secretName: tls-kubelego
  rules:
  - host: mymicroservices.xpirit.nl
    http:
      paths:
      - path: /mywebapi
        backend:
          serviceName: myapiservice
          servicePort: 80

kubectl apply -f DeployIngress.yaml

Wait a short time after deployment so Kube-Lego can create an account at Let's Encrypt for you and then request, download and store the certificate in the secret. When you have multiple host names in your Ingress, Kube-Lego obtains certificates for every host name listed under tls; a host that only appears under rules is not covered, so make sure every host in your rules is also listed under tls.

Now you can access your services over HTTPS.
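The mistakes that keep Kube-Lego from issuing a certificate are all visible in the Ingress manifest itself: the tls-acme annotation missing, a tls entry without a secretName, a host under rules that nobody listed under tls, or a wildcard name that HTTP-01 validation cannot prove control of. The following checker, an added example that is not part of the original post or of the Kube-Lego project, runs those checks over a manifest before you apply it. It takes the manifest as JSON (kubectl accepts JSON as well as YAML) to avoid a YAML library dependency; the function names are my own, and both sample manifests are constructed for this example, the first being the Ingress from this post.

```python
"""Lint an Ingress manifest before Kube-Lego sees it (added example)."""
import json
import re

# RFC 1123 label: letters, digits and hyphens, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")


def valid_hostname(host):
    """True for a fully qualified, non-wildcard DNS name.

    Kube-Lego validates ownership with the HTTP-01 challenge, which cannot
    prove control of a wildcard name, so "*.example.com" is rejected here.
    """
    if not host or len(host) > 253 or "*" in host:
        return False
    return all(LABEL_RE.match(label) for label in host.lower().split("."))


def check_ingress(manifest):
    """Return a list of problems; an empty list means Kube-Lego can act on it."""
    problems = []
    annotations = manifest.get("metadata", {}).get("annotations", {})
    # Kube-Lego ignores Ingresses that do not carry this annotation.
    if annotations.get("kubernetes.io/tls-acme") != "true":
        problems.append('missing annotation kubernetes.io/tls-acme: "true"')

    spec = manifest.get("spec", {})
    tls_entries = spec.get("tls", [])
    if not tls_entries:
        problems.append("spec.tls is empty, so no certificate will be requested")

    tls_hosts = set()
    for i, entry in enumerate(tls_entries):
        if not entry.get("secretName"):
            problems.append("spec.tls[%d] has no secretName to store the certificate in" % i)
        for host in entry.get("hosts", []):
            if not valid_hostname(host):
                problems.append("spec.tls[%d]: %r is not a host name HTTP-01 can validate" % (i, host))
            tls_hosts.add(host.lower())

    # Only hosts under spec.tls get a certificate; a rule host missing there
    # is served without one.
    for rule in spec.get("rules", []):
        host = rule.get("host", "")
        if host and host.lower() not in tls_hosts:
            problems.append("rule host %s is not listed under spec.tls" % host)
    return problems


# Constructed sample: the Ingress from the post, written as JSON.
GOOD_INGRESS = json.loads("""
{"apiVersion": "extensions/v1beta1", "kind": "Ingress",
 "metadata": {"name": "myingress",
              "annotations": {"kubernetes.io/tls-acme": "true",
                              "kubernetes.io/ingress.class": "nginx",
                              "ingress.kubernetes.io/rewrite-target": "/"}},
 "spec": {"tls": [{"hosts": ["mymicroservices.xpirit.nl"], "secretName": "tls-kubelego"}],
          "rules": [{"host": "mymicroservices.xpirit.nl",
                     "http": {"paths": [{"path": "/mywebapi",
                                         "backend": {"serviceName": "myapiservice",
                                                     "servicePort": 80}}]}}]}}
""")

# Constructed sample of the usual mistakes: annotation missing, no secretName,
# a wildcard under tls, and rule hosts that nobody listed under tls.
BAD_INGRESS = json.loads("""
{"apiVersion": "extensions/v1beta1", "kind": "Ingress",
 "metadata": {"name": "myingress"},
 "spec": {"tls": [{"hosts": ["*.xpirit.nl"]}],
          "rules": [{"host": "mymicroservices.xpirit.nl", "http": {"paths": []}},
                    {"host": "api.xpirit.nl", "http": {"paths": []}}]}}
""")

if __name__ == "__main__":
    for name, manifest in (("good", GOOD_INGRESS), ("bad", BAD_INGRESS)):
        problems = check_ingress(manifest)
        print(name + ":", "OK" if not problems else "")
        for problem in problems:
            print("  -", problem)
```

Run it against your own manifest by converting it with kubectl (kubectl convert or kubectl create --dry-run -o json) and calling check_ingress on the parsed result; an empty list means the annotation, tls and rules sections line up the way Kube-Lego expects.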

In case of problems:
You can take a look at the logs of Kube-Lego:
1. Get the name of the Pod which is running Kube-Lego:
kubectl get pods -n kube-system
2. Take a look at the log:
kubectl logs -f <kubelegopodname> -n kube-system

All files can be found on my GitHub account.
