TLS termination

Let's secure booksapp.linkerd.local with TLS termination at the nginx gateway:

  1. Create a leaf certificate for booksapp.linkerd.local (the command is one line; it is wrapped here with backslashes):
$ kubectl -n step exec -t step-0 -- \
    step certificate create booksapp.linkerd.local booksapp.crt booksapp.key \
    --profile leaf --ca identity.crt --ca-key identity.key \
    --no-password --insecure --force --kty=RSA --not-after=2160h
Your certificate has been saved in booksapp.crt.
Your private key has been saved in booksapp.key.

$ kubectl -n step cp step-0:booksapp.crt booksapp.crt

$ kubectl -n step cp step-0:booksapp.key booksapp.key

We need to pass the certificate chain, together with the leaf certificate's private key, to the nginx ingress controller so that it can terminate TLS and present a valid certificate to the client.

  2. Create a certificate chain consisting of the leaf certificate followed by the intermediate certificate (the order matters: the leaf must come first):
$ cat booksapp.crt /tmp/identity.crt > ca-bundle.crt
  3. Create a Kubernetes TLS secret, booksapp-keys, from the certificate chain, ca-bundle.crt, for the leaf certificate whose Common Name (CN) is booksapp.linkerd.local, and from the private key, booksapp.key:
$ kubectl -n linkerd-lab create secret tls booksapp-keys --key booksapp.key --cert ca-bundle.crt
secret/booksapp-keys created
  4. The nginx controller picks up the Kubernetes TLS secret, booksapp-keys, when we create an ingress rule that maps an external domain name to an internal microservice name. The following is the ingress definition we created earlier, modified to include the TLS secret:
# Script : 07-create-booksapp-ingress-tls.yaml

apiVersion: extensions/v1beta1
kind: Ingress
...
spec:
  rules:
  - host: booksapp.linkerd.local
    http:
      paths:
      - backend:
          serviceName: webapp
          servicePort: 7000
        path: /
  tls:
  - hosts:
    - booksapp.linkerd.local
    secretName: booksapp-keys
  5. Apply the modified ingress:
$ kubectl -n linkerd-lab apply -f 07-create-booksapp-ingress-tls.yaml
ingress.extensions/booksapp created
  6. nginx watches the endpoints in all namespaces; as soon as an endpoint is created or updated, nginx picks up the change immediately. Find the nginx pod name:
$ NGINX_POD=$(kubectl -n kube-system get pod -l app=nginx-controller -o jsonpath='{.items..metadata.name}') ; echo $NGINX_POD
nginx-controller-5dbfd77f4d-2plhd
  7. List the configurations that have been pushed to nginx:
$ kubectl -n kube-system exec -it $NGINX_POD -- ls -l /etc/nginx/conf.d
  8. Check the newly updated configuration:
$ kubectl -n kube-system exec -it $NGINX_POD -- cat /etc/nginx/conf.d/linkerd-lab-booksapp.conf

  9. List the TLS secrets:
$ kubectl -n kube-system exec -it $NGINX_POD -- ls -l /etc/nginx/secrets
  10. Check the updated secret, which holds the certificate chain and the private key:
$ kubectl -n kube-system exec -it $NGINX_POD -- cat /etc/nginx/secrets/linkerd-lab-booksapp-keys

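Before the secret is created and handed to nginx, it is worth verifying the material that goes into it. The following Go program is an added example (not code from the book, Linkerd or step): checkBundle parses a ca-bundle.crt, confirms that the leaf comes first and chains to the CA certificate given as the trust anchor, that the leaf is valid for booksapp.linkerd.local, and that the PKCS#1 RSA key (the form step writes with --kty=RSA) belongs to that leaf. The CA and leaf are constructed in-process by mint as stand-ins for identity.crt and booksapp.crt; the function names and the CA name are this example's own assumptions, and in a real check you would pass the CA certificate your clients trust.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkBundle validates booksapp-keys material: leaf first, then the certs chaining it to the CA in caPEM; the leaf must be valid for host and the PKCS#1 RSA key (the form step writes) must belong to it.
func checkBundle(bundlePEM, keyPEM, caPEM []byte, host string) error {
	var certs []*x509.Certificate
	for b, rest := pem.Decode(bundlePEM); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil { return err }
		certs = append(certs, c)
	}
	if len(certs) < 2 { return fmt.Errorf("bundle has %d cert(s); need the leaf followed by its issuer", len(certs)) }
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	if !roots.AppendCertsFromPEM(caPEM) { return fmt.Errorf("no CA certificate in caPEM") }
	for _, c := range certs[1:] { inters.AddCert(c) } // everything after the leaf is treated as an intermediate
	if _, err := certs[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inters}); err != nil { return fmt.Errorf("chain or hostname check failed: %w", err) }
	kb, _ := pem.Decode(keyPEM)
	if kb == nil { return fmt.Errorf("keyPEM is not PEM") }
	key, err := x509.ParsePKCS1PrivateKey(kb.Bytes)
	if err != nil { return err }
	if pub, ok := certs[0].PublicKey.(*rsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) { return fmt.Errorf("private key does not belong to the leaf certificate") }
	return nil
}
// mint issues a constructed self-signed CA (ca=true) or a leaf signed by parent and returns cert, key and both as PEM; a demo stand-in for step's CA, not how the page's identity.crt or booksapp.crt were made.
func mint(cn string, ca bool, parent *x509.Certificate, pkey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, []byte, []byte) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn}, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(2160 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment}
	if ca { parent, pkey, t.KeyUsage = t, key, x509.KeyUsageCertSign } else { t.DNSNames = []string{cn} } // leaf gets a SAN, CA self-signs
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(key)})
}
func main() { // constructed stand-ins for identity.crt, booksapp.crt, booksapp.key and ca-bundle.crt
	caCert, caKey, caPEM, _ := mint("Constructed Intermediate CA", true, nil, nil)
	_, _, leafPEM, leafKeyPEM := mint("booksapp.linkerd.local", false, caCert, caKey)
	fmt.Println("booksapp-keys material:", checkBundle(append(leafPEM, caPEM...), leafKeyPEM, caPEM, "booksapp.linkerd.local"))
}
```

A leaf-only bundle, a key from another certificate, a bundle with the CA placed before the leaf, or a leaf issued for a different host are all rejected, which are the mistakes that otherwise surface only as browser errors after the secret is deployed.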
With TLS termination in place at the ingress gateway, we now switch back to the browser in the VM to test it.
