Let's face it: Nobody wants their personal blog to be vulnerable. A few weeks ago, I was setting up a new blog on Kubernetes, and I realized how crucial it was to secure it with SSL/TLS. This tutorial will walk you through the process, even if you're new to Kubernetes. We'll use the Nginx Ingress Controller and Cert-Manager to make it easy.
Objective: Secure a simple application (like a personal blog) running on Kubernetes using SSL/TLS certificates automatically obtained from Let's Encrypt.
Prerequisites:
- A Kubernetes cluster (Minikube is a great option for beginners!).
- kubectl configured to access your cluster.
- A basic understanding of Kubernetes concepts (we'll explain the important ones as we go!).
Steps:
1. Install Nginx Ingress Controller:
The Nginx Ingress Controller acts as a reverse proxy, directing traffic to your application. Think of it as a smart bouncer for your blog.
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/main/deploy/static/provider/cloud/deploy.yaml
This command applies a YAML configuration file. This file creates all the necessary Kubernetes components (namespaces, service accounts, etc.) to run the Nginx controller.
What's happening here? We're using a pre-built YAML file to automate the deployment. It handles the complexities of setting up the controller, so you don't have to!
2. Verify Installation:
Let's check if the controller is running.
kubectl get pods -n ingress-nginx
You should see pods with a "STATUS" of "Running". If you see any errors, check the pod logs for clues:
kubectl logs <pod-name> -n ingress-nginx
3. Install Cert-Manager:
Cert-Manager automates the process of getting and renewing SSL certificates from Let's Encrypt. It's like a magic certificate machine!
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.8.0/cert-manager.yaml
This installs Cert-Manager. Make sure you're using a version compatible with your cluster.
4. Create a Certificate Issuer (Let's Encrypt Configuration):
We need to tell Cert-Manager to use Let's Encrypt. Create a file named issuer.yaml with this content, replacing <your-email@example.com> with your email address:
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <your-email@example.com>
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
This configures Cert-Manager to use Let's Encrypt for certificate issuance.
5. Apply the Issuer:
kubectl apply -f issuer.yaml
This makes the Let's Encrypt configuration active.
6. Configure Ingress with TLS:
Now, let's secure your blog! Create ingress.yaml:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-blog-ingress
  annotations:
    cert-manager.io/issuer: "letsencrypt-prod"
spec:
  ingressClassName: nginx # Needed so the Nginx controller picks up this Ingress
  tls:
  - hosts:
    - myblog.example.com # Replace with your domain
    secretName: my-blog-tls
  rules:
  - host: myblog.example.com # Replace with your domain
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: my-blog-service # Replace with your service name
            port:
              number: 80
Remember to replace placeholders with your domain and service name.
7. Apply the Ingress:
kubectl apply -f ingress.yaml
This creates the Ingress resource. Cert-Manager will automatically start getting your certificate.
8. Test the Secure Ingress:
Once the certificate is issued (check the status of the secret my-blog-tls), access your blog via HTTPS: https://myblog.example.com
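If no certificate shows up, the cause is often a mismatch between the Issuer from step 4 and the Ingress from step 6. The script below is an added example, not part of the original tutorial: it reads the output of `kubectl get ingress,issuer -A -o json` and reports such mismatches for the namespaced Issuer setup used here. The `blog` namespace, the `www` host and the file name `check_tls.py` are constructed for illustration.

```python
import json
import sys

# Let's Encrypt staging endpoint: certificates from it are not browser-trusted.
STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"

def check(items):
    """Return a list of problems found in parsed Ingress/Issuer objects."""
    issuers = {(i["metadata"].get("namespace", "default"), i["metadata"]["name"]): i
               for i in items if i["kind"] == "Issuer"}
    problems = []
    for ing in (i for i in items if i["kind"] == "Ingress"):
        meta, spec = ing["metadata"], ing.get("spec", {})
        ns, name = meta.get("namespace", "default"), meta["name"]
        ref = meta.get("annotations", {}).get("cert-manager.io/issuer")
        if ref is None:
            problems.append(f"{ns}/{name}: no cert-manager.io/issuer annotation")
        elif (ns, ref) not in issuers:
            # An Issuer is namespaced: it must live in the Ingress's namespace.
            problems.append(f"{ns}/{name}: Issuer '{ref}' not found in namespace '{ns}'")
        elif issuers[(ns, ref)].get("spec", {}).get("acme", {}).get("server") == STAGING:
            problems.append(f"{ns}/{name}: Issuer '{ref}' points at the staging CA")
        tls = spec.get("tls", [])
        covered = {h for t in tls for h in t.get("hosts", [])}
        for t in tls:
            if not t.get("secretName"):
                problems.append(f"{ns}/{name}: tls entry without secretName")
        for rule in spec.get("rules", []):
            host = rule.get("host")
            if host and host not in covered:
                # Routed host with no certificate requested for it.
                problems.append(f"{ns}/{name}: host '{host}' is routed but not in spec.tls")
    return problems

# Constructed sample: the tutorial's objects, with two deliberate mistakes
# (Ingress in another namespace than the Issuer, and an extra uncovered host).
SAMPLE = [
    {"kind": "Issuer", "metadata": {"name": "letsencrypt-prod", "namespace": "default"},
     "spec": {"acme": {"server": "https://acme-v02.api.letsencrypt.org/directory"}}},
    {"kind": "Ingress",
     "metadata": {"name": "my-blog-ingress", "namespace": "blog",
                  "annotations": {"cert-manager.io/issuer": "letsencrypt-prod"}},
     "spec": {"tls": [{"hosts": ["myblog.example.com"], "secretName": "my-blog-tls"}],
              "rules": [{"host": "myblog.example.com"}, {"host": "www.myblog.example.com"}]}},
]

if __name__ == "__main__":
    # Usage: kubectl get ingress,issuer -A -o json | python3 check_tls.py
    items = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)["items"]
    for problem in check(items):
        print("PROBLEM:", problem)
```

Run without piped input, it checks the constructed sample and prints both problems.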
Likely Challenges Encountered:
- DNS Propagation: It might take time for your DNS changes to take effect. Be patient!
- Rate Limits: Let's Encrypt has rate limits. If you encounter issues, try again later.
- HTTP-01 Challenge: This challenge requires your Ingress controller to be publicly accessible. Check your firewall settings.