While configuring the HPA EKS Ingress, I want to set up SSL. I want to know how I can achieve this: in which YAML file, and where, do I need to add the annotation?
I have Kubernetes with Kafka, where Istio with Strimzi is also running. Certificates are stored in cert-manager. I want to use TLS passthrough in my ingress, but I am a little bit confused about it.
When SIMPLE is used, there is credentialName, which must be the same as the secret name.
```yaml
tls:
  mode: SIMPLE
  credentialName: httpbin-credential
```
It is a nice and simple way. But how about mode: PASSTHROUGH when I have many hosts? I studied the demo on the Istio website (https://istio.io/latest/docs/tasks/traffic-management/ingress/ingress-sni-passthrough/#deploy-an-nginx-server), where the certificate details are stored in the server configuration file and they create a ConfigMap. The official Istio documentation notes that this parameter is only for MUTUAL and SIMPLE.
What is the correct and simple way to expose my hosts to external traffic using the Istio ingress and cert-manager?
The difference between SIMPLE & PASSTHROUGH is:
SIMPLE TLS instructs the gateway to pass the ingress traffic by terminating TLS.
PASSTHROUGH TLS instructs the gateway to pass the ingress traffic AS IS, without terminating TLS.
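As an added example (not part of the answer above), here is what the PASSTHROUGH side of that distinction looks like with cert-manager in the picture: the Gateway carries no credentialName because it only reads the SNI and forwards the TLS stream, so the cert-manager Certificate is issued into the namespace of the workload that terminates TLS, not into istio-system as a SIMPLE credential would be. The host, namespaces, ClusterIssuer name and the backend Service name are assumptions.

```yaml
# Added example, not from the original answer; names, namespaces and the Service are assumptions.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kafka-tls
  namespace: kafka                 # PASSTHROUGH: the workload terminates TLS, so the Secret lives here
spec:
  secretName: kafka-tls            # mounted by the backend listener; the gateway never sees this key
  dnsNames: [kafka.example.com]
  issuerRef:
    name: letsencrypt-prod         # assumed ClusterIssuer
    kind: ClusterIssuer
---
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: kafka-gateway
  namespace: istio-system
spec:
  selector:
    istio: ingressgateway
  servers:
    - port:
        number: 9094
        name: tls-kafka
        protocol: TLS
      tls:
        mode: PASSTHROUGH          # no credentialName: the gateway only reads the SNI
      hosts: [kafka.example.com]   # one entry per passthrough host, or a wildcard such as "*.example.com"
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: kafka-passthrough
  namespace: istio-system
spec:
  hosts: [kafka.example.com]
  gateways: [kafka-gateway]
  tls:
    - match:
        - port: 9094
          sniHosts: [kafka.example.com]   # the SNI picks the backend for the opaque TLS stream
      route:
        - destination:
            host: my-cluster-kafka-bootstrap.kafka.svc.cluster.local   # assumed Service
            port:
              number: 9094
```

Because the gateway cannot inspect passthrough traffic, any TLS version or cipher policy has to be enforced by the backend listener that holds the key.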
I want to generate an SSL certificate automatically on Kubernetes. My site is already up and running, but it is on HTTP://, not on HTTPS://, so which is the best way to provide them and generate the SSL certificate automatically?
I am new to k8s and learning. If I install it manually the first time, then the next time the pod gets recreated the certificate will be deleted.
So suggest an easy way to manage a certificate manager on K8s.
A few options I can think of:
You can try the certificate manager with Let's Encrypt certificates.
You can try a Kubernetes Ingress with an ingress controller like nginx, also with Let's Encrypt, as described here.
You can try a Traefik ingress controller, also with Let's Encrypt.
I am trying to set up Traefik on Kubernetes with Let's Encrypt enabled. I managed yesterday to retrieve the first SSL certificate from Let's Encrypt, but I am a little bit stuck on how to store the SSL certificates.
I am able to create a Volume to store the Traefik certificates, but that would mean that I am limited to a single replica (when having multiple replicas I am unable to retrieve a certificate, since the validation goes wrong most of the time because the volume is not shared).
I read that Traefik is able to use something like Consul, but I am wondering if I have to set up/run a complete Consul cluster just to store the fetched certificates etc.?
You can store the certificate in a Kubernetes secret and reference this secret in your ingress.
```yaml
spec:
  tls:
  - secretName: testsecret
```
The secret has to be in the same namespace the ingress is running in.
See also https://docs.traefik.io/user-guide/kubernetes/#add-a-tls-certificate-to-the-ingress
You can set up the ingress with a controller and apply for the SSL certificate from Let's Encrypt.
You can use a cluster issuer to manage the SSL certificates and store that TLS certificate on the ingress. You can also use different ingress controllers like nginx, and you can also use the service mesh Istio.
For more details you can check : https://docs.traefik.io/user-guide/kubernetes/
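The cert-manager option from the Let's Encrypt list above and the "secret referenced by the ingress" answer combine into one working setup; this is an added example, not from any of the answers, and the e-mail address, host, namespace, Service and ingress class names are assumptions. cert-manager keeps the ACME account key and every issued certificate in Secrets, so all Traefik replicas read the same certificate and nothing depends on a per-pod volume, which is the multi-replica problem the question describes.

```yaml
# Added example, not from the answers above; e-mail, host, Service and class names are assumptions.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com                 # assumed contact address for expiry notices
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, kept as a Secret by cert-manager
    solvers:
      - http01:
          ingress:
            class: traefik                 # the challenge is served through Traefik itself
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: web                           # the TLS Secret is created in this same namespace
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod   # tells cert-manager to issue for spec.tls
spec:
  ingressClassName: traefik
  tls:
    - hosts: [www.example.com]
      secretName: www-example-com-tls      # created and renewed by cert-manager, shared by every replica
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web                  # assumed Service; plain HTTP inside the cluster
                port:
                  number: 80
```

`kubectl get certificate -n web` shows READY True once the Secret is populated; `kubectl describe` on a Certificate that stays not-ready points at the failing ACME challenge.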
So I want to have this:
```text
           / Nginx1 (SSL)
HAProxy -- Nginx2 (SSL)
           \ Nginx3 (SSL)
```
But I have questions:
How do I update Let's Encrypt certs on all nodes?
If I can't do this with certbot (+ some config), how do you do this? Maybe some distributed k/v storage?
The best thing is to use HTTP-only services (not HTTPS) on the Nginx nodes and configure SSL on the balancer.
Options:
Traefik. Can be configured to auto-update Let's Encrypt certs.
Fabio. Can also be configured to use SSL certs (I've used HashiCorp Vault to store them). Need to configure updates myself.
Those two integrate well with service discovery tools like Consul.
I have been reading the Amazon Elastic Beanstalk documentation, and was able to add the following lines to a configuration file in .ebextensions to set the Elastic Load Balancer to use HTTPS:
```yaml
option_settings:
  # Elastic Load Balancer Options
  - namespace: aws:elb:loadbalancer
    option_name: LoadBalancerHTTPPort
    value: 80
  - namespace: aws:elb:loadbalancer
    option_name: LoadBalancerPortProtocol
    value: HTTP
  - namespace: aws:elb:loadbalancer
    option_name: LoadBalancerHTTPSPort
    value: 443
  - namespace: aws:elb:loadbalancer
    option_name: LoadBalancerSSLPortProtocol
    value: HTTPS
  - namespace: aws:elb:loadbalancer
    option_name: SSLCertificateId
    value: arn:aws:iam:<my cert ARN>
```
That works perfectly. However, I was unable to find in the documentation any pointers on how to set the list of allowed ciphers for this load balancer without resorting to the Console or to the CLI commands. Any ideas on how to do this?
Contacted AWS support and confirmed that this is not yet supported. Bummer.
I'm not sure when/if this changed, but you can do this on a "classic" load balancer using .ebextensions:
```yaml
option_settings:
  aws:elb:policies:tlspolicy:
    SSLProtocols: "Protocol-TLSv1.2,Server-Defined-Cipher-Order,ECDHE-RSA-AES256-SHA384,ECDHE-RSA-AES256-GCM-SHA384,ECDHE-RSA-AES128-SHA256,ECDHE-RSA-AES128-GCM-SHA256"
    LoadBalancerPorts: "443"
```
https://docs.aws.amazon.com/elasticbeanstalk/latest/dg/command-options-general.html
It seems this is possible now. According to this Elastic Load Balancer doc, you can create your own policy:
Custom Security Policy
You can create a custom negotiation configuration with the ciphers and protocols that you need. Note that some security compliance standards (such as PCI, SOX, and so on) might require a specific set of protocols and ciphers to ensure that the security standards are met. In such cases, you can create a custom security policy to meet those standards.
There are instructions at the AWS page, Update the SSL Negotiation Configuration of Your Load Balancer, for using the aws elb command to customize a policy.
I don't want to just quote what's there, but I wanted to note that it seems possible now in case somebody else comes across the question here. In brief, though, you'd use aws elb create-load-balancer-policy to create a policy where you define the set of ciphers and their order, then aws elb set-load-balancer-policies-of-listener to enable it on your load balancers.