I'm running a Kubernetes cluster in AKS with Traefik as Ingress controller. I have cert-manager to automatically generate and renew certificates from Let's encrypt. It's a SaaS application, so users can choose to configure their own domain names. So for example, the "generic" URL would be mysaas.com, bust customers can choose to use something like customer.com and CNAME that to mysaas.com instead, and cert-manager will generate a cert for customer.com.
I'm currently looking at placing a WAF in front of all of this, and since I'm running in Azure I'm looking at Azure Application Gateway more specifically.
What I'm trying to figure out now, is how to automate configuration of the certs in the Application Gateway as well, so that it can decrypt/encrypt the traffic. These are the things I'm trying to figure out how to do (if they're even possible):
Automate upload of certs to Azure KeyVault and let Application Gateway read them from there
Con: Not sure how to do this
Pro: Cert management is still handled by cert-manager which I trust
Automate upload of certs directly to Application Gateway
Con: Not sure how to do this
Pro: Cert management is still handled by cert-manager which I trust
Skip encryption between Application Gateway and the AKS cluster and let Application Gateway handle generation/renewal of certs.
I would have to make the cluster private, but I guess that's a good thing.
Pro: Nice not having two things depend on the certs (Traefik and Application Gateway)
Con: The current setup using cert-manager works fine and I have monitoring in place for that. I'm not sure I can get a setup as nice as that using only Application Gateway, and I don't know if it's even possible.
I know that the Azure Application Gateway Ingress Controller exists, but I really like the setup with Traefik that I have in place today, and frankly there are too many things that scare me a bit about the AGIC.
Related
I'm building a service that require PKI MTLS X509Certificate authentication.
So I have an AWS ACM Private CA that issues private client certificates to identify the client and regular ACM issued certificate to identify the server.
For the MTLS authentication I use Spring security (Java), which requires a trust store containing the private root CA certificate for authenticating clients as well as a PKCS#12 key store to enforce SSL (for the client to authenticate the server).
Everything works fine when I run it locally using SSL.
Before I enabled SSL in the application, everything worked fine in the cluster as well.
However, when I added MTLS logic to the application the connection hangs when talking to the application in the cluster.
I'm guessing that I need to configure https for my service/ingress in the cluster, but everything I find specifies an arn for the certificate to be used, while I already have it installed in the application.
All I want to do is to allow https traffic to pass through the load balancer into my application and let the application handle the SSL stuff.
Alternatively if it would be possible to configure X509Certificate authentication in Spring security without the SSL certificate for the client to verify the server.
In that case the SSL certificate would only be used in production and not locally.
Would that be possible and what's the pros and cons with each?
So in the end I ended up using the nginx ingress controller with ssl-passthrough.
However, EKS Fargate pods do not support the nginx ingress controller, so I had to create a new managed cluster.
Technically I could have used mixed cluster with both managed and Fargate nodes, but I felt that Fargate had given me enough headache and when I did some calculations I found that Fargate probably costs more in our case.
I'm deploying a custom SaaS platform to Kubernetes and my clients get X.myplatform.com domains. So, could be acmecorp.myplatform.com, etc.
Previously, on our old devops setup, we just had an Apache record that was *.myplatform.com and had a wildcard Let's Encrypt certificate to secure it. However, we're now moving to Kubernetes and I feel a bit stumped on how to handle this.
For further context, we're using GitLab's Auto DevOps features for our deployments, though I can work to customize our Ingress or cert-manager installs however necessary.
Any suggestions on how to best achieve this? We use Cloudflare on the network level, but without their Enterprise plan, I can't proxy wildcard subdomains.
I'm trying to apply SSL to my kubernetes clusters (production & staging environment), but for now only on staging. I successfully installed the cert-manager, and since I have a 5 subdomains, I want to use wildcards, so I want to configure it with dns01. The problem is, we us GoDaddy for DNS management, but it's currently not supported (I think) by cert-manager. There is an issue (https://github.com/jetstack/cert-manager/issues/1083) and also a PR to support this, but I was wondering if there is a workaround for this to use godaddy with cert-manager since there is not a lot of activity on this subject? I want to use ACME so I can use let's encrypt for certificates.
I'm fairly new to kubernetes, so if I missed something let me know.
Is it possible to use let's encrypt with other type of issuers than ACME? Is there any other way where I can use GoDaddy DNS & let's encrypt with kubernetes?
For now I don't have any Ingresses but only 2 services that are external faced. One frontend and one API gateway as LoadBalancer services.
Thanks in advance!
yes definitely you can use the cert-manager with k8s and let's encrypt will be also nice to manage the certificate.
ACME have different api URL to register domain. from there also you can get wildcard * SSl for doamin.
in simple term install cert manager and use ingress controller of nginx and you will be done with it. you have to add the TLS cert on define it on the ingress object.
You can refer this tutorial for setup of cert-manager and nginx ingress controller.
https://docs.cert-manager.io/en/venafi/tutorials/quick-start/index.html
If you are looking to connect publicly-trusted CAs to Kubernetes via cert-manager (such as GlobalSign, DigiCert, Entrust), you can use Venafi Cloud as an issuer with cert-manager to automate certificate renewals for Kubernetes.
Venafi Cloud connects to third-party CAs and is integrated with cert-manager. Venafi Cloud also has a built-in certification authority for privately trusted certificates for internal-facing infrastructure such as containers.
Here are the links that are relevant to get this this set up:
https://cert-manager.io/docs/configuration/venafi/#creating-a-venafi-cloud-issuer
https://www.venafi.com/venaficloud
The accepted solution does work -- a different issuer is one way to go. Though if you want to use the ACME issuer, you'll need to solve challenges. This can be done via either a HTTP01 solver or a DNS01 solver. If you choose to go with the DNS01 solver, you'll either need:
to move your DNS hosting from GoDaddy to one of the supported providers.
or you can try using this GoDaddy Webhook provider, which you may already be aware of. Though I can't guarantee that the project is in working status.
I have an application that is internal and exposed only to other application on the cluster by a service with cluster IP. Other services are accessing this application via it's DNS (serviceName-namespace.svc.cluster.local). This application handles sensitive data, so although all the communication is inside the cluster I would like to use TLS to secure the communications to this application.
My question is - how can I enable TLS on a service? Is there something already exist or should I handle it on the application code? Also, is there already a CA I can use on the cluster that can sign certificates for .svc.cluster.local?
To clarify, I know I can use ingress for this purpose. The only problem is keeping this service internal only - so only services inside the cluster will be able to access it.
Thanks,
Omer
I just found that Kubernetes API can be used to generate a certificate that will be trusted by all the pods running on the cluster. This option might be simpler than the alternatives. You can find the documentation here, including full flow of generating a certificate and using it.
Following #vonc comments from bellow, I think I have a solution:
Purchase a public valid domain for this service (e.g. something.mycompany.com).
Use CoreDNS to add override rule so all requests to something.mycompany.com will go to something-namesapce.svc.cluster.local, as the service is not exposed externally (this can be done also with normal A record for my use case).
Use Nginx or something else to handle TLS with the certificate for something.mycompany.com.
This sounds pretty complicated but might work. What do you think?
Check if the tutorial "Secure Kubernetes Services with Ingress, TLS and LetsEncrypt" could apply to you:
Ingress can be backed by different implementations through the use of different Ingress Controllers. The most popular of these is the Nginx Ingress Controller, however there are other options available such as Traefik, Rancher, HAProxy, etc. Each controller should support a basic configuration, but can even expose other features (e.g. rewrite rules, auth modes) via annotations.
Give it a domain name and enable TLS. LetsEncrypt is a free TLS certificate authority, and using the kube-lego controller we can automatically request and renew LetsEncrypt certificates for public domain names, simply by adding a few lines to our Ingress definition!
In order for this to work correctly, a public domain name is required and should have an A record pointing to the external IP of the Nginx service.
For limiting to inside the cluster domain though (svc.cluster.local), you might need CoreDNS.
On Google Cloud you can make load balancer service internal, like this:
annotations = {
"cloud.google.com/load-balancer-type" = "Internal"
}
Is there built-in support for enabling SSL on Azure Container Instances? If not, can we hook up to SSL providers like Lets Encrypt?
There is nothing built-in today. You need to load the certs into the container and terminate SSL there. Soon, we will enable support for ACI containers to join an Azure virtual network, at which point you could front your containers with Azure Application Gateway and terminate SSL there.
As said above, no support today for built-in SSL when using ACI. I'm using Azure Application Gateway to publish my container endpoint using the HTTP-to-HTTPS bridge. This way, App Gateway needs a regular HTTPS cert (and you can use whichever model works best for you as long as you can introduce a .PFX file during provisioning or later during configuratiorn) and it will then use HTTP to talk to your (internally facing) ACI-based container. This approach becomes more secure if you bind your ACI-based container to a VNET and restrict traffic from elsewhere.
To use SSL within the ACI-container you'd need to introduce your certification while provisioning the container, and then somehow automate certificate expiration and renewal. As this is not supported in a reasonable way, I chose to use the App Gateway to resolve this. You could also use API Management but that is obviously slightly more expensive and introduces a lot more moving parts.
I blogged about this configuration here and the repo with provisioning scripts is here.
You can add SSL support at the API Gateway and simply configure the underlying API over HTTP.
You will need the secrete key to execute above api method!
You can access the underlying API hosted at the Azure Container Instance. This method does not require jwt token as this is a demo api.