K3S + Nginx + Cert-Manager + LetsEncrypt | HTTPS for your Kubernetes (K8s) Cluster | Tutorial

Captions
Hello folks and welcome to another video by CloudVersity. My name is Stefan, and today's topic actually got requested by someone from our little community. The question was: how do I enable HTTPS for my website, my API, or whatever application is running on my Kubernetes cluster?

A little theory beforehand. You may have heard about SSL, the Secure Sockets Layer protocol, which is now outdated; there is a new one called TLS, the Transport Layer Security protocol. These protocols add a security layer on top of your HTTP connection: they wrap around the HTTP connection, and therefore the data exchanged between the server and the client is secured. There is a lot of back and forth in the beginning when a client connects to your server and wants to establish the connection, but what the server needs to enable HTTPS in the first place is a certificate. If it is a non-trusted certificate you will end up with a warning page (I think you have seen this at least once in your life: "certificate is not trusted"), and if it is a good, valid certificate you will end up without any warning and you will have a green lock in the top left corner of your browser. I think for Chrome it is actually gray right now, but whatever.

Now you could ask: why do I need an HTTPS connection? Certificates sound super complicated, I will stick with HTTP. Yes, maybe there is a complexity layer added because you want to use certificates, but HTTP is not best practice anymore. If you want to do something in production, or even not in production, nowadays you are kind of forced to use HTTPS, just to secure the connection. Think of a man-in-the-middle attack: some intruder sits between the client and the server, and now everything that is sent between them, passwords, usernames, banking data, API data, everything, is just in plain text. What HTTPS does is that the traffic in between is encrypted, so even if the intruder can listen to the traffic, it is encrypted and he cannot decrypt it in time; there is no way. So by using HTTPS you actually protect the privacy, security and integrity of your website, your API, your application on your cluster, or even just a plain web server.

What we want to achieve in this tutorial is to obtain a valid certificate for our application. It is a demo application which we will run on our k3s cluster, again using Linode. So we will spawn the VM with the Linode cloud provider, we will install NGINX as an ingress controller, then we will install cert-manager (certificate manager) on top of this as an add-on, and then we can obtain valid certificates for our domain from the non-profit certificate authority called Let's Encrypt.

If this sounds interesting to you and you are thrilled to see more content like this, then you should definitely consider smashing the like and subscribe button down below and following me on social media like Instagram and Twitter, so you don't miss any of the upcoming content, and of course help the channel grow. I would say grab a cup of coffee or a cup of tea, depending on the hour you are watching this video, and let me walk you through today's topic after a small intro. See you in a second.

Welcome back. If you want to follow along, you need to set up a k3s cluster on your own and NGINX as an ingress controller. If you don't know how to do this, no worries: as I said in the intro, I already did a video about this; it will be linked in the top right corner right now in this video and in the video description down below. So you can go there first, set up the cluster, and then come back and follow along. Or, if you don't want to follow along and just want to watch the video, of course you can just stay here and watch the hands-on tutorial.

Okay, we have our cluster set up and we have our NGINX ingress controller, as you can see here in the top right corner of my screen, and you can see that I have a VM from the Linode cloud provider already set up and I just installed k3s onto it. What we also need is this little repository here. This will also be linked in the video description down below, and you will find all resources I use in this video in this GitLab repository, so you can just clone it and use it on your own.

On top of this we need to install cert-manager. This certificate manager is kind of an add-on, like the NGINX ingress controller, and we need it to communicate with a provider which will give us the certificate we request. So we want to obtain a certificate, we need to do some configuration work, and we will configure cert-manager to speak with Let's Encrypt. Let's Encrypt is a non-profit certificate authority, and they offer you different ways to obtain certificates for your domains. What you actually need to do to get a valid certificate is to prove that you are the owner of the domain and the server you want to obtain the certificate for. There is a tool, an add-on, for this, cert-manager, and we will use it in our k3s cluster so that we can communicate with Let's Encrypt and then get our certificate. I will show you how we do this, and I will also show you how you can use the certificate you obtained for your applications.

First of all we need to have a running application, right? So I will just go ahead and install the demo application. Either you already have a demo application, then you don't need to do this; otherwise you can clone the repository and then you need to apply the deployment and the service YAML, as well as the ingress YAML. In the ingress YAML we will make a small change, but afterwards you will have a running demo application on your cluster.

So I will go ahead and say kubectl apply -f and create the deployment YAML. Okay, good. This will spawn a demo application from Rancher, and we will see this in a second. I will do the same for the service. There is nothing special about this: it is really a deployment which has three replicas, and we can also take a look at it; you will see that there is nothing special in here, it is just three replicas of this demo application. For the service part it is also a really easy service YAML; it is just listening on port 80 and will forward the traffic it receives to port 8080.

Last but not least we need to apply the ingress YAML, but first we need to take a look at it, and you will see that there are some comments here. We need to insert our IP address, and the IP address is extended by .nip.io. What is this provider doing? To obtain certificates we need to have a valid DNS name, or, from the perspective of Kubernetes, we need to have a valid DNS name. Maybe, if you want to follow along, you only have the IP address; maybe you also have a domain, like I have the domain cloudversity.com. I could point it to the IP address and this would also work, but for demo use cases you will most likely just have the IP address. Those providers, like nip.io, xip.io and I think traefik.me, do the following: you go to their domain with your IP address as the subdomain, and they will just redirect the traffic they receive to the IP address in the subdomain. So they help you to get a hostname for your IP address at the end, and you don't need to worry about this. Nice providers out there who offer great services for free; I really like this. So all we have to do is grab our IP address from our k3s cluster and put it into the placeholder here.

The comments above we can ignore for now, but they will be important as soon as we have certificates. Okay, let's save this and apply the file. This is also applied, so what we can do now is open https://<ip>.nip.io, and we should see something. Okay, we got a "not secure" warning. Click on Advanced, Proceed, and we have our demo application running. It is just load balancing between the three replicas of our image; you can see this by looking at the three cows, one of them is always dark blue or light blue and changing, because it is load balancing between the three pods. Whatever. We received the warning, and we can take a look at the certificate: the certificate here is issued to "Kubernetes Ingress Controller Fake Certificate", and obviously this is not what we want. If you want to have your API exposed to the world wide web, to your clients, or you want to have your own website, you don't want to end up with invalid certificates and certificate warnings. We want to change this; that is the goal of this video. I will just make a screenshot of this so we can take a look at it later on.

Okay, so the next step, as already mentioned, is to install cert-manager. That is super easy; it is also linked in the video description, or you find it in the README of the repository. You go to cert-manager.io, Docs, Installation, grab the first line you are offered for a static install, copy-paste it here, hit Enter, and this may take like 30 seconds or so. Or not, it only took five. So we have cert-manager installed, and now we need to configure it so that it can communicate with Let's Encrypt. That is the first step, and for the first step we have our issuers which we need to define. I have two of them, one is a production issuer and one is the staging issuer; more on that in a second. Let's take a look at the ClusterIssuer first.

First of all, with cert-manager we installed some custom resources in our Kubernetes cluster, and now we need to create a ClusterIssuer or just a plain Issuer. It depends on whether you want to have them accessible through all your namespaces or limited to one namespace in your Kubernetes cluster. We will take the ClusterIssuer. There are two important parts. One part is the ACME part: ACME is the protocol which is used to obtain certificates, and you need to provide something there. You need to provide the server which will actually give you the certificate, where you can request it and where you make the exchanges which are important so that at the end you end up with a valid certificate. I will not go too much into detail here, because there are a million pages on the world wide web which explain the theory of how you can obtain certificates, and this is more a hands-on tutorial. But maybe I will make a short theory video about this, maybe in a week or so, so I can link it here as well. So we point to a server from Let's Encrypt, and that is the staging server. You need to put in an email address; something like example.com will not work, so put in your real email address if it is a production server, because if your certificate is about to expire you will receive an email as well. This information will be stored in a secret, and this is the name of the secret.

Then there is the important part, the solvers. What is a solver? With cert-manager, the issuer will listen to all ingresses of class nginx, because we have an NGINX controller. It makes sense that it listens to all ingresses which have the ingress class nginx. As a solver we use HTTP01; this is a challenge, a challenge which is necessary to prove that you are the owner of the domain and the owner of the server. There is also a DNS challenge, which is a little bit more complicated, and you can do almost the same with both, but you are limited with the HTTP challenge: you cannot get certificates with a wildcard. So if you want to have a valid certificate for *.example.com, for example, this can only be done if you use the DNS challenge. But this is not part of this video, maybe an extended one in the future; I will use the HTTP challenge, where you need to point exactly to example.com, or foo.example.com, or bar.example.com, something like this.

Okay, so let us insert our email here (I know it, it will be my info@ address), save it, and we will do the same for the ClusterIssuer production YAML. As you can see, there is a difference in the server URL: here there is no "staging". Why is that? You have two different endpoints for Let's Encrypt. One is staging: you will get a certificate which will also give you a warning, but it is actually issued for your domain. The other one is a production certificate, which will give you the gray lock in the top left corner, a valid certificate, no warning at all, all fine. So why don't we use the production one all the time? Because Let's Encrypt is a non-profit organization, you are limited on the production API: you obtain, I think, like five or maybe ten certificates per day, and if you mess up your configuration you can reach that limit pretty fast. You don't want to run into this limit if you are really a production user, if you have an application which is production ready, because ending up with an invalid certificate is not that good, let's put it that way. Okay, so we set both configurations up, a production one and a staging one, and we can apply them: cluster issuer staging, and we do the same for cluster issuer production.

We can also check if they are available with kubectl get clusterissuer, and both of them are True, so this worked; our configuration seems to be good. The next step is to actually grab a certificate. For this we again need to apply a resource; there are two of them in the repository, one staging and one production. If we take a look here, it does not look complicated. It is a certificate we want to obtain, and we need to specify a secret name for it. The secret will store the private key and the public key; that is how TLS, or a certificate, works for web servers: you need both of them. When a user jumps to you, or wants to connect to your server, there is an exchange of their public key and this public key, and then there is a secure connection afterwards. That is really broken down to one sentence; there is a lot of exchanging stuff at the beginning, but whatever. In this secret there is a TLS key, the public one and the private one, and we need to reference the issuer we just configured, so for the staging certificate we obviously reference our Let's Encrypt staging issuer. As you can see here, a common name is necessary, and the DNS names, so we need to fill this out, and this is just our IP address. I will copy this from here, and here, and this is a list, so if you have multiple domains or multiple subdomains you can list them all in this certificate. It is not necessary to create a certificate for each subdomain, but you need to list them here, and then you can obtain a certificate for this domain with multiple subdomains. Easy as that. So we put this here, and we need to do this again for the production one: change this here and here as well. Last but not least we need to apply them: kubectl apply -f for the staging certificate YAML and the production YAML. Let's check if this worked with kubectl get certificates.

Both are False right now, so let's wait a second; sometimes it just takes seconds, sometimes a minute. It took like a minute for the staging certificate, but the bad news is that for the production one it tells me that we exceeded the rate limit for the domain nip.io. That is exactly what I pointed out three to five minutes ago in this video: if you use domains which can be used by everyone, like nip.io, there will be rate limiting from Let's Encrypt. If you have your own domain you won't run into this issue. What I will try to do now is edit this certificate and use another provider like nip.io; another provider would be traefik.me. Let's see if we can get a valid certificate for this one. Hey, that worked. So there is no rate limit right now on the traefik.me domain, which is exactly the same as nip.io, just another ending for your domain, and we received a certificate for this one. A little hiccup, but not everything works like a charm in the DevOps world, right? So just keep that in mind, and if you use your own domain, as I said, you won't run into this issue that fast.

Now we have our certificates. As you can see here, we have the staging one which is True and the production one which is also True. What we need to do next, as a final step, because our demo application is still running on nip.io with the invalid certificate: I will go back to our ingress resource. I pointed out at the beginning that we need to make some changes here to actually make use of the certificates we just got. So I will kubectl edit our ingress with the name rancher-demo. Let's see, it is not here anymore, so we need to copy-paste this in again. Paste. Okay, we don't need this line here, and we don't need this line, and these lines are just comments. Yes, this looks good. What we do here is enable TLS for our ingress resource.

Obviously we need to fill in our IP address again, and then, because we want to have TLS, we need to define the host and the secret name. As the secret name we will use our staging certificate first; this will be the first one. I will save this, and I refresh the page of our demo application and go to the certificate. Okay, it is still the old one. I think that is a Chrome thing, because Chrome also caches certificates, so I will just open an incognito tab and use https://<ip>.nip.io. There is still a warning page, but the difference now is that the certificate is actually issued to our domain. That is the main difference: it is almost a valid one, it is at least issued to our domain, but it is still invalid for the browser, so it is not a fully trusted certificate, but at the moment you would already have an HTTPS connection. You can see this here in front: there is the https, which is important.

Now we want to use the production certificate, and to do so we need to edit our ingress again. We go in here and say: we don't want to use the secret for staging, we want to use the production one. And of course, that is the little difference now, we need to change this to traefik.me as well, because we issued the production certificate for traefik.me and not nip.io, because of the rate limit. So keep that in mind, because this video didn't work as flawlessly as it should have. Save this as well, and if we open the page again, but this time with traefik.me, we don't have a warning page. We have a gray lock, or if you use Firefox there will be a green lock, on the left side of your domain; it is HTTPS, as you can see here, nothing is red. If we click on the certificate, it is a valid one: it is issued by R3, which is a certificate authority trusted worldwide, and it is issued to our domain, with the ending traefik.me this time, not nip.io. So success, we did it.

Yeah, everything worked. Okay, we're done. If this video helped you to understand how you can obtain certificates in a k3s cluster on your own, let me know in the comments down below, and if it didn't help at all and there are some blind spots I did not cover, please let me know as well, because then I can cover them in one of the next videos. And of course, if you really liked the video, please hit the like and subscribe button down below and follow me on social media. If you have any requests regarding the topic of the next video, let me know in the comments down below as well. Have a good day.
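The four resources the video walks through (staging and production ClusterIssuer, Certificate, Ingress with TLS), written out as one added example. These are not the manifests from the video's GitLab repository; the host 203.0.113.10.traefik.me (a documentation IP), the mailbox ops@example.org, the Service name rancher-demo on port 80 and all resource names are assumptions to be replaced with your own values.

```yaml
# Added example for this tutorial, not the manifests from the video's repository.
# Assumed placeholders: the node's public IP is 203.0.113.10 (a documentation
# address), the demo Service is called rancher-demo on port 80, and the operator's
# mailbox is ops@example.org. Replace all three before applying.
---
# 1. Staging ClusterIssuer: use this while iterating. Certificates it issues are
#    signed by Let's Encrypt's untrusted staging CA, so browsers still warn, but
#    the much higher staging limits let you debug the HTTP-01 solver safely.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.org
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            class: nginx   # solver publishes /.well-known/acme-challenge/ through this ingress class
---
# 2. Production ClusterIssuer: identical except for the ACME directory URL.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.org
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            class: nginx
---
# 3. Certificate: cert-manager stores the issued key pair (tls.key / tls.crt) in
#    secretName, in the same namespace as this resource. Point issuerRef at
#    letsencrypt-staging first; switch to letsencrypt-prod only once the staging
#    certificate reports READY=True.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: rancher-demo-tls
  namespace: default
spec:
  secretName: rancher-demo-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: 203.0.113.10.traefik.me
  dnsNames:
    - 203.0.113.10.traefik.me   # further SANs (other hostnames) can be listed here
---
# 4. Ingress: the tls block makes ingress-nginx serve this host with the
#    certificate from the secret instead of its "Fake Certificate".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: rancher-demo
  namespace: default
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - 203.0.113.10.traefik.me
      secretName: rancher-demo-tls   # must match Certificate.spec.secretName, same namespace
  rules:
    - host: 203.0.113.10.traefik.me
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: rancher-demo
                port:
                  number: 80
```

Apply the file with `kubectl apply -f`, then check `kubectl get clusterissuer` and `kubectl get certificate -n default`; while READY stays False, `kubectl describe certificaterequest -n default` and `kubectl get challenge -A` show where the ACME exchange is stuck. HTTP-01 only works if Let's Encrypt can fetch `http://<host>/.well-known/acme-challenge/<token>` from the internet, so port 80 on the node must be open, not just 443. The rate limit hit in the video is the production endpoint's per-registered-domain limit (50 certificates per week), and every nip.io user shares that one registered domain, which is why a hostname under your own domain does not run into it as quickly. Newer cert-manager releases also accept `ingressClassName` in place of `class` under the http01 solver.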
Info
Channel: CloudVersity
Views: 1,682
Keywords: devops, docker, kubernetes, k8s, ci, cd, cicd, dockerize, container, application, gitlab, deployment, production, microservice, monolith, kubectl, docker-swarm, openshift mesos, cri-o, crio, master, nodes, rancher, k3s, k3d, containerd, cert-manager, ssl, tls, certificates, letsencrypt, certificate-manager, https
Id: deLW2h1RGz0
Length: 30min 41sec (1841 seconds)
Published: Fri Sep 24 2021