In this article, I will describe how to purchase a certificate from namecheap.com and add it to your Kubernetes instance. I will also show how to reference it in an Ingress object to act as the certificate for your website.
First, you will want to find a place to get your SSL certificate. The site I’m going to use for my example is https://www.namecheap.com/.
Next, you will generate a CSR (Certificate Signing Request). In the example below, I’m using the openssl tool to generate one. You will use the -keyout and -out flags to get the key and CSR that we will use later.
```
openssl req -new -newkey rsa:4096-nodes -keyout mywebsite_com.key -out mywebsite_com.csr
```
You will be prompted to enter a passphrase, which must be at least 4 characters long. You will also need to enter location details and your organization information. For this example, I did not set a challenge password.
```
# openssl req -new -newkey rsa:4096-nodes -keyout mywebsite_com.key -out mywebsite_com.csr
Generating a RSA private key
................................................++++
..........................................................++++
writing new private key to 'mywebsite_com.key'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MA
Locality Name (eg, city) :Boston
Organization Name (eg, company) [Internet Widgits Pty Ltd]:RomaCode
Organizational Unit Name (eg, section) :
Common Name (e.g. server FQDN or YOUR name) :www.mywebsite.com
Email Address :email@example.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password :
An optional company name :
```
If you check your current directory, you should see two new files for the key and CSR:
```
# ls -l
total 8.0K
-rw-r--r-- 1 mroma mroma 1.7K Nov 27 11:47 mywebsite_com.csr
-rw------- 1 mroma mroma 3.4K Nov 27 11:46 mywebsite_com.key
```
Now head back over to the SSL certificate site and purchase a certificate. In this case, I used namecheap.com and purchased the PositiveSSL option.
When prompted, paste in the contents of the CSR file that we generated above. This will get the process started.
Next, you will need to validate the domain. In this case, I used the DNS validation option and created the TXT record they requested. This validation can take up to 30 minutes to process.
Once the domain is validated, you will then be able to download your certificate. Specifically, we will be looking for the
Next, we are going to create a new Kubernetes object for the certificate. We will be creating an object of type Secret. Make sure to have your .key file available for this. Below is the command to run to create a new Kubernetes Secret in the current namespace.
```
kubectl create secret tls tls-mywebsite-com --key mywebsite_com.key --cert www_mywebsite_com.crt
```
If we query the secrets now, we should see the new one created:
```
# kubectl get secret
NAME                TYPE                DATA   AGE
tls-mywebsite-com   kubernetes.io/tls   2      28d
```
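A pre-flight check for the kubectl create secret tls step above, as an added example that is not from the original article: it confirms the key is not pass-phrase protected (the openssl run above prompts for one, and an ingress controller cannot supply a pass phrase), that the certificate was issued for that key, and that it has not expired. The function names and the script name tls_preflight.sh are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks to run before `kubectl create secret tls`.
# Function names are hypothetical; file names in the usage line follow the article.

# Succeeds if the PEM key is pass-phrase protected (PKCS#8 or legacy header).
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Prints the public key (PEM) held in a private key or a certificate.
pubkey_of() {   # $1 = key|crt   $2 = file
    case "$1" in
        key) openssl pkey -in "$2" -pubout ;;
        crt) openssl x509 -in "$2" -noout -pubkey ;;
        *)   return 64 ;;
    esac 2>/dev/null
}

# Returns 0 if key and certificate can go into a TLS Secret together,
# 2 = key encrypted, 3 = unreadable input, 1 = key/cert mismatch, 4 = expired.
check_tls_pair() {   # $1 = private key file   $2 = certificate file
    if key_is_encrypted "$1"; then
        echo "$1 is pass-phrase protected; write a decrypted copy with:" >&2
        echo "  (umask 077; openssl pkey -in $1 -out decrypted.key)" >&2
        return 2
    fi
    key_pub=$(pubkey_of key "$1") || return 3
    crt_pub=$(pubkey_of crt "$2") || return 3
    if [ "$key_pub" != "$crt_pub" ]; then
        echo "$2 was not issued for the key in $1" >&2
        return 1
    fi
    # -checkend 0 exits non-zero when the certificate is already expired.
    openssl x509 -in "$2" -noout -checkend 0 >/dev/null 2>&1 || {
        echo "$2 has expired" >&2
        return 4
    }
}

# Usage: sh tls_preflight.sh mywebsite_com.key www_mywebsite_com.crt
if [ "$#" -eq 2 ]; then
    check_tls_pair "$1" "$2" && echo "OK: key and certificate match"
fi
```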
Last, we will use this secret in an Ingress object so it can act as the certificate for your website. Below are example Ingress and Service objects that can be used. The tls section of the Ingress object is the main detail here.
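```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
  - hosts:
    - www.mywebsite.com
    # Name of the TLS Secret created with kubectl above
    secretName: tls-mywebsite-com
  rules:
  - host: www.mywebsite.com
    http:
      paths:
      - path: /
        # pathType and the nested service/port form are required by networking.k8s.io/v1
        pathType: Prefix
        backend:
          service:
            name: SERVICE_NAME   # replace with your Service name
            port:
              number: 80
---
apiVersion: v1
kind: Service
metadata:
  name: SERVICE_NAME
spec:
  type: ClusterIP
  ports:
  - port: 80
    name: http
    protocol: TCP
    targetPort: 8081
  selector:
    app: APP_NAME   # replace with your pod label
```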