Kubernetes Multi TLS certificate termination with Nginx Ingress


What is Multiple TLS certificate termination?

Let's say we want to serve multiple domains, each with its own TLS/SSL certificate. For example, you have certificate A for *.amralkar.pvt and certificate B for *.abhishekamralkar.pvt. The load balancer uses Server Name Indication (SNI) to return the certificate that matches the DNS name in the client request. If the DNS name does not match any configured certificate, it falls back to the default Kubernetes SSL certificate.

What is Kubernetes ingress?

Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. Some of the available Ingress controllers are:

  1. Nginx Ingress
  2. Ambassador
  3. Traefik

Let's Begin

Prerequisites:

  1. SSL certificates
  2. The certificates' private keys
  3. We will assume you are already running Nginx Ingress in your Kubernetes cluster to route traffic to pods.

Creating Kubernetes TLS Secrets:

With Kubernetes Secrets we can store and manage sensitive information such as passwords, TLS certificates and keys, and SSH keys. It is always better to use Kubernetes Secrets than to put this material directly into Pod definition files.

Kubernetes Secrets are, by default, stored as unencrypted base64-encoded strings. By default they can be retrieved, as plain text, by anyone with API access or by anyone with access to Kubernetes' underlying data store, etcd. Kubernetes Secrets are therefore neither the only nor the most secure way to store secrets in Kubernetes.

base64 Conversion:

  • Convert the SSL certificate file to base64:
cat yourSSL.crt | base64
  • Convert the SSL private key file to base64:
cat yourSSL.key | base64

The above commands produce base64 output. Copy the output into the Kubernetes TLS Secret file. Below is how your Kubernetes TLS Secret file should look; the output of the two commands above goes into the certificate and key fields respectively.

Create one Kubernetes Secret per SSL certificate, as many as you have.

Note: make sure your private key is not encrypted (i.e. not passphrase protected).

Once you are ready, create the secrets:

kubectl apply -f yourSSLSecret.yaml -n namespace
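The base64 step above has two practical traps: GNU base64 wraps its output at 76 columns, which is invalid inside a YAML value, and the controller cannot load a passphrase-protected key. The script below, an added example and not code from the original post, checks the key is unencrypted, base64-encodes without wrapping, and writes a kubernetes.io/tls Secret manifest ready for kubectl apply. The secret name, namespace and file names are placeholders, and the PEM contents it creates are constructed for illustration, not a real key pair.

```shell
#!/bin/sh
# Added example, not code from the original post: build a kubernetes.io/tls
# Secret manifest from a certificate and an unencrypted private key, then apply
# it. Secret name, namespace and file names are placeholders; the PEM contents
# created below are constructed for illustration and are not a real key pair.

# The ingress controller cannot prompt for a passphrase, so an encrypted key
# silently fails to load. Refuse it up front.
key_is_unencrypted() {
    if grep -q 'ENCRYPTED' "$1"; then
        return 1
    fi
    return 0
}

# GNU base64 wraps output at 76 columns, which is invalid inside a YAML scalar.
# Deleting newlines works on both GNU and BSD base64.
b64_oneline() {
    base64 < "$1" | tr -d '\n'
}

# Print a kubernetes.io/tls Secret manifest to stdout.
make_tls_secret() {
    name="$1"; namespace="$2"; crt="$3"; key="$4"
    [ -r "$crt" ] && [ -r "$key" ] || { echo "missing cert or key file" >&2; return 1; }
    key_is_unencrypted "$key" || { echo "refusing encrypted key: $key" >&2; return 1; }
    cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $name
  namespace: $namespace
type: kubernetes.io/tls
data:
  tls.crt: $(b64_oneline "$crt")
  tls.key: $(b64_oneline "$key")
EOF
}

# Constructed sample input: placeholder PEM files (not real certificates/keys).
WORK=$(mktemp -d)
cat > "$WORK/demo.crt" <<'EOF'
-----BEGIN CERTIFICATE-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-CERTIFICATE-0123456789abcdefghijklmnopqrstuvwxyz
-----END CERTIFICATE-----
EOF
cat > "$WORK/demo.key" <<'EOF'
-----BEGIN PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-PRIVATE-KEY
-----END PRIVATE KEY-----
EOF
cat > "$WORK/encrypted.key" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00000000000000000000000000000000
-----END RSA PRIVATE KEY-----
EOF

# One Secret per certificate; repeat for each domain you terminate.
make_tls_secret amralkar-tls myapp "$WORK/demo.crt" "$WORK/demo.key" > "$WORK/amralkar-tls.yaml"
# kubectl apply -f "$WORK/amralkar-tls.yaml"   # uncomment against a real cluster
```

If you prefer not to hand-build the manifest at all, kubectl can create the same Secret type directly from the files with kubectl create secret tls NAME --cert=yourSSL.crt --key=yourSSL.key -n namespace, which avoids the base64 step entirely; the script is useful when you want the YAML checked into a repository or rendered by a pipeline.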

Update Ingress:

Below is the example Ingress file.

Update the tls section and add each host with its respective secretName. These secrets must exist beforehand. The certificates must also contain the subject names api.abhishekamralkar.pvt and api.amralkar.pvt respectively.

Add the host and the related routing information in the rules section.

Once done, create the Ingress:

kubectl apply -f yourIngress.yaml -n myapp

You should now be able to reach your nginx service or your http-svc service simply by switching the hostname.

To verify, you can use the command below:

curl -k https://api.abhishekamralkar.pvt
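The Ingress update and the verification step above are easier to get right when the tls and rules sections are generated from one list of hosts, and when the check looks at which certificate the controller actually presents for each SNI name rather than using curl -k, which skips certificate validation. The script below is an added example, not the original post's Ingress file or the ingress-nginx project's own code: it renders an Ingress with one tls entry per host/secret pair and provides an openssl-based SNI check. The secret names, the ingress class name nginx, and the LB_ADDR load balancer address are placeholder assumptions; the service names http-svc and nginx are the ones the post mentions.

```shell
#!/bin/sh
# Added example, not code from the original post: render an Ingress whose tls
# section carries one entry per host/secret pair, then check which certificate
# the controller presents for each SNI name. Secret names, the ingress class
# and the load balancer address (LB_ADDR) are placeholders.

# Constructed input: one "host secret service port" tuple per line.
INGRESS_HOSTS='api.abhishekamralkar.pvt abhishekamralkar-tls http-svc 80
api.amralkar.pvt amralkar-tls nginx 80'

# Emit the Ingress manifest on stdout.
render_ingress() {
    name="$1"; namespace="$2"; hosts="$3"
    cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: $name
  namespace: $namespace
spec:
  ingressClassName: nginx
  tls:
EOF
    # One tls entry per host, so the controller selects the secret by SNI.
    printf '%s\n' "$hosts" | while read -r host secret svc port; do
        [ -n "$host" ] || continue
        printf '  - hosts:\n    - %s\n    secretName: %s\n' "$host" "$secret"
    done
    printf '  rules:\n'
    # A matching rule routes each host to its backend service.
    printf '%s\n' "$hosts" | while read -r host secret svc port; do
        [ -n "$host" ] || continue
        cat <<EOF
  - host: $host
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: $svc
            port:
              number: $port
EOF
    done
}

# Show the subject and SANs of the certificate served for a given SNI name.
# The .pvt names are not in public DNS, so connect to the load balancer address
# and send the hostname explicitly via -servername. Not executed here.
check_sni() {
    host="$1"; lb="$2"
    printf 'SNI %s -> ' "$host"
    openssl s_client -connect "$lb:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject -ext subjectAltName
}

OUT=$(mktemp)
render_ingress multi-tls myapp "$INGRESS_HOSTS" > "$OUT"
# kubectl apply -f "$OUT" -n myapp
# check_sni api.abhishekamralkar.pvt LB_ADDR
# check_sni api.amralkar.pvt LB_ADDR
# curl --resolve api.abhishekamralkar.pvt:443:LB_ADDR https://api.abhishekamralkar.pvt/
```

A wrong or missing subject name shows up in check_sni as the controller's default certificate being returned for that SNI name instead of yours. With curl, --resolve handles the private hostname without disabling validation; if the certificates are signed by a private CA, add --cacert with that CA's certificate rather than falling back to -k.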

Source Article:

https://kubernetes.github.io/ingress-nginx/examples/multi-tls/

Abhishek Amralkar

DevSecOps Practitioner | DevOps Enthusiast | Clojure | Cloud Automation | Cloud Security Enthusiast