Kubernetes Multi TLS certificate termination with Nginx Ingress

Photo by Viktor Forgacs on Unsplash

What is Multiple TLS certificate termination?

Lets say if we want to use multiple domains using individual TLS/SSL certificates. For example, you have certificate A for *.amralkar.pvt and certificate B for *.abhishekamralkar.pvt. Load Balancer uses Server Name Indication (SNI) to return the certificate to the client request, based on the DNS name. If the DNS name don’t match it will fall back to default K8s SSL.

What is Kubernetes ingress?

Ingress exposes HTTP and HTTPS routes from outside the cluster to services within the cluster. Traffic routing is controlled by rules defined on the Ingress resource. Some of the Ingress available are

1. Nginx Ingress
2. Ambassador
3. Traefik

Lets Begin

Prerequisites:

1. SSL Certificates
2. Certificates Private Keys
3. We will assume you are running Nginx Ingress in Kubernetes cluster to route traffic to pods.

Creating Kubernetes TLS Secrets:

With Kubernetes secrets we can store and manage sensitive information, such as passwords, tls , and ssh keys. Its always good to use Kubernetes secrets rather than putting them into Pod definition files.

Kubernetes Secrets are, by default, stored as unencrypted base64-encoded strings. By default they can be retrieved — as plain text — by anyone with API access, or anyone with access to Kubernetes’ underlying data store, etcd. Kubernetes Secrets aren’t only or the most secured way to store secrets in Kubernetes.

base64 Conversion:

• Convert the SSL certificate file to base64

cat yourSSL.crt | base64

• Convert the SSL private key file to base64

cat yourSSLKey.crt | base64

Above command will generate a base64 format output. Copy the output and update the Kubernetes tls secrets file.Below is how your Kubernetes TLS secrets file should like like. The output of above commands should be updated in the file respectively.

Depending upon the number of SSL certs you can create Kubernetes secrets.

Note:- Make sure your Private Key is not encrypted

Once you are ready create the secrets

kubectl apply -f yourSSLSecret.yaml -n namespace

Update Ingress:

Below is the example Ingress file

Update the tls section and add the host and respective secretName. This secret must exist beforehand. The cert must also contain the subj-name api.abhishekamralkar.pvt and api.amralkar.pvt.

Add the host and relative information in rules section.

Once done create the ingress.

kubectl apply -f yourIngress.yaml -n myapp

And you should be able to reach your nginx service or http-svc service using a hostname switch.

To verify the you can use below command

curl -k https://api.abhishekamralkar.pvt

Source Article:

https://kubernetes.github.io/ingress-nginx/examples/multi-tls/