I've been following the following tutorial for my AKS setup: https://github.com/Azure/phippyandfriends. But now I'm struggling to get HTTPS working.
I've generated a cert and key via the following shell script, run in cmd:
bash generate-wildcard-certificate.sh mydomain.somenumbers.westeurope.aksapp.io
That generates 2 files:
mydomain.somenumbers.westeurope.aksapp.io.crt
mydomain.somenumbers.westeurope.aksapp.io.key
Then I created a secret with following command:
kubectl create secret tls ingress-crypto-auth --key mydomain.somenumbers.westeurope.aksapp.io.key --cert mydomain.somenumbers.westeurope.aksapp.io.crt
Added the secret to my ingress.yaml file:
{{ if .Values.ingress.enabled }}
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: {{ template "fullname" . }}
  labels:
    app: {{ template "fullname" . }}
    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
    release: "{{ .Release.Name }}"
    heritage: "{{ .Release.Service }}"
  annotations:
    kubernetes.io/ingress.class: addon-http-application-routing
spec:
  tls:
  - hosts:
    - {{ .Values.ingress.basedomain }}
    secretName: ingress-crypto-auth
  rules:
  - host: {{ .Release.Name }}.{{ .Values.ingress.basedomain }}
    http:
      paths:
      - path: /
        backend:
          serviceName: {{ template "fullname" . }}
          servicePort: {{ .Values.service.externalPort }}
{{ end }}
And it seems that my certificate is loaded, but I get the following error:
This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.
Did I do anything wrong? And even more important, how do I get it to work? I don't care how, it's for a temporary project.
It happens because you are using a self-signed certificate.
A self-signed certificate is a certificate that is not signed by a certificate authority (CA). These certificates are easy to make and do not cost money. However, they do not provide all of the security properties that certificates signed by a CA aim to provide. For instance, when a website owner uses a self-signed certificate to provide HTTPS services, people who visit that website will see a warning in their browser.
To solve this issue you could buy a valid certificate from a trusted CA, or use Let's Encrypt to generate it.
cert-manager builds on top of Kubernetes, introducing certificate authorities and certificates as first-class resource types in the Kubernetes API. This makes it possible to provide 'certificates as a service' to developers working within your Kubernetes cluster.
Let's Encrypt is a non-profit certificate authority run by the Internet Security Research Group that provides X.509 certificates for Transport Layer Security encryption at no charge. The certificate is valid for 90 days, during which renewal can take place at any time. I'm supposing you already have NGINX ingress installed and working.
Pre-requisites:
- NGINX Ingress installed and working
- HELM 3.0 installed and working
cert-manager install
Note: When running on GKE (Google Kubernetes Engine), you may encounter a 'permission denied' error when creating some of these resources. This is a nuance of the way GKE handles RBAC and IAM permissions, and as such you should 'elevate' your own privileges to that of a 'cluster-admin' before running the command below. If you have already run the command, you should run it again after elevating your permissions.
Follow the official docs to install, or just use HELM 3.0 with the following commands:
$ kubectl create namespace cert-manager
$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update
$ kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.14.1/cert-manager-legacy.crds.yaml
Create a ClusterIssuer for Let's Encrypt: save the content below in a new file called letsencrypt-production.yaml.
Note: Replace <EMAIL-ADDRESS> with your valid email.
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  labels:
    name: letsencrypt-prod
  name: letsencrypt-prod
spec:
  acme:
    email: <EMAIL-ADDRESS>
    http01: {}
    privateKeySecretRef:
      name: letsencrypt-prod
    server: 'https://acme-v02.api.letsencrypt.org/directory'
Apply the configuration with:
kubectl apply -f letsencrypt-production.yaml
Install cert-manager with Let's Encrypt as a default CA:
helm install cert-manager \
--namespace cert-manager --version v0.8.1 jetstack/cert-manager \
--set ingressShim.defaultIssuerName=letsencrypt-prod \
--set ingressShim.defaultIssuerKind=ClusterIssuer
Verify the installation:
$ kubectl get pods --namespace cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-5c6866597-zw7kh 1/1 Running 0 2m
cert-manager-cainjector-577f6d9fd7-tr77l 1/1 Running 0 2m
cert-manager-webhook-787858fcdb-nlzsq 1/1 Running 0 2m
Apply this annotation in your ingress spec:
cert-manager.io/cluster-issuer: "letsencrypt-prod"
After applying, cert-manager will generate the TLS certificate for the domain configured in Host:
{{ if .Values.ingress.enabled }}
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: {{ template "fullname" . }}
  labels:
    app: {{ template "fullname" . }}
    chart: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}"
    release: "{{ .Release.Name }}"
    heritage: "{{ .Release.Service }}"
  annotations:
    kubernetes.io/ingress.class: addon-http-application-routing
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
spec:
  tls:
  - hosts:
    - {{ .Values.ingress.basedomain }}
    secretName: ingress-crypto-auth
  rules:
  - host: {{ .Release.Name }}.{{ .Values.ingress.basedomain }}
    http:
      paths:
      - path: /
        backend:
          serviceName: {{ template "fullname" . }}
          servicePort: {{ .Values.service.externalPort }}
{{ end }}
Please let me know if that helped.
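As an added check (not part of the question or the answer above), a small Python script that catches the two setup mistakes this thread turns on: a kubernetes.io/tls Secret whose tls.key was built from the .crt file instead of the .key file, and an Ingress whose spec.tls hosts do not cover the rule host or which lacks the cert-manager annotation. The sample Secret and rendered Ingress are constructed here with a hypothetical domain; in practice you would feed it `kubectl get secret/ingress -o json`.

```python
import base64

# Constructed sample Secret, mirroring the mistake in the question: the .crt
# file was passed to --key, so tls.key carries a certificate PEM, not a key.
_FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
SAMPLE_SECRET = {"type": "kubernetes.io/tls", "data": {
    "tls.crt": base64.b64encode(_FAKE_CERT).decode(),
    "tls.key": base64.b64encode(_FAKE_CERT).decode()}}

# Constructed rendered Ingress in the shape of the chart template (hypothetical domain):
# tls.hosts lists the base domain, rules.host the release subdomain, no cert-manager annotation.
SAMPLE_INGRESS = {
    "metadata": {"annotations": {"kubernetes.io/ingress.class": "addon-http-application-routing"}},
    "spec": {
        "tls": [{"hosts": ["example.westeurope.aksapp.io"], "secretName": "ingress-crypto-auth"}],
        "rules": [{"host": "app.example.westeurope.aksapp.io"}],
    },
}

def pem_type(b64_data):
    """Return the label of the first PEM block ('CERTIFICATE', 'RSA PRIVATE KEY', ...) or None."""
    for line in base64.b64decode(b64_data).decode("ascii", "replace").splitlines():
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            return line[len("-----BEGIN "):-len("-----")]
    return None

def check_tls_secret(secret):
    """Flag a kubernetes.io/tls Secret whose tls.crt / tls.key hold the wrong PEM kind."""
    problems, data = [], secret.get("data", {})
    if pem_type(data.get("tls.crt", "")) != "CERTIFICATE":
        problems.append("tls.crt is not a CERTIFICATE PEM")
    if not (pem_type(data.get("tls.key", "")) or "").endswith("PRIVATE KEY"):
        problems.append("tls.key is not a PRIVATE KEY PEM (was the .crt passed to --key?)")
    return problems

def host_covered(host, tls_hosts):
    """Exact match, or a single-label wildcard like *.example.com (X.509 semantics)."""
    parent = host.split(".", 1)[1] if "." in host else ""
    return any(h == host or (h.startswith("*.") and h[2:] == parent) for h in tls_hosts)

def check_ingress(ingress):
    """Every rule host must be covered by spec.tls, and cert-manager must be asked to issue."""
    problems, spec = [], ingress.get("spec", {})
    tls_hosts = [h for entry in spec.get("tls", []) for h in entry.get("hosts", [])]
    for rule in spec.get("rules", []):
        if not host_covered(rule.get("host", ""), tls_hosts):
            problems.append(f"rule host {rule.get('host')} is not in spec.tls hosts {tls_hosts}")
    if "cert-manager.io/cluster-issuer" not in ingress.get("metadata", {}).get("annotations", {}):
        problems.append("missing cert-manager.io/cluster-issuer annotation")
    return problems
```

With the constructed input, check_tls_secret reports the swapped key file and check_ingress reports both the uncovered release host and the missing annotation; cert-manager only issues for the names in spec.tls, so the hosts entry must list the actual rule host or a matching wildcard.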