October 24, 2018

An SSL Frontend For The SA Project

To provide connection security we need:

  • Tiller and Helm working
  • An ingress controller
  • Cert-Manager installed
  • A configuration for cert-manager to work with the ingress controller and the domain.

As a side effect, the ingress controller reduces and unifies the ports used by the application.

Install Helm And Tiller

Since my cluster is RBAC enabled, Tiller needs a service account with permissions of its own.

Following "Helm Tiller And RBAC", create a role and role binding that allow Tiller to manage objects in namespace sa.

Create the service account:

kubectl create serviceaccount tiller --namespace kube-system

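Bind the service account to the existing cluster-admin role. Note that this is a ClusterRoleBinding, so Tiller gets full control of the whole cluster, not only of namespace sa.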

rolebinding-tiller.yaml

 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
   name: tiller-clusterrolebinding
 subjects:
 - kind: ServiceAccount
   name: tiller
   namespace: kube-system
 roleRef:
   kind: ClusterRole
   name: cluster-admin
   apiGroup: ""
 
kubectl create -f rolebinding-tiller.yaml

Then upgrade Helm so that Tiller runs under the new service account:

helm init --service-account tiller --upgrade

Test

helm ls

Then check the status of a release (helm status needs a release name):

helm status <release-name>
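
The binding above gives Tiller cluster-admin. As an added example (not from the original post), these manifests confine Tiller to namespace sa instead, as a namespaced role and role binding would. The names tiller-manager and tiller-binding, and running Tiller inside namespace sa, are assumptions.

```yaml
# Added example: Tiller restricted to namespace "sa" rather than cluster-admin.
# Assumption: namespace "sa" already exists and Tiller will be deployed into it.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: sa
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-manager          # hypothetical name
  namespace: sa
rules:
# Tiller keeps release state in ConfigMaps and creates the chart's objects,
# so it needs broad verbs, but a Role limits them to this one namespace.
- apiGroups: ["", "batch", "extensions", "apps"]
  resources: ["*"]
  verbs: ["*"]
---
kind: RoleBinding               # namespaced, unlike ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller-binding          # hypothetical name
  namespace: sa
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: sa
roleRef:
  kind: Role
  name: tiller-manager
  apiGroup: rbac.authorization.k8s.io
```

With these applied, initialise with helm init --service-account tiller --tiller-namespace sa and pass --tiller-namespace sa to later helm commands. A Tiller scoped this way cannot install charts that create cluster-scoped objects, which the cert-manager chart does (ClusterRoles and CRDs), so that install still needs a more privileged Tiller.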

Ingress Controller

On minikube, list the addons and, if required, enable the ingress controller:

minikube addons list
minikube addons enable ingress

There should be a controller running. Check with:

kubectl get po --all-namespaces

The output should include a line like:

....
kube-system nginx-ingress-controller-89797c44c-mvztl  1/1 Running 0 3m
....

Create an Ingress resource for the controller to serve. In my case the following routing is required:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: sa-ingress
spec:
  rules:
  # Default
  - host: sa.softwarebynumbers.com
    http:
      paths:
      - path: /
        backend:
          serviceName: sa-client-server
          servicePort: 80
  # The data store api
  - host: store.sa.softwarebynumbers.com
    http:
      paths:
      - path: /
        backend:
          serviceName: sa-service
          servicePort: 3000
  # The store explorer client
  - host: explorer.sa.softwarebynumbers.com
    http:
      paths:
      - path: /
        backend:
          serviceName: sa-explorer-client-server
          servicePort: 80
  # The sa client
  - host: client.sa.softwarebynumbers.com
    http:
      paths:
      - path: /
        backend:
          serviceName: sa-client-server
          servicePort: 80

CertManager

See https://cert-manager.readthedocs.io/en/latest/getting-started/2-installing.html

Install Cert Manager

helm install \
--name cert-manager \
--namespace kube-system \
stable/cert-manager

To override chart values, optionally append -f cert-manager-values.yaml to the command.

Remove If Required

helm del --purge cert-manager

Configuration

Ingress Controller

Staging

Tags: ssl kubernetes