Everyone who has ever enabled SSL on a website to get that green lock in the URL bar knows how frustrating the experience is.
Not only is it cumbersome to manage certificates and deploy them to the web server, it also costs quite a bit of money to get a certificate from a so-called CA (Certificate Authority).
CAs are "trusted" entities that issue certificates to website owners; the CA's signature on a certificate is a seal of approval stating that the certificate owner has been verified and is who they claim to be. CA certificates are installed in every major browser, so every certificate signed by a CA is trusted implicitly.
If you refused to pay for a signed certificate, browsers would punish your website by showing a distrust warning to every user who navigated to it.
Everything changed when Let's Encrypt came out: free signed certificates trusted by all major browsers, with an API to programmatically obtain new certificates when the old ones expire.
This opened Pandora's box, and in 2017 it is much easier to run a secure website with a signed certificate.
Let's explore how we can automate this when we deploy our app with Docker and Kubernetes.
This implementation would not be possible without the awesome open source project kube-lego, which implements the Let's Encrypt API in Kubernetes.
Kubernetes configuration can be tricky to get right. It is encouraged to split the declaration into multiple files, each with an encapsulated responsibility.
Kubernetes has the notion of an Ingress, an entrance into the app. In the Ingress we specify our hostname and the path to the challenge file that Let's Encrypt uses to verify domain ownership.
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: boards-io-ingress
  annotations:
    # tells kube-lego to manage the certificate for the hosts under spec.tls
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.class: "gce"
spec:
  tls:
  - hosts:
    - my-app-domain.com
    secretName: app-tls      # kube-lego stores the issued certificate here
  rules:
  - host: my-app-domain.com
    http:
      paths:
      # HTTP-01 challenge requests are routed to the kube-lego service
      - path: /.well-known/acme-challenge
        backend:
          serviceName: kube-lego-gce
          servicePort: 8080
  - host: treesie.io
    http:
      paths:
      - path: /*
        backend:
          serviceName: svc-name
          servicePort: 80
```
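As an added example that is not part of the original post or of kube-lego, here is a small Python pre-deployment check for an Ingress like the one above: it verifies the tls-acme annotation, that every TLS host routes the ACME challenge path to the kube-lego service, and that every host with routing rules is also covered by spec.tls. The manifest is the post's own Ingress embedded as a dict, and the service name kube-lego-gce is taken from it.

```python
# Added example, not from the original post: a pre-deploy lint for a kube-lego
# Ingress. The manifest is the post's own Ingress embedded as a dict (offline).
ACME_PATH = "/.well-known/acme-challenge"
KUBE_LEGO_SERVICE = "kube-lego-gce"  # backend name used in the post's Ingress

INGRESS = {
    "apiVersion": "extensions/v1beta1",
    "kind": "Ingress",
    "metadata": {
        "name": "boards-io-ingress",
        "annotations": {"kubernetes.io/tls-acme": "true",
                        "kubernetes.io/ingress.class": "gce"},
    },
    "spec": {
        "tls": [{"hosts": ["my-app-domain.com"], "secretName": "app-tls"}],
        "rules": [
            {"host": "my-app-domain.com", "http": {"paths": [
                {"path": ACME_PATH, "backend": {
                    "serviceName": KUBE_LEGO_SERVICE, "servicePort": 8080}}]}},
            {"host": "treesie.io", "http": {"paths": [
                {"path": "/*", "backend": {
                    "serviceName": "svc-name", "servicePort": 80}}]}},
        ],
    },
}

def lint_ingress(ingress):
    """Return findings that would break or weaken ACME issuance ([] = OK)."""
    findings = []
    annotations = ingress.get("metadata", {}).get("annotations", {})
    if annotations.get("kubernetes.io/tls-acme") != "true":
        # Without this annotation kube-lego never looks at the Ingress.
        findings.append("missing kubernetes.io/tls-acme=true annotation")
    spec = ingress.get("spec", {})
    tls_hosts = {h for t in spec.get("tls", []) for h in t.get("hosts", [])}
    rule_hosts, challenge_hosts = set(), set()
    for rule in spec.get("rules", []):
        host = rule.get("host")
        rule_hosts.add(host)
        for p in rule.get("http", {}).get("paths", []):
            # A TLS host needs the HTTP-01 path routed to kube-lego.
            if (p.get("path") == ACME_PATH and
                    p.get("backend", {}).get("serviceName") == KUBE_LEGO_SERVICE):
                challenge_hosts.add(host)
    for host in sorted(tls_hosts - challenge_hosts):
        findings.append(f"{host}: no {ACME_PATH} route to {KUBE_LEGO_SERVICE}")
    for host in sorted(rule_hosts - tls_hosts):
        findings.append(f"{host}: not in spec.tls, served over plain HTTP only")
    return findings
```

Run against the post's manifest it reports that treesie.io has routing rules but no entry under spec.tls, so that host stays on plain HTTP.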
Next, we'll specify the kube-lego container configuration. The container runs continuously and polls the certificate; if it has expired or has not been configured yet, it contacts Let's Encrypt and tries to obtain a certificate.
Please refer to the example in the reference app.
The rest is easy: we only have to configure our front-end service container and deploy it to GCE.
You can follow many of those examples online.
I have created a demo app that uses this strategy to enable SSL support. Use it as reference material on how to enable SSL support for your Kubernetes deployment on Google Cloud Engine with Let's Encrypt.