Requirement:
To secure the traffic, we need to deploy TLS certificates to our ingress running in OKE (Oracle Container Engine for Kubernetes). We are going to use self-signed certificates to demonstrate it.
Solution:
- Generate self-signed certificates via openssl
- openssl req -x509 -nodes -days 3650 -newkey rsa:2048 -keyout tls.key -out tls.crt -config req.conf -extensions 'v3_req'
req.conf:
    [req]
    distinguished_name = ingress_tls_prometheus_test
    x509_extensions = v3_req
    prompt = no

    [ingress_tls_prometheus_test]
    C = US
    ST = VA
    L = NY
    O = BAR
    OU = BAR
    CN = www.bar.com

    [v3_req]
    keyUsage = keyEncipherment, dataEncipherment
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names

    [alt_names]
    DNS.1 = prometheus.bar.com
    DNS.2 = grafana.bar.com
    DNS.3 = alertmanager.bar.com
- To verify it: openssl x509 -in tls.crt -noout -text
- Create Kubernetes TLS secret for that
- kubectl create secret tls tls-prometheus-test --key tls.key --cert tls.crt -n monitoring
- Add TLS section into the ingress yaml file. Example:
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: prometheus-ingress
      namespace: monitoring
      annotations:
        kubernetes.io/ingress.class: "nginx"
    spec:
      tls:
      - hosts:
        - prometheus.bar.com
        secretName: tls-prometheus-test
      - hosts:
        - grafana.bar.com
        secretName: tls-prometheus-test
      - hosts:
        - alertmanager.bar.com
        secretName: tls-prometheus-test
      rules:
      - host: prometheus.bar.com
        http:
          paths:
          - path: /
            backend:
              serviceName: prometheus-k8s
              servicePort: 9090
      - host: grafana.bar.com
        http:
          paths:
          - path: /
            backend:
              serviceName: grafana
              servicePort: 3000
      - host: alertmanager.bar.com
        http:
          paths:
          - path: /
            backend:
              serviceName: alertmanager-main
              servicePort: 9093
- Once the TLS section is present, the nginx ingress controller automatically redirects HTTP traffic to HTTPS for these three hosts.
- Point the DNS names at the ingress IP address with a hosts-file entry like the one below, and disable the browser's web proxy if necessary.
- 123.123.123.123 prometheus.bar.com grafana.bar.com alertmanager.bar.com
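As an added check that is not part of the original post: the script below (Python, standard library only) parses the req.conf shown above, extracts the DNS SANs that openssl will put into tls.crt, and verifies that every host in the ingress rules has a tls entry and is covered by one of those SANs. It assumes PyYAML is not installed (the ingress spec is transcribed to a dict) and also handles wildcard SANs, which the post's config does not use.

```python
import configparser

# Abridged copy of the req.conf above, constructed here so the check runs offline.
REQ_CONF = """\
[req]
distinguished_name = ingress_tls_prometheus_test
x509_extensions = v3_req
[ingress_tls_prometheus_test]
CN = www.bar.com
[v3_req]
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = prometheus.bar.com
DNS.2 = grafana.bar.com
DNS.3 = alertmanager.bar.com
"""
HOSTS = ("prometheus.bar.com", "grafana.bar.com", "alertmanager.bar.com")
# The spec: section of the ingress above, transcribed to a dict so PyYAML is not needed.
INGRESS_SPEC = {
    "tls": [{"hosts": [h], "secretName": "tls-prometheus-test"} for h in HOSTS],
    "rules": [{"host": h} for h in HOSTS],
}

def san_names(conf_text):
    """Return the DNS SANs that `openssl req -extensions v3_req` puts in the cert."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep 'DNS.1' and 'CN' exactly as written
    cp.read_string(conf_text)
    ext = cp[cp["req"]["x509_extensions"]]
    alt = ext["subjectAltName"].strip().lstrip("@")  # assumes the @section form
    return [v for k, v in cp[alt].items() if k.startswith("DNS.")]

def covered(host, sans):
    """True if a SAN matches host; '*.bar.com' covers exactly one extra label."""
    return any(san == host or (san.startswith("*.") and host.split(".", 1)[1:] == [san[2:]])
               for san in sans)

def check_ingress(spec, sans):
    """List rule hosts that will not be served a valid certificate from the secret."""
    tls_hosts = {h for entry in spec["tls"] for h in entry["hosts"]}
    problems = []
    for host in (rule["host"] for rule in spec["rules"]):
        if host not in tls_hosts:
            problems.append(f"{host}: no tls entry, the controller serves its default cert")
        elif not covered(host, sans):
            problems.append(f"{host}: not covered by certificate SANs {sans}")
    return problems
```

Note that the CN www.bar.com is not in the SAN list, and browsers ignore the CN, so this certificate is only valid for the three SAN hosts.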