Kubernetes service on HTTPS - https

Requirement: To set up a Kubernetes service that is publicly accessible on browser on HTTPS
I browsed through the internet and everywhere I saw nginx-ingress which can give https url.
I have ingress set up and it's working as expected.
But my doubt is, this ingress will only run on my local, as I make the changes in /etc/hosts file of local? How can I make https url publicly accessible? I want my load balancer service to be accessed publicly with HTTPS. I have my application running on GKE Cluster. Please guide

Related

Should I redirect Https to http in alb aws?

So I have a load balancer connected to an ec2 instance. The ec2 has a php website running on port 8000 hosted in iis 8.5. Now http health check is passing after adding binding in iis for port 8000, but https health check is failing. But since in iis, I have used URL rewrite to redirect all http into https, thus even if load balancer's https health check is failing I can still access website on https connection.
But I really want to make my health check for https pass.
So for that I figured out, I either run https application inside ec2 on a different port than 8000 and add a binding for it (dropped the idea cause client did not want) OR,
Redirect https target group to http target group.
Is this possible? If yes, how?

How can I create a HELM https service?

I open Visual Studio 2019 and create a new project (Container application for kubernetes). I tick enable https support and then when I start debugging in Visual Studio; I can browse to the https address.
I then try to go one step further. I have Kubernetes enabled in Docker Desktop on my development PC and follow these instructions (after opening all the .yaml files and changing all references of https to http and all references of port 80 to port 443):
1) cd C:\mvcsecure
2) docker build -t mvcsecure:stable -f c:\mvcsecure\mvcsecure\Dockerfile .
3) cd c:\mvcsecure\mvcsecure\charts
4) helm install mvcsecure ./mvcsecure/
5) kubectl expose deployment mvcsecure --type=NodePort --name=mvcsecure-service
6) kubectl get service
mvcsecure-service NodePort 10.96.128.133 <none> 443:31577/TCP 6s
7) I then try to browse to: https://localhost:31577 and it says:
Cannot securely connect to this page
Notice there is no option to trust a certificate or anything.
What changes must I make to the default Helm charts created by Visual Studio to get https working on my basic service? I cannot find any documentation or examples online. It would be great to see an example of a https service (mvc or api) deployed to Kubernetes using Helm. I could post the .yaml file code if needed, however there is a lot of it.
I am wanting to use kubernetes cluster root certificate as described here: How to access a kubernetes service through https?
I have checked that all TLS and SSL options are ticked in Internet Options.
In case Your application accepts HTTP traffic and You want to make it secure (HTTPS), I suggest trying TLS termination with kubernetes ingress.
Kubernetes documentation has great explanation how to configure TLS termination. With ingress object You can make Your HTTP service be accessible via HTTPS from outside of the cluster.
This means that connections made to service will be made in HTTPS and get decrypted to HTTP once internally in Your cluster before reaching the service.
Hope it helps.
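An Ingress manifest for the TLS termination described in the answer above, as an added example that is not part of the original answer or of the Visual Studio Helm chart. The host name, the Secret name, the `nginx` ingress class and the backend HTTP port 80 are assumptions; only the Service name comes from the question.

```yaml
# Added example: TLS is terminated at the ingress controller and the
# request is forwarded to the Service as plain HTTP inside the cluster.
# Assumptions (not from the original post): host name, secret name,
# ingress class "nginx", and an application listening on HTTP port 80.
#
# The certificate and private key live in a kubernetes.io/tls Secret
# in the same namespace as the Ingress, created for example with:
#   kubectl create secret tls mvcsecure-tls --cert=tls.crt --key=tls.key
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mvcsecure-ingress
  annotations:
    # ingress-nginx: answer plain HTTP requests with a redirect to HTTPS
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - mvcsecure.example.com        # must match a name in the certificate
      secretName: mvcsecure-tls
  rules:
    - host: mvcsecure.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: mvcsecure-service  # Service name from the question
                port:
                  number: 80             # HTTP between ingress and pod
```

With this layout the Service itself stays on HTTP, so the chart does not need its ports changed to 443; the browser validates the certificate presented by the ingress controller for the host name in `tls.hosts`.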

How to terminate HTTPS traffic directly on Kubernetes container

I have so far configured servers inside Kubernetes containers that used HTTP or terminated HTTPS at the ingress controller. Is it possible to terminate HTTPS (or more generally TLS) traffic from outside the cluster directly on the container, and how would the configuration look in that case?
This is for an on-premises Kubernetes cluster that was set up with kubeadm (with Flannel as CNI plugin). If the Kubernetes Service would be configured with externalIPs 1.2.3.4 (where my-service.my-domain resolves to 1.2.3.4) for service access from outside the cluster at https://my-service.my-domain, say, how could the web service running inside the container bind to address 1.2.3.4 and how could the client verify a server certificate for 1.2.3.4 when the container's IP address is (FWIK) some local IP address instead? I currently don't see how this could be accomplished.
UPDATE My current understanding is that when using an Ingress HTTPS traffic would be terminated at the ingress controller (i.e. at the "edge" of the cluster) and further communication inside the cluster towards the backing container would be unencrypted. What I want is encrypted communication all the way to the container (both outside and inside the cluster).
I guess Istio envoy proxies are what you need, with the main purpose to authenticate, authorize and encrypt service-to-service communication.
So, you need a mesh with mTLS authentication, also known as service-to-service authentication.
Visually, Service A is your Ingress service and Service B is a service for HTTP container
So, you terminate external TLS traffic on the ingress controller and it will go further inside the cluster with Istio mTLS encryption.
It's not exactly what you asked for ("terminate HTTPS traffic directly on Kubernetes container"), though it fulfills the requirement ("What I want is encrypted communication all the way to the container").
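The mesh-side setting behind the answer above, as an added example that is not part of the original answer: sidecar injection for the application namespace plus a policy that makes the sidecars refuse plaintext. The namespace name `my-app` is an assumption.

```yaml
# Added example. Assumption: the backend pods run in namespace "my-app"
# and Istio is already installed in the cluster.
apiVersion: v1
kind: Namespace
metadata:
  name: my-app
  labels:
    # Ask Istio to inject an Envoy sidecar into every pod created here.
    istio-injection: enabled
---
# Namespace-wide policy. Without it Istio runs in PERMISSIVE mode, where
# a sidecar accepts both mutual TLS and plaintext; STRICT rejects any
# connection to these workloads that is not mutual TLS.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: my-app
spec:
  mtls:
    mode: STRICT
```

The ingress workload has to be part of the mesh as well (an Istio ingress gateway or an ingress controller with a sidecar), otherwise its plaintext connections to the backend are rejected under STRICT. Encryption ends at the sidecar in the pod, and the hop from sidecar to application container stays on localhost.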

Expose Google compute engine or Kubernetes through HTTPS

I have a spring boot application that I want to deploy on google compute engine or kubernetes and I want to expose it through https instead of http.
I want to do this because I have an angular frontend that is deployed on google app engine and it needs to access the api through https instead of http.
The api is accessible through port 8080 and it works if I use http. How can I expose the api through https, can I use a load balancer with https to redirect all incoming traffic to http?
Well, I think the SSL certificate is the key for both (GCE and KE). You must set a certificate for each option.
On Kubernetes Engine you could deploy the application with a Load Balancer and install an SSL certificate on it. Then you have to modify your ingress configuration to use the SSL certificate. Of course this process is too large to explain here, but you can find the details here [1], and details about Load Balancer ingress configuration here [2].
For GCE you will need to set an SSL certificate on the instance or use a Load Balancer. Take a look at this GCP documentation that explains it [3].
[1] https://estl.tech/configuring-https-to-a-web-service-on-google-kubernetes-engine-2d71849520d
[2] https://cloud.google.com/kubernetes-engine/docs/tutorials/http-balancer#remarks
[3] https://cloud.google.com/solutions/connecting-securely#https-and-ssl

How to redirect http to https EC2 windows instance of AWS?

I have implemented SSL on my EC2 Windows instance. As AWS doesn't directly allow to configure SSL on EC2 instance, so I created a Load Balancer with HTTPS and configure my SSL certificate with it. I have selected my EC2 instance for Load Balancer.
Following are the listeners of my Load Balancer:
After this configuration, my domain starts working on http and also on https like http://example.com and https://example.com
Now, I want to redirect http request to https. My domain is on Godaddy. I have successfully changed DNS and they are working. But when I place URL rewrite code in web.config file then both of my URLs stop working. It gives HTTP error 503.
This link outlines some great options - https://blogs.msdn.microsoft.com/kaushal/2013/05/22/http-to-https-redirects-on-iis-7-x-and-higher/
