Setting TLS endpoints in Kubernetes can be a Sisyphean task. What if you could make it a ‘set and forget’ kind of task instead? Well, now you can.
At Rookout, we use k8s to handle all of our services. We wanted to automate the process of adding new services that require SSL and a custom domain name. As part of our CI/CD process, we also wanted to allow developers to deploy a full env from their branch, which entailed seamlessly creating new domains. For example, a developer working on a branch named “best-feature-ever” should test it at best-feature-ever.rookout-test-domain.com.
TL;DR we documented all of our steps so feel free to jump right in: https://github.com/Rookout/k8s-auto-dns-and-tls-guide
It took me about 2 days to crack the complete process, but this time-saving post should allow you to automate your TLS endpoints in just 15 minutes of work, give or take, with the help of a few open source tools. Once you complete the process described in this guide, fully configuring a new DNS name with an SSL certificate in your Kubernetes cluster will take only a few seconds!
* Note: We assume that you're using GKE domains. If not, you might need to change a few things.
Make sure your cluster was created with --scopes https://www.googleapis.com/auth/ndev.clouddns.readwrite, so that the in-cluster DNS automation is allowed to write Cloud DNS records.
Helm is a tool that streamlines installation and management of Kubernetes applications. Think of it as apt/yum/homebrew for Kubernetes.
Helm has two parts: a client (Helm) and a server (Tiller). Tiller runs inside of your Kubernetes cluster and manages releases (installations) of your charts*. Helm runs on your laptop, CI/CD, or wherever you want it to run.
*Charts are curated application definitions for Kubernetes Helm
First, install Helm on your laptop:
Next, install Tiller on your cluster:
Verify that you’ve installed it:
And now, really check that it’s up:
To simplify matters, we’ve created another Helm chart for the infra stuff -- the things that should be created just once for each cluster, not the ones that must be deployed for every new service.
An ingress controller is a daemon, deployed as a Kubernetes Pod, that watches the apiserver's /ingresses endpoint for updates to the ingress resource. Its job is to satisfy requests for ingresses. To deploy the Nginx ingress controller through Helm, declare it as a chart dependency (just as we added it to requirement.yaml) and then build the dependencies:
helm dependency build hello-world
This step sets up both the ingress and the controller.
cert-manager is a Kubernetes add-on that automates management and issuance of TLS certificates from various issuing sources. It periodically ensures that certificates are valid and up to date, and renews certificates at the appropriate time before they expire.
Once the infra part of the system is deployed (cert manager + external dns + nginx controller), we have all the components needed to create new domains with SSL on the fly. All that’s left to do is to create the certificate and add it to the ingress.
You can add it automatically...
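As an added example (not from the guide's repository), here is what the per-service piece looks like once the infra chart is in place: a ClusterIssuer that obtains Let's Encrypt certificates through the Nginx ingress, and an Ingress whose annotations tell cert-manager to issue a certificate and external-dns to publish the hostname. It assumes the current cert-manager.io API names, a ClusterIssuer called letsencrypt-prod, a Service called hello-world on port 80, and a placeholder contact e-mail.

```yaml
# Cluster-wide issuer: created once, reused by every service.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod                 # assumed name, referenced by the Ingress below
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com               # placeholder; Let's Encrypt sends expiry warnings here
    privateKeySecretRef:
      name: letsencrypt-prod-account-key # ACME account key, stored as a Secret by cert-manager
    solvers:
    - http01:
        ingress:
          class: nginx                   # the HTTP-01 challenge is served via the Nginx controller
---
# Per-service ingress: this is all a new branch deployment has to ship.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: hello-world
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod      # cert-manager creates the TLS Secret below
    external-dns.alpha.kubernetes.io/hostname: best-feature-ever.rookout-test-domain.com
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - best-feature-ever.rookout-test-domain.com
    secretName: best-feature-ever-tls    # filled in by cert-manager; never commit a key here
  rules:
  - host: best-feature-ever.rookout-test-domain.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: hello-world            # assumed Service name
            port:
              number: 80
```

Apply it with kubectl, then `kubectl describe certificate best-feature-ever-tls` shows whether the challenge succeeded before you trust the endpoint; the TLS Secret is only populated once the issuer has validated the domain.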
Now you can deploy as many services as you want, each with its own custom DNS and SSL, without repeating this process ever again! I hope you find this useful and the steps are easy to follow. The reward is clear -- using an automated process instead of a manual one is a habit that most people are probably very quick to adopt! :)
Feel free to send me comments or let me know if I missed something — I’d love to hear your feedback.