Generic Kubernetes configuration
Prerequisites
A running Kubernetes cluster with the kubectl utility installed.
Configuration
Helm
Install Helm 3 with the official installer script:
curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash
Nginx
Nginx is the HTTP reverse proxy (ingress controller) that processes all external requests. It is installed with the standard Helm chart:
kubectl create namespace ingress-basic
helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update
helm upgrade --install nginx-ingress ingress-nginx/ingress-nginx \
  --namespace ingress-basic \
  --set rbac.create=true
Get the load balancer IP address with the following command (the IP address should be the same as the server's):
kubectl --namespace ingress-basic get services -o wide -w nginx-ingress-ingress-nginx-controller
Cert Manager (Let's Encrypt)
Cert Manager is a service that automatically obtains certificates from the Let's Encrypt provider. Certificates are rotated automatically within 3 months. Private keys are not rotated; they are generated automatically on the first request. Install Cert Manager as follows:
kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
helm install \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --set installCRDs=true
Confirm that every pod is in the Running state:
kubectl get pods --namespace cert-manager
Create the cluster issuer (the Cert Manager configuration):
cat << EOF > cluster-issuer.yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    # Let's Encrypt production ACME endpoint
    server: https://acme-v02.api.letsencrypt.org/directory
    # contact address for expiry and account notices
    email: <EMAIL_ADDRESS>
    # Secret holding the ACME account key (created on first use)
    privateKeySecretRef:
      name: letsencrypt
    solvers:
    - http01:
        ingress:
          class: nginx
EOF
kubectl apply -f cluster-issuer.yaml
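An Ingress that consumes the letsencrypt ClusterIssuer above, as an added example that is not part of the original page; the application name example-app, the host app.example.com and the namespace des are assumptions:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-app            # assumed application name
  namespace: des               # assumed namespace
  annotations:
    # must match the ClusterIssuer name created above
    cert-manager.io/cluster-issuer: letsencrypt
    # redirect plain HTTP to HTTPS once the certificate exists
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx      # same class the http01 solver uses
  tls:
  - hosts:
    - app.example.com          # placeholder hostname
    secretName: example-app-tls  # Secret where tls.crt and tls.key are stored
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-app  # assumed backend Service
            port:
              number: 80
```

Cert Manager creates a Certificate for this Ingress and, once the http01 challenge succeeds, stores the key and certificate in the Secret named in secretName; that Secret is the <secret> used by the revocation commands in the next section.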
Key rotation and revocation
Certificates can be revoked with the certbot application. The TLS certificate and its private key are required to revoke a certificate. The certificate is rotated simply by deleting the secret, after which Cert Manager issues a new one. Here are the commands to regenerate and revoke a certificate:
kubectl get secret -n des <secret> -o yaml > certs.yaml
kubectl delete secret -n des <secret>
yq -r '.data["tls.key"]' < certs.yaml | base64 -d > tls.key
yq -r '.data["tls.crt"]' < certs.yaml | base64 -d > tls.crt
certbot revoke --cert-path tls.crt --key-path tls.key
Note that certs.yaml, tls.key and tls.crt contain the old private key; delete them once the revocation has completed.