Skip to content

Instantly share code, notes, and snippets.

@bprashanth

bprashanth/intermediate.md

Last active August 2, 2019 15:53
Show Gist options
  • Star 2 You must be signed in to star a gist
  • Fork 1 You must be signed in to fork a gist
  • Save bprashanth/176c76b8f713a1e88bfcff532fd1a5da to your computer and use it in GitHub Desktop.
Save bprashanth/176c76b8f713a1e88bfcff532fd1a5da to your computer and use it in GitHub Desktop.
Download ZIP
Raw
intermediate.md

Generate root/intermediate/end certs

Run https://gist.github.com/bprashanth/d79b9810dea8b07a7bb1ccf467be5b66 (some googling + fiddling of how to generate intermediates with openssl, so don't take this as an authoritative guide). That script will create 3 CSRs, one for the root, one for an intermediate, and the last one for the end user. You probably don't care about most of the fields of the CSR execpt for "Common Name", eg:

If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:rootbitrot
Email Address []:

Create your cert/key pair

$ cd ~/SSLCA/intermediate1/
$ ls
ca.conf  certindex  certindex.attr  certindex.old  certserial  certserial.old  crlnumber  enduser-certs  intermediate1.crt  intermediate1.key
$ cat ./enduser-certs/enduser-example.com.crt intermediate1.crt ../root/rootca.crt > enduser-certs/tls.crt
$ cat enduser-certs/enduser-example.com.key > enduser-certs/tls.key

Clone https://github.com/kubernetes/contrib/tree/master/ingress/controllers/gce/https_example, it's a convenience script for generating secrets in base64 so we don't introduce copy/paste non-determinism.

$ go build make_secret.go
$ ./make_secret -crt /tmp/tls.crt -key /tmp/tls.key -name tls-secret > /tmp/secret.json

Create your secret

$ kubectl create -f /tmp/secret.json

Create the Ingress:https://github.com/kubernetes/contrib/blob/master/ingress/controllers/gce/https_example/tls-app.yaml

Wait for it to get healthy:

Name:			test
Namespace:		default
Address:		107.178.243.149
Default backend:	echoheaders-https:80 (10.245.2.5:8080)
TLS:
  tls-secret terminates 
Rules:
  Host	Path	Backends
  ----	----	--------
Annotations:
  target-proxy:			k8s-tp-default-test--3167254998
  url-map:			k8s-um-default-test--3167254998
  backends:			{"k8s-be-30791--3167254998":"HEALTHY"}
  forwarding-rule:		k8s-fw-default-test--3167254998
  https-forwarding-rule:	k8s-fws-default-test--3167254998
  https-target-proxy:		k8s-tps-default-test--3167254998
  static-ip:			k8s-fw-default-test--3167254998
Events:
  FirstSeen	LastSeen	Count	From				SubobjectPath	Type		Reason	Message
  ---------	--------	-----	----				-------------	--------	------	-------
  29m		29m		1	{loadbalancer-controller }			Normal		ADD	default/test
  28m		28m		1	{loadbalancer-controller }			Normal		CREATE	ip: 107.178.243.149

Test it

Check the certs

$ openssl s_client -showcerts -connect 107.178.243.149:443
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=edgebitrot/ST=Some-State/C=AU/O=Internet Widgits Pty Ltd
   i:/CN=interbitrot/ST=Some-State/C=AU/O=Internet Widgits Pty Ltd
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
 1 s:/CN=interbitrot/ST=Some-State/C=AU/O=Internet Widgits Pty Ltd
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootbitrot
...
-----END CERTIFICATE-----
 2 s:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootbitrot
   i:/C=AU/ST=Some-State/O=Internet Widgits Pty Ltd/CN=rootbitrot

Access it:

$ curl https://107.178.243.149 -k
CLIENT VALUES:
client_address=10.245.2.1
command=GET
real path=/
query=nil
request_version=1.1
request_uri=http://107.178.243.149:8080/

SERVER VALUES:
server_version=nginx: 1.9.11 - lua: 10001

HEADERS RECEIVED:
accept=*/*
connection=Keep-Alive
host=107.178.243.149
user-agent=curl/7.35.0
via=1.1 google
x-cloud-trace-context=c2682d6c113b980261064a3b0d632661/3739301850467179936
x-forwarded-for=104.132.1.91, 107.178.243.149
x-forwarded-proto=https
BODY:

Troubleshooting

  • Make sure you've read through https://github.com/kubernetes/contrib/blob/master/ingress/controllers/gce/BETA_LIMITATIONS.md, Ingress is still in beta
  • You can figure out what's been created on your behalf by going to the GCE console: networking > loadbalancing > "To see all load balancing resources, go to advanced view"
  • You can check if your cert is valid by pasting it into the ssl-certs creation tab and checking if it validates: advanced view > certificates > create ssl certificate (paste things)
  • You can update certs via gcloud: gcloud compute target-https-proxies update TARGET_HTTPS_PROXY_NAME --ssl-certificate CERT_RESOURCE_NAME
  • The GCE L7 will accept RSA-2048 and ECDSA P-256 certificates
  • You can check logs of the ingress controller via: kubectl --namespace=kube-system get logs (l7-lb-pod-name) -c l7-lb-controller --follow
  • You can deploy an nginx ingress controller instead of GCE L7: https://github.com/kubernetes/contrib/tree/master/ingress/controllers/nginx
  • This should also work through a type=Loadbalancer service running nginx and serving up a .pem
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment