Generate a certificate for Traefik Ingress Controller in Kubernetes
This post follows the previous one: Install Kubernetes Cert-Manager.
Prerequisites
Before you get started, you’ll need to have these things:
- A Kubernetes cluster
- A DNS domain name
- cert-manager installed
Generate a certificate
When creating a new certificate, create it in a named namespace. cert-manager will still process it whatever namespace it lives in, because the issuerRef refers to a ClusterIssuer, which is cluster-scoped.
Create a namespaced X.509 certificate:

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kub.techlabnews-com-cert
  namespace: traefik
spec:
  secretName: kub.techlabnews-com-cert-secret
  isCA: true
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  commonName: '*.kub.techlabnews.com'
  subject:
    organizations:
      - kub.techlabnews
  dnsNames:
    - kub.techlabnews.com
    - '*.kub.techlabnews.com'
  issuerRef:
    name: kub.techlabnews-ca-issuer
    kind: ClusterIssuer
```
Replace the traefik namespace with the namespace of your choice and kub.techlabnews with your domain.

```shell
$:> kubectl apply -f https://raw.githubusercontent.com/colussim/terraform-kubic/main/Traefik/certificate.yaml
certificate.cert-manager.io/kub.techlabnews.com-cert created
$:>
```
Check that the certificate status is Issued:

```shell
$:> kubectl describe certificate kub.techlabnews-com-cert -n traefik
Name:         kub.techlabnews-com-cert
Namespace:    traefik
Labels:       <none>
Annotations:  <none>
API Version:  cert-manager.io/v1
Kind:         Certificate
Metadata:
................
$:>
```
Check that the secret MY_DOMAIN-com-cert-secret was created successfully:

```shell
$:> kubectl get secret -n traefik | grep kub.techlabnews-com-cert-secret | awk '{ print $1 }'
kub.techlabnews-com-cert-secret
$:>
$:> kubectl get secret kub.techlabnews-com-cert-secret -o yaml -n traefik
apiVersion: v1
data:
  ca.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURlRENDQW1....
kind: Secret
metadata:
  annotations:
    cert-manager.io/alt-names: kub.techlabnews.com,*.kub.techlabnews.com
    cert-manager.io/certificate-name: kub.techlabnews-com-cert
    cert-manager.io/common-name: '*.kub.techlabnews.com'
    cert-manager.io/ip-sans: ""
    cert-manager.io/issuer-group: ""
    cert-manager.io/issuer-kind: ClusterIssuer
    cert-manager.io/issuer-name: kub.techlabnews-ca-issuer
    cert-manager.io/uri-sans: ""
  creationTimestamp: "2022-05-17T22:13:47Z"
  name: kub.techlabnews-com-cert-secret
  namespace: traefik
  resourceVersion: "1096260"
  uid: 24e38926-fd35-429a-8042-519647a21506
type: kubernetes.io/tls
$:>
```
Sometimes it is necessary to use secret values from outside the Kubernetes cluster, for example to install the cert_file as a trusted certificate on a client machine (laptop or desktop), especially when using a self-signed certificate.
Set your domain and namespace, then create a local destination folder (the variables must be exported before they are used in the path):

```shell
$:> export MY_DOMAIN=<insert-domain-name-here>
$:> export MY_NAMESPACE=<insert-namespace-here>
$:> mkdir -p $HOME/${MY_NAMESPACE}/cert-secrets
$:>
```
Export the certificate secrets. **cert_file**: client certificate path used for authentication:

```shell
# base64 --decode works with both GNU and macOS base64 (the macOS-only -D flag was used originally)
$:> kubectl get secret ${MY_DOMAIN}-com-cert-secret \
    -n ${MY_NAMESPACE} \
    -o jsonpath='{.data.tls\.crt}' | base64 --decode \
    > $HOME/${MY_NAMESPACE}/cert-secrets/cert_file.crt
$:>
```
**key_file**: client key path used for authentication:

```shell
$:> kubectl get secret ${MY_DOMAIN}-com-cert-secret \
    -n ${MY_NAMESPACE} \
    -o jsonpath='{.data.tls\.key}' | base64 --decode \
    > $HOME/${MY_NAMESPACE}/cert-secrets/key_file.key
$:>
```
**ca_file**: CA certificate path used to verify the remote server's certificate:

```shell
$:> kubectl get secret ${MY_DOMAIN}-com-cert-secret \
    -n ${MY_NAMESPACE} \
    -o jsonpath='{.data.ca\.crt}' | base64 --decode \
    > $HOME/${MY_NAMESPACE}/cert-secrets/ca_file.crt
$:>
```
Check that the secrets were exported successfully:

```shell
$:> ls -la $HOME/${MY_NAMESPACE}/cert-secrets
$:>
```
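As an added example (not code from the original post), this Python script performs the same export as the three kubectl commands above, but from the Secret object itself (here a constructed sample shaped like the `kubectl get secret ... -o yaml` output): it refuses anything that is not a kubernetes.io/tls Secret, checks that the cert-manager alt-names annotation covers the hostname you intend to serve (including one-label wildcard matching), and writes the private key with owner-only permissions. The names export_tls_secret, san_covers, file_mode and export_sample are assumptions of this example.

```python
import base64
import os
import stat
import tempfile
# Constructed sample shaped like the Secret shown above; PEM bodies are placeholders, not real key material.
_PEM = {
    "ca.crt": b"-----BEGIN CERTIFICATE-----\nCA-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "tls.crt": b"-----BEGIN CERTIFICATE-----\nLEAF-PLACEHOLDER\n-----END CERTIFICATE-----\n",
    "tls.key": b"-----BEGIN RSA PRIVATE KEY-----\nKEY-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n",
}
SAMPLE_SECRET = {
    "type": "kubernetes.io/tls",
    "metadata": {"annotations": {"cert-manager.io/alt-names": "kub.techlabnews.com,*.kub.techlabnews.com"}},
    "data": {k: base64.b64encode(v).decode() for k, v in _PEM.items()},
}
# Secret data key -> (file name used above, permission bits); only the owner may read the private key.
FILES = {"tls.crt": ("cert_file.crt", 0o644), "tls.key": ("key_file.key", 0o600), "ca.crt": ("ca_file.crt", 0o644)}

def san_covers(san: str, host: str) -> bool:
    """True if a DNS SAN matches host; a wildcard matches exactly one leftmost label."""
    san, host = san.strip().lower(), host.lower()
    if san.startswith("*."):
        parent = san[2:]
        return host.count(".") == parent.count(".") + 1 and host.endswith("." + parent)
    return san == host

def export_tls_secret(secret: dict, dest_dir: str, host: str) -> dict:
    """Decode a kubernetes.io/tls Secret into files; returns {data key: path}."""
    if secret.get("type") != "kubernetes.io/tls":
        raise ValueError("not a kubernetes.io/tls secret")
    sans = secret["metadata"].get("annotations", {}).get("cert-manager.io/alt-names", "").split(",")
    if not any(san_covers(s, host) for s in sans):
        raise ValueError(f"certificate SANs {sans} do not cover {host}")
    os.makedirs(dest_dir, mode=0o700, exist_ok=True)
    written = {}
    for key, (fname, mode) in FILES.items():
        raw = base64.b64decode(secret["data"][key], validate=True)
        path = os.path.join(dest_dir, fname)
        with os.fdopen(os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode), "wb") as f:
            f.write(raw)
        os.chmod(path, mode)  # os.open applies the umask, so enforce the mode explicitly
        written[key] = path
    return written

def file_mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)  # permission bits; 0o600 expected for the key

def export_sample(host: str) -> dict:  # export SAMPLE_SECRET into a fresh temporary directory
    return export_tls_secret(SAMPLE_SECRET, tempfile.mkdtemp(), host)
```

With a real cluster you would feed `export_tls_secret` the object returned by `kubectl get secret <name> -n <namespace> -o json` instead of SAMPLE_SECRET.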
Next (coming soon)
Access our Kubernetes dashboard with the Ingress Controller
Conclusion
We generated a certificate and exported its secret values to files so that a client machine outside the Kubernetes cluster can use them. We will use this certificate to expose access to the Traefik dashboard.