Solve this question on: ssh cks7262
In Namespace team-pink there is an existing Nginx Ingress resource named secure which accepts two paths, /app and /api, which point to different ClusterIP Services.
From your main terminal you can connect to it using for example:
HTTP: curl -v http://secure-ingress.test:31080/app
HTTPS: curl -kv https://secure-ingress.test:31443/app
Right now it uses a default TLS certificate generated by the Nginx Ingress Controller.
You're asked to instead use the key and certificate provided at /opt/course/15/tls.key and /opt/course/15/tls.crt. As it's a self-signed certificate you need to use curl -k when connecting to it.
First, let's check the current Ingress configuration and verify the endpoints:
➜ ssh cks7262
➜ candidate@cks7262:~# k -n team-pink get ing secure
NAME CLASS HOSTS ADDRESS PORTS AGE
secure secure-ingress.test 192.168.100.12 80 7m11s
➜ candidate@cks7262:~# ping secure-ingress.test
PING cks7262-node1 (192.168.100.12) 56(84) bytes of data.
64 bytes from cks7262-node1 (192.168.100.12): icmp_seq=1 ttl=64 time=0.316 ms
Let's test the HTTP endpoints:
➜ candidate@cks7262:~# curl http://secure-ingress.test:31080/app
This is the backend APP!
➜ candidate@cks7262:~# curl http://secure-ingress.test:31080/api
This is the API Server!
Now let's check the current HTTPS setup:
➜ candidate@cks7262:~# curl -kv https://secure-ingress.test:31443/api
...
* Server certificate:
* subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
* start date: Sep 8 10:55:34 2024 GMT
* expire date: Sep 8 10:55:34 2025 GMT
* issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
* SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
...
Create a Secret using the provided key and certificate:
➜ candidate@cks7262:~# cd /opt/course/15
➜ candidate@cks7262:/opt/course/15$ ls
tls.crt tls.key
➜ candidate@cks7262:/opt/course/15$ k -n team-pink create secret tls tls-secret --key tls.key --cert tls.crt
secret/tls-secret created
Back up the current Ingress configuration and update it to use the new TLS Secret:
➜ candidate@cks7262:~# k -n team-pink get ing secure -oyaml > 15_ing_bak.yaml
➜ candidate@cks7262:~# k -n team-pink edit ing secure
Add the following TLS configuration to the Ingress spec:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    ...
  generation: 1
  name: secure
  namespace: team-pink
spec:
  tls:                            # add
  - hosts:                        # add
    - secure-ingress.test         # add
    secretName: tls-secret        # add
  rules:
  - host: secure-ingress.test
    http:
      paths:
      - backend:
          service:
            name: secure-app
            port:
              number: 80
        path: /app
        pathType: ImplementationSpecific
      - backend:
          service:
            name: secure-api
            port:
              number: 80
        path: /api
        pathType: ImplementationSpecific
Check the updated Ingress configuration:
➜ candidate@cks7262:~# k -n team-pink get ing
NAME CLASS HOSTS ADDRESS PORTS AGE
secure secure-ingress.test 192.168.100.12 80, 443 25m
Test the HTTPS endpoint with the new certificate:
➜ candidate@cks7262:~# curl -k https://secure-ingress.test:31443/api
This is the API Server!
➜ candidate@cks7262:~# curl -kv https://secure-ingress.test:31443/api
...
* Server certificate:
* subject: CN=secure-ingress.test; O=secure-ingress.test
* start date: Sep 25 18:22:10 2020 GMT
* expire date: Sep 20 18:22:10 2040 GMT
* issuer: CN=secure-ingress.test; O=secure-ingress.test
* SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
...
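The steps above can also be checked at the manifest level. The following is an added example, not part of the original solution: it audits the JSON form of an Ingress (as printed by `kubectl get ing -o json`) for rule hosts without a `spec.tls` entry and for TLS entries whose Secret is missing or malformed. The sample data is constructed, the host `other.test` is hypothetical, and the one-label wildcard matching is an assumption of this example.

```python
import json

# Constructed sample: trimmed output of `kubectl -n team-pink get ing secure -o json`
# after the edit, plus a second, hypothetical host that has no TLS entry.
INGRESS_JSON = """
{"metadata": {"name": "secure", "namespace": "team-pink"},
 "spec": {
   "tls": [{"hosts": ["secure-ingress.test"], "secretName": "tls-secret"}],
   "rules": [{"host": "secure-ingress.test"}, {"host": "other.test"}]}}
"""
# Constructed sample: Secrets in the namespace, reduced to type and data keys.
SECRETS = {"tls-secret": {"type": "kubernetes.io/tls",
                          "data": {"tls.crt": "<base64>", "tls.key": "<base64>"}}}


def covers(tls_host, rule_host):
    """Exact match, or a '*.' TLS host covering exactly one extra label (assumption)."""
    if tls_host == rule_host:
        return True
    if tls_host.startswith("*."):
        first, _, rest = rule_host.partition(".")
        return bool(first) and rest == tls_host[2:]
    return False


def audit_ingress_tls(ingress, secrets):
    """Return a list of findings; an empty list means every host is covered."""
    findings = []
    tls_entries = ingress.get("spec", {}).get("tls") or []
    for entry in tls_entries:
        name = entry.get("secretName")
        secret = secrets.get(name)
        if not name:
            findings.append("tls entry without secretName")
        elif secret is None:
            findings.append(f"secret {name!r} not found in namespace")
        elif secret.get("type") != "kubernetes.io/tls":
            findings.append(f"secret {name!r} is not of type kubernetes.io/tls")
        elif not {"tls.crt", "tls.key"} <= set(secret.get("data", {})):
            findings.append(f"secret {name!r} lacks tls.crt or tls.key")
    for rule in ingress.get("spec", {}).get("rules") or []:
        host = rule.get("host", "")
        if not any(covers(h, host) for e in tls_entries for h in e.get("hosts") or []):
            findings.append(f"host {host!r} has no tls entry")
    return findings


if __name__ == "__main__":
    for finding in audit_ingress_tls(json.loads(INGRESS_JSON), SECRETS):
        print("FINDING:", finding)
```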