When you expose applications running within your cluster to the outside world, you're going to want to protect these with SSL certificates. Typically, these will be the certificates browsers see when accessing your Ingress resources over HTTPS, but SSL certificates are also used by other externally-facing services, for example OpenLDAP, docker-mailserver, etc.
Why do I need SSL if it's just internal?
It's true that you could expose applications via HTTP only, and not bother with SSL. By doing so, however, you "train yourself"[1] to ignore SSL certificates / browser security warnings.
One day, this behaviour will bite you in the ass.
If you want to be a person who relies on privacy and security, then insist on privacy and security everywhere.
Plus, once you've put in the effort to set up automated SSL certificates, it's literally no extra effort to use them everywhere!
I've split this section, conceptually, into 3 separate tasks:
- Set up Cert Manager, a controller whose job it is to request / renew certificates
- Set up "Issuers" for Let's Encrypt, which Cert Manager will use to request certificates
- Set up a wildcard certificate in such a way that it can be used by Ingresses like Traefik or Nginx
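As a sketch of how the second and third tasks fit together (an added example, not taken from this recipe): a Let's Encrypt staging ClusterIssuer and a wildcard Certificate that references it. The resource names, `example.com`, the email address, the namespace and the Cloudflare solver are all assumptions; a DNS-01 solver is used because Let's Encrypt only issues wildcard certificates via the DNS-01 challenge.

```yaml
# Added example: names, domain, email and DNS provider are assumptions.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging endpoint: certificates are not browser-trusted, but rate limits
    # are generous. Switch to https://acme-v02.api.letsencrypt.org/directory
    # (in a separate "production" issuer) once issuance works end to end.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com
    privateKeySecretRef:
      name: letsencrypt-staging-account-key   # ACME account key, created by cert-manager
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              # This Secret must already exist in cert-manager's own namespace.
              # Scope the API token to DNS edits on this one zone only.
              name: cloudflare-api-token
              key: api-token
        selector:
          dnsZones:
            - example.com
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: cert-manager        # assumed; the TLS Secret is created here
spec:
  secretName: wildcard-example-com-tls
  issuerRef:
    name: letsencrypt-staging
    kind: ClusterIssuer
  dnsNames:
    - "example.com"              # the wildcard does not cover the apex
    - "*.example.com"            # covers one label only, not a.b.example.com
  privateKey:
    rotationPolicy: Always       # new private key on every renewal
```

The resulting Secret lives in a single namespace, while an Ingress can only reference TLS Secrets in its own namespace, so the wildcard has to be either set as the ingress controller's default certificate or replicated to the namespaces that need it.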
Chef's notes 📓
[1] I had a really annoying but smart boss once who taught me this. Hi Mark!