I am using Google Kubernetes Engine and have the Google HTTPS Load Balancer as my ingress.
Right now the load balancer uses Let's Encrypt certificates. However, is there a simple way to ensure that the certificates are automatically renewed prior to their 90 day expiry?
You can now use "Google-managed SSL certificates" which is currently in beta: https://cloud.google.com/load-balancing/docs/ssl-certificates#managed-certs
You have not specified how you configured Let's Encrypt for your load balancer. Right now Google does not offer this for you, so I assume you mean you set the Let's Encrypt certificate yourself. In this case, Google can't renew your certificate.
Until there's an official support you can install a third-party add-on like cert-manager to automate certificate configuration and renewal. There's a GKE tutorial for doing this at https://github.com/ahmetb/gke-letsencrypt.
Related
My service (with no ingress) is running in the amazon EKS cluster and I was asked to provide a CA signed cert for a third party that consumes the API hosted in the service. I have tried provisioning my cert using certificates.k8s.io API but it is still self-signed I believe. Is there a CA that provides certification for services in the Kubernetes cluster?
Yes, Certificates created using the certificates.k8s.io API are signed by a dedicated CA. It is possible to configure your cluster to use the cluster root CA for this purpose, but you should never rely on this. Do not assume that these certificates will validate against the cluster root CA.
Refer this Certificate Signing Request Process
I have four kubernetes clusters, and I want to check the expiration time of them with kubernetes-python-client.
I am following this page: https://github.com/kubernetes-client/python
Is there anyone know how to get it?
The apiserver certificate is generally handled out of band, either by your Kubernetes installer tool (kubeadm, rancher, talos, etc) or off-cluster in a load balancer layer. As such the K8s API won't help you with this.
That said, you can get the certificate of any HTTPS server in Python using ssl.get_server_certificate() (https://docs.python.org/3/library/ssl.html#ssl.get_server_certificate) along with other functions in the ssl module to parse the cert data and then look at the Not After timestamp.
I am building an app (API) that will be running on the Google Kubernetes engine. I will add a NGINX Proxy (Cloud Endpoints) with SSL such that all external API requests will go through the Cloud Endpoints instance.
Question is, since I already have SSL enabled on the external open interface, do i need to add SSL cvertificates to the Kubernetes engine as well?
In Google Kubernetes Engine, you can use Ingresses to create HTTPS load balancers with automatically configured SSL certificates. Google-managed SSL certificates are provisioned, renewed, and managed for your domain names. Read more about Google-managed SSL certificates here.
No, “You have the option to use Google-managed SSL certificates (Beta) or to use certificates that you manage yourself.”
You added a NGINX Proxy (Cloud Endpoints) with SSL, then you do not need to add SSL certificates to the Kubernetes engine as well.
We have a simple system with a REST service (WebAPI) that will be hosted on one machine (hosted on IIS on a custom port, port numer 3031) and with a website hosted on another machine that will be talking to the service.
We want both to use SSL, so as I understand we will need to purchase two separate SSL certificates for the production deployment on the Internet.
Does that sound right?
If so, then I don't know how do I request and purchase a certificate for the WebAPI REST service... The service will be hosted on a custom port 3031, should I purchase a normal certificate for the domain name of the machine where the service will be hosted? And then should I basically install the certificate on the IIS on that machine (like it's described here: https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/working-with-ssl-in-web-api).
How will I be able to perform a verification of the domain for the purchased certificate if I'm going to use the certificate for a REST service on a custom port? (not for a regular website).
Apologies for my ignorance, I have searched the forum to find an answer to my issue, but I didn't find one, maybe it's because my very limited knowledge about certificates and security.
We're rolling out some simple static web sites onto the Swisscom CloudFoundry cloud, and want to enable SSL for the sites.
Our product manager is not happy with the scapp.io or applicationweb.io names, and we want to be able to add SSL certificates for our domain, e.g "www.swisscom.io".
How do achieve this, given the fact that we're users and not administrators and don't have access to the "Operations Manager" tool? This question is specifically about the Certificate: The setting up of the domain and DNS is clear.
SSL certificates from Let’s Encrypt are now available on the Swisscom Application Cloud: SSL Secure Routes
The cloud guys can probably help you out more here, but one option would be to use: https://www.cloudflare.com/
I was able to use the cloudflare SSL certificate to secure the traffic to and from my application without having to upload a certificate or use the "Operations Manager" tool.
Cheers,
Allan.
I'm currently using an existing VM on https://www.digitalocean.com to serve as a reverse proxy (see https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension#enabling-ssl-reverse-proxy-support, e.g.). It works, but it's not very elegant.