In this lesson,

we're going to be talking about

Implementing TLS with Ingress.
So here's just a quick overview of what we'll be discussing.
First, we're going to briefly review
the concept of Ingress in Kubernetes,
then we'll talk about the relationship
between Ingress and TLS.
We'll do a quick hands-on demonstration
of how to create an Ingress that is configured for TLS,
and then we'll provide a few exam tips.
So let's just briefly review what Ingress is all about.
An Ingress is simply a Kubernetes object
that manages access to Services from outside the cluster.
Ingresses can provide features on top of Services
such as load balancing and TLS termination.
So what is the relationship
between Ingresses and TLS?
Well, Ingresses can be used to provide TLS
on top of Services.
So we have a Service here and an external user,
and we can put an Ingress in the middle,
which would allow the user
to communicate securely using HTTPS.
So the user is going to communicate securely,
using HTTPS with Ingress,
and then the Ingress
will communicate using plain old HTTP with the Service.
And what that does,
is it prevents you from having to worry about
HTTPS or TLS termination at the Service level.
You can instead abstract that out
and worry about it at the Ingress level.
So let's do a quick hands-on demonstration
of what it looks like
to actually configure an Ingress for TLS.
So I'm logged into my Kubernetes control plane server here,
and I'm going to create a new namespace to work in.
I'm just going to call it ingresstest,
and let's go ahead and create a simple NGINX web server.
So I'm going to call this ingresstest-nginx-dep.
So we'll just create a basic Deployment
that's going to manage our web server here.
And this Deployment isn't doing a whole lot.
We just have a single replica,
and it's just going to run NGINX
and expose container port 80.
So let's go ahead and create that Deployment.
Now Ingresses function on top of Services,
so we're going to need a Service as well,
so I'll create an ingresstest NGINX Service,
and this Service is just going to expose port 80
and then map back to the target port
on our NGINX server, which is also port 80.
And of course we're using our selector here
to select the appropriate Pods.
So I'll go ahead and create the Service,
and if I do, kubectl get service
in my ingresstest
namespace there,
I can see the cluster IP of the Service.
So let's just make sure everything is working so far.
I'll just do a curl right there on the cluster IP,
and because of the way my networking plugin works,
I can actually do that curl
right here from the host and see, Welcome to Nginx.
So it looks like I am able to successfully
communicate with my Service
and with the NGINX Pod that is running underneath it.
So what we're going to do next,
is create an Ingress that is configured
to put TLS on top of that Service.
Now because of the way Ingresses work,
they need special ingress controllers
in order to actually do anything.
Now we're not going to dive
into ingress controllers right now,
so we're really not going to worry about that,
we're just going to talk about how to configure the Ingress
with the appropriate certificates
and supply the certificates
that would allow Ingress to provide TLS termination.
So in order to do TLS termination,
we do need some certificates.
So I'm just going to use OpenSSL
to go ahead and generate some.
And this command is going to generate both a certificate
and a key right here with just one command.
So I'm going to have tls-ingress.key,
that's going to be the file with my key,
and tls-ingress.cert,
that will be my certificate,
and my subject will just be, /CN for common name,
=ingress.test.
And I can see my certificate
and key files have now been generated there.
So in order to pass these certificates to an Ingress,
I need to store them inside a Kubernetes Secret.
So I'm going to create ingress-tls-secret.yml.
This is just going to be the YAML definition
for a Secret,
and it's just a basic Secret
with the type, kubernetes.io/tls,
and I've got tls.crt and tls.key.
Now here, I just have some placeholders.
So of course,
we're going to need to put the real certificate
and key data here,
but the data needs to be Base64 encoded.
So I'll go ahead and save that file,
and then I'll do base64 on tls-ingress.crt.
And there is the Base64 data for my certificate.
So I'm just going to copy all that data,
and then I'll edit ingress-tls-secret.yml again.
And I can go ahead and remove this first placeholder,
and I'll just paste in that Base64 data
for the certificate.
Now, if you're doing this in Vim, like I'm doing right now,
you might notice that the indentation
is all thrown off here on the left.
Every single one of these lines
needs to be indented correctly underneath tls.crt.
So you might want to take this into an external editor
and edit this to get the whitespace
and indentation looking right,
rather than just doing it in Vim.
I'm going to go ahead and jump to the point
where I have done that.
So I've got my Base64-encoded tls.crt
formatted correctly here within the YAML file.
Now I need to do the same thing for tls-ingress.key.
So I'll do base64 tls-ingress.key,
and this one's going to be significantly longer
because the key file is longer.
But I do need to copy this entire string
that is the result of that Base64 command,
and then I'll edit ingress-tls-secret.yml again,
and then I'll paste in my tls.key Base64 data again,
making sure that all of the whitespace and indentation
is formatted correctly.
I'll go ahead and save that file,
and then I'll create my Secret.
Now, my Secret file there does contain sensitive data.
So in a real-world scenario,
you probably want to go ahead and delete that file
once you have created the object,
but since we're just learning,
I'll keep it around in case I want to reference it later.
Now that I have my certificates set up in a Secret,
I can create the Ingress itself.
So I'm going to create this tls-ingress.yml.
And here is my Ingress.
Now, if you learned about Ingresses
perhaps for the CKA,
then this should look pretty familiar.
We have our Ingress rules here,
which basically just maps the slash prefix
to our backend Service.
So this is telling Kubernetes
which Service this Ingress maps to,
and we're going to map to port 80 on that Service.
But what we're doing specifically to handle TLS,
is we're making sure to specify a host here under a rule.
So our host is ingress.test,
and then we have this TLS section here.
So I have TLS, and then one item under there,
and I have a list of hosts,
and I've added that ingress.test host
to this list of hosts,
and then provided my certificate.
So that's how we provide a mapping
between these different hosts
and the certificates that they might use.
So I just have a Secret name,
and I have passed in the name of that Secret
that we just created.
So I'll go ahead and save that file
and create my Ingress,
and then I'll do a quick kubectl
describe on the Ingress,
and I don't have a default backend,
so don't worry about this error.
That's not a problem for us right now
because we have not created
any type of default backend for this Ingress,
but we do want to see
our actual Service backend listed here.
So I can see the name of my Service
followed by :80 here under Backends.
So the Ingress was able to successfully
pick up that backend,
and we can even see the IP address there.
So that was just a quick hands-on demonstration
of how to set up TLS certificates
and essentially pass them into an Ingress
so that that Ingress can provide a TLS configuration
for a Service.
So just some quick exam tips.
You can implement TLS termination
using an Ingress on top of a Service.
You can store TLS certificates using a Secret,
pass the Secret to the Ingress using spec.tls,
and then inside the items in that array, .secretName.
And one more tip,
you might want to bookmark the Ingress TLS documentation.
You can find that in the links for this lesson.
You might want to have that bookmarked
so you can reference that documentation
during the CKS exam,
you are allowed to do that on the exam.
And that documentation basically gives you some examples
of everything that we've talked about in this lesson.
So you can refer to that
and not necessarily have to memorize
all the details of how to set up a manifest for an Ingress
that is configured for TLS.
So that's all for this lesson,
I'll see you in the next one.