Configuring Certificate for Path-based Ingress
This section describes how to configure TLS and CA certificates for path-based ingress.
Configuring TLS Certificate
Use the following procedure from the cluster deployer to configure the certificates for path-based ingress.
- Create a secret.
Use the following sample configuration to populate a certificate and its corresponding private key. The certificate and private key are stored as a Kubernetes TLS secret (type kubernetes.io/tls) on the cluster in the specified namespace.
clusters cluster_name
secrets tls namespace secret_name
private-key private_key_content
certificate certificate_content
exit
exit
Example:
clusters sample-cluster
secrets tls cee-global sample-secret
private-key "$8$9n3U7OLEclVQoDpp/4VqkSLkeSmFbjx/Mt6eEGN4EWoKPY1r9nqSWSZ40advmhDFsPFQZWfM\nhq/wpRzHXBZGp/dNtNO+wpaQuxsT3CmkmRKFIHviUn4bEwBKfTCCsw7a5+66q3rm5vX4/nSw\nNy4DrgTu4iFDzVYVKAYzoxWGzCqhKIaSqELjsW7gchEowC\n"
certificate "-----BEGIN CERTIFICATE-----\nMIID0zCCArugAwIBAgIUPHTzpMTVUNVDQzJ/FM9tfCsAG2AwDQYJKoZIhvcNAQEL\nBQAwaDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQsw\n-----END CERTIFICATE-----\n"
exit
exit
exit
- Configure the path-based ingress secret.
Use the following sample configuration to add the secret name for path-based ingresses.
clusters <cluster_name>
ops-centers <opscenter_name> <instance_name>
initial-boot-parameters path-based-ingress true
initial-boot-parameters path-based-ingress-secret <secret_name>
exit
exit
exit
Note: You must set path-based-ingress to true before the path-based-ingress-secret option becomes available.
Example:
clusters sample-cluster
ops-centers cee global
initial-boot-parameters path-based-ingress true
initial-boot-parameters path-based-ingress-secret sample-secret
exit
exit
exit
- Run cluster sync to create the secret on the cluster and configure the ingress to use it. Nothing is applied to the cluster until the sync runs.
Verifying the Certificate for Path-based Ingress Configuration
This section describes how to verify the certificate configured for path-based ingress. First confirm that the Ingress object references the secret (spec.tls[].secretName) for the expected host and path, then connect to the ingress and inspect the certificate it presents. The curl example below uses -k, which disables certificate verification: curl still prints the subject, issuer and validity dates so you can compare them with the certificate you configured, but the line "self signed certificate (18), continuing anyway" means the handshake was not validated. With a CA-signed certificate, repeat the check without -k (or with --cacert pointing at the CA) so that the chain is actually verified.
kubectl get ing -n <namespace> <ingress-name> -o yaml
cloud-user@sample-aio-controlplane:~$ kubectl get ing -n cee-global cli-ingress-cee-global-ops-center -o yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
...
spec:
rules:
- host: 10.x.x.x
http:
paths:
- backend:
service:
name: ops-center-cee-global-ops-center
port:
number: 7681
path: /cee-global/cli
pathType: ImplementationSpecific
tls:
- hosts:
- 10.x.x.x.
secretName: sample-secret
cloud-user@sample-aio-controlplane:~$ curl -k -v https://10.x.x.x.nip.io/cee-global/cli
* Trying 10.x.x.x...
* TCP_NODELAY set
* Connected to 10.x.x.x.nip.io (10.x.x.x) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS Unknown, Certificate Status (22):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Client hello (1):
* TLSv1.3 (OUT), TLS Unknown, Certificate Status (22):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=CA; L=SF; O=sample-signed.cisco.com; CN=10.x.x.x
* start date: Jul 12 04:19:56 2022 GMT
* expire date: Jul 11 04:19:56 2024 GMT
* issuer: C=US; ST=CA; L=SF; O=sample-signed.cisco.com; CN=10.x.x.x
* SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
* Using Stream ID: 1 (easy handle 0x56498909f550)
* TLSv1.3 (OUT), TLS Unknown, Unknown (23):
> GET /cee-global/cli HTTP/2
> Host: 10.x.x.x
> User-Agent: curl/7.58.0
> Accept: */*
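The procedure above takes a certificate and key as opaque strings, and the verification relies on reading curl output by eye. The following script is an added example, not part of the CEE/SMI documentation or the product's own tooling: it checks a certificate/key pair before it is pasted into the cluster-manager "secrets tls" configuration (expiry, key/certificate match, host coverage), converts a PEM file into the single-line "\n"-escaped string form used in the example, and, after cluster sync, compares the certificate the ingress serves with the tls.crt stored in the secret. It assumes openssl and kubectl are in PATH; the file names, host names and SAN values are illustrative, and the self-signed pair it generates is constructed test input.

```sh
#!/bin/sh
# Added example (not from the CEE/SMI documentation). Assumes openssl and kubectl
# are in PATH. File names, hosts and SAN values are illustrative placeholders.

# Return 0 when the certificate in $1 is still unexpired $2 seconds from now
# (pass 0 for "not expired right now"). Does not check notBefore.
cert_valid_for_seconds() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Return 0 when the private key in $2 belongs to the certificate in $1: both are
# reduced to their SubjectPublicKeyInfo PEM and compared byte for byte.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 when $2 (the ingress host from spec.rules[].host) appears as a DNS or
# IP SAN, or as the subject CN, of the certificate in $1. The -text output is
# split on commas so each SAN entry and each subject attribute becomes one line.
cert_covers_host() {
  openssl x509 -in "$1" -noout -text 2>/dev/null \
    | tr ',' '\n' | sed 's/^[[:space:]]*//' \
    | grep -qxF -e "DNS:$2" -e "IP Address:$2" -e "CN = $2" -e "CN=$2"
}

# Print the PEM file $1 as one double-quoted line with literal "\n" separators,
# the form the private-key and certificate arguments take in the CLI example.
pem_to_cli_string() {
  printf '"'
  sed 's/$/\\n/' "$1" | tr -d '\n'
  printf '"\n'
}

# Run the three offline checks. $1 certificate file, $2 key file, $3 ingress host.
preflight() {
  cert_valid_for_seconds "$1" 0 || { echo "certificate has expired" >&2; return 1; }
  key_matches_cert "$1" "$2" || { echo "private key does not match certificate" >&2; return 1; }
  cert_covers_host "$1" "$3" || { echo "certificate does not cover host $3" >&2; return 1; }
}

# After cluster sync: compare the SHA-256 fingerprint served on $1:443 with the
# tls.crt stored in secret $3 of namespace $2. Needs cluster and network access,
# so this function is not exercised offline.
served_matches_secret() {
  served=$(openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256) || return 1
  stored=$(kubectl get secret -n "$2" "$3" -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -fingerprint -sha256) || return 1
  [ -n "$served" ] && [ "$served" = "$stored" ]
}

# Constructed test input: a throwaway self-signed pair shaped like the one in the
# curl output above. $1 key file, $2 cert file, $3 CN, $4 SAN entry, $5 days.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1" -out "$2" -days "$5" \
    -subj "/C=US/ST=CA/L=SF/O=sample-signed.cisco.com/CN=$3" \
    -addext "subjectAltName=$4" >/dev/null 2>&1
}
```

Typical use: `preflight cert.pem key.pem 10.x.x.x` before pasting `pem_to_cli_string key.pem` and `pem_to_cli_string cert.pem` into the configuration, then `served_matches_secret 10.x.x.x.nip.io cee-global sample-secret` after the sync. The host check matters because the sample certificate's CN is the bare address while curl connects to the nip.io name; a certificate that only carries the address as CN will fail strict verification against the nip.io host once -k is dropped.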
Configuring CA Certificate
To configure the CA certificate, use the following configuration in the Ops Center:
secrets ca-cert secret_name
certificate certificate_content
exit
To configure the CA certificate, use the following configuration in the cluster manager:
clusters cluster_name
secrets ca-cert namespace secret_name
private-key private_key_content
certificate certificate_content
exit
exit
NOTES:
- If you enter invalid certificate content or an expired certificate, the CLI rejects it and prompts you to correct the configuration.
- The CA certificate is stored as a generic (Opaque) Kubernetes secret, not as a kubernetes.io/tls secret like the path-based ingress certificate.
- The secrets are monitored and auto-healed: if a user deletes the secret data by mistake, it is recreated from the configuration.