Internal CA and NodePort Example

This section provides an example of how to configure an application to use NodePort to expose its self-managed TLS-based service and to use an Internal CA for signing CERTIFICATEs.

Note that alternatively an External CA could be used with a NodePort-based solution as well.

Prerequisites

This example requires that:

  • Ensure that your StarlingX administrator has enabled use of the cert-manager apiGroups in your RBAC policies.

Procedure

  1. Create an internal RootCA ISSUER in the default namespace by applying the following manifest file.

    # Create a cluster-wide ISSUER for create self-signed certificates
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
    name: system-selfsigning-issuer
spec:
    selfSigned: {}


# Create a Certificate (and key) for my RootCA
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
    name: abccompany-starlingx-rootca-certificate
spec:
    secretName: abccompany-starlingx-rootca-certificate
    duration: 8640h
    commonName: "abccompany-starlingx-rootca"
    isCA: true
    issuerRef:
        name: system-selfsigning-issuer
        kind: ClusterIssuer


# Create the RootCA ISSUER
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
    name: abccompany-starlingx-rootca-issuer
spec:
    ca:
        secretName: abccompany-starlingx-rootca-certificate

  2. Share the public certificate of your internal RootCA to clients such that they can trust certificates signed by this RootCA.

    CERT64=`kubectl get secret abccompany-starlingx-rootca-certificate -n default -o yaml | fgrep tls.crt | fgrep -v "f:tls.crt" | awk '{print $2}'`
echo $CERT64 | base64 --decode > abccompany-starlingx-rootca-certificate.pem

  3. Create a deployment of an example demo application that uses NodePort to expose its service and therefore manages its TLS connection on its own, using a certificate it creates on its own.

    Apply the following manifest.

    Where 10.10.10.45 is the OAM Floating IP of the StarlingX and abccompany-starlingx.mycompany.com is the FQDN for this address.

    (You should substitute with the IP Address and FQDN for the StarlingX installation.)

    apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: abccompany-starlingx.mycompany.com-certificate
spec:
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  secretName: abccompany-starlingx.mycompany.com-certificate
  issuerRef:
    name: abccompany-starlingx-rootca-issuer
    kind: Issuer
  commonName: abccompany-starlingx.mycompany.com
  dnsNames:
  - abccompany-starlingx.mycompany.com
  ipAddresses:
  - 10.10.10.45
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-app
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-app
  template:
    metadata:
      labels:
        app: example-app
    spec:
      containers:
      - name: example-app
        image: example-app         # not a real app, could substitute ‘busybox’ here to look at mounted cert files inside container
        imagePullPolicy: Always
        ports:
        - containerPort: 8443
          protocol: TCP
        volumeMounts:
        - name: mycert
          mountPath: "/etc/mycert"  # the files tls.crt, tls.key and ca.crt will be under /etc/mycert/ in container
          readOnly: true
      volumes:
      - name: mycert
        secret:
          secretName: abccompany-starlingx.mycompany.com-certificate
---
apiVersion: v1
kind: Service
metadata:
  name: example-app
  labels:
    app: example-app
spec:
  type: NodePort
  ports:
    - port: 443
      protocol: TCP
      targetPort: 8443
      nodePort: 31118
  selector:
    app: example-app

  4. If example-app existed, you would access it from your browser with https://abccompany-starlingx.mycompany.com:31118.

    If you are using busybox to look at mounted cert files, attach to container (e.g. kubectl exec busybox-... -it -- sh and cd /etc/mycert; ls).