How to use NSX-T https Ingress Controller for Kubernetes in VMware Enterprise PKS
search cancel

How to use NSX-T https Ingress Controller for Kubernetes in VMware Enterprise PKS

book

Article ID: 316779

calendar_today

Updated On:

Products

VMware

Issue/Introduction

This article contains detailed steps on how to use https ingress in VMware Enterprise PKS environment.


Environment

VMware PKS 1.x

Resolution


In order to create an HTTPS ingress:
  1. Create a server certificate and key by using openssl or any third party CA.
  2. Create a TLS secret by using the above cert and key.
  3. Create the Ingress resource by using the TLS secret.

Create a server certificate and key by using openssl :

  1. Generate CA private key by running the command:
    openssl genrsa -aes256 -out ca.key 4096

    Example:
    root@PKS-client-vm#     openssl genrsa -aes256 -out ca.key 4096
    Generating RSA private key, 4096 bit long modulus
    ..........................................++
    ...............................................................................................................................++e is 65537 (0x10001)
    Enter pass phrase for ca.key: <Enter passphrase>
    Verifying - Enter pass phrase for ca.key: <Enter passphrase>
  2. Generate the CA certificate by running the command:
    openssl req -key ca.key -new -x509 -days 365 -sha256 -extensions v3_ca -out ca.crt

    Example:
    root@PKS-client-vm#     openssl req -key ca.key -new -x509 -days 365 -sha256 -extensions v3_ca -out ca.crt
    Enter pass phrase for ca.key: <Enter the passphrase>
    You are about to be asked to enter information that will be incorporated into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:
  3. Generate server certificate request and private key:
    openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key

    Example:
    root@PKS-client-vm#     openssl req -out server.csr -new -newkey rsa:2048 -nodes -keyout server.key
    Generating a 2048 bit RSA private key
    ..................................................................+++.........+++
    writing new private key to 'server.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
    State or Province Name (full name) [Some-State]:
    Locality Name (eg, city) []:
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:
    Organizational Unit Name (eg, section) []:
    Common Name (e.g. server FQDN or YOUR name) []:
    Email Address []:

    Please enter the following 'extra' attributes to be sent with your certificate request
    A challenge password []: [optional]
    An optional company name []: [optional]
  4. Sign the CSR with CA certificate:
    openssl x509 -req -days 360 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial  -out server.crt -sha256

    Example:
    root@PKS-client-vm#     openssl x509 -req -days 360 -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out server.crt -sha256
    Signature ok
    subject=/C=XX/ST=XX/L=XXX XXX/O=XXXX/OU=XXXX
    Getting CA Private Key
    Enter pass phrase for ca.key: <Enter the pass phrase!>
 

Create a TLS secret by using cert and key:

  1. You need to create the TLS secret by using the cert and key generated by openssl or custom CA.
    kubectl create secret tls cafe-secret --key server.key --cert server.crt

    Example:
    root@PKS-client-vm#     kubectl create secret tls cafe-secret --key server.key --cert server.crt
    secret/cafe-secret created
  2. Verifiy the secret by running the command:
    root@PKS-client-vm #     kubectl describe secret cafe-secret
    Name:         cafe-secret
    Namespace:    default
    Labels:       <none>
    Annotations:  <none>

    Type:  kubernetes.io/tls
    Data
    ====
    tls.crt:  1655 bytes
    tls.key:  1704 bytes

Create the Ingress resource by using the TLS secret:

  1. Create the ingress resource by running the command:
    kubectl create -f cafe-ingress-https.yml

    Sample configuration file with TLS secret:
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: cafe-ingress
    spec:
      tls:
      - hosts:
        - cafe.example.com
        secretName: cafe-secret
      rules:
      - host: cafe.example.com
        http:
          paths:
          - path: /tea
            backend:
              serviceName: tea-svc
              servicePort: 80
          - path: /coffee
            backend:
              serviceName: coffee-svc
              servicePort: 80
     
  2. Verify that ingress resource has been created:
    root@PKS-client-vm#     kubectl get ingress
    NAME           HOSTS              ADDRESS                     PORTS     AGE
    cafe-ingress   cafe.example.com   10.40.14.96,100.64.112.35   80, 443   1m
     
  3. Navigate to NSX-T Manager  > PKS Cluster Load Balancer > HTTPS ingress controller > LB Profiles and verify that you see the certificate under Client Side SSL section.


Powered by Wolken Software