2

Currently, certbot and nginx are used to create a trusted webpage. Recently, an attempt was made to move the images to a Kubernetes cluster on Google Cloud Platform. A guide was found to configure an SSL load balancer. It was tried and it shows multiple textboxes to insert a key, cert and chain.

An attempt was made to see whether Google offers wildcard certs as well, but no information was found. Certbot itself announced last year that they will support wildcard certs, but that does not seem to be the case either. The first impression is that using certbot with the Google load balancer will not be possible or will be cumbersome, as the certs have to be renewed every three months.

When one Googles "cheap wildcard ssl", a lot of results are shown. The questions are: which of these providers can be considered safe, what are the costs, and what providers do you use and why?

030

3 Answers

2

Have a look at "Ingress" and "Cert-Manager":

slintes
0

For using kube-lego you can follow these steps:

Visit https://github.com/jetstack/kube-lego/tree/master/examples/gce and follow instructions to have a kube-lego namespace working.

Create an ingress like this:

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: app-ingress
      annotations:
        kubernetes.io/tls-acme: "true"
        kubernetes.io/ingress.class: "gce"
    spec:
      backend:
        serviceName: backend-service
        servicePort: 80
      tls:
      - hosts:
        - example.com
        - api.example.com
        secretName: app-ingress-tls
      rules:
      - host: example.com
        http:
          paths:
          - path: /*
            backend:
              serviceName: backend-service
              servicePort: 443
      - host: api.example.com
        http:
          paths:
          - path: /*
            backend:
              serviceName: backend-service
              servicePort: 443

Remember to replace backend-service with your own service name and example.com with your domain.

You can add as many host sections as you need; each host section should be associated with a domain in the tls section.

Use the app-ingress-tls secret to mount as a volume on your service.

wolmi
0

Let's Encrypt is a free TLS/SSL service you can use with your Kubernetes cluster, and a lot of the work is automated. You can set up your Kubernetes cluster to reach out to Let's Encrypt, confirm you are the owner of the domain name, and have a cert issued to you.

Let's Encrypt will not take the word of your Kubernetes cluster, but will instead make a request to that domain name you supposedly own, and if you truly do own it, you will reply. When you respond on that route, you will automatically get a certificate from Let's Encrypt that is going to be saved into a secret and made available to your application. Typically, it's good for 90 days and then it will automatically go through this process again.

The challenge for you is setting up the infrastructure to make this happen.

Step 1. You need to purchase a domain name. You can use many different services out there, but I would recommend domains.google.com.

Step 2. You want to set up your domain name by going to your Kubernetes cluster dashboard in Services and then finding the Ingress service; that's the IP you will use for your domain name to point to. You are going to click on the DNS of the domain name you purchased, look for Custom resource records and set up two custom records. The first one will ensure a user who goes to mycluster.com gets forwarded to the IP specified; the second one ensures that a user who goes to www.mycluster.com gets forwarded to the same IP specified.

So you add the @ symbol with an A record, a 1 hour time to live (which is how long it takes for the record to take effect), and the IP address assigned to your load balancer. No port, just the IP address.

The second record type is a CNAME with www and a 1 hour time to live; obviously that's for your www.mycluster.com, and that's pretty much it for that.

Step 3. Set up your Kubernetes cluster to obtain a TLS certificate.

Step 4. You will have to complete an issuer and certificate config file.

Step 5. Deploy your new changes.

Step 6. Verify the certificate.

Daniel
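As an added illustration of the "issuer and certificate config files" from step 4 (example manifests written for this page, not Daniel's or the cert-manager project's own files), here is a cert-manager ClusterIssuer and Certificate that obtain the wildcard cert the question asks about. Let's Encrypt only issues wildcard names via the DNS-01 challenge, so the solver below uses Google Cloud DNS rather than the HTTP-01 Ingress route; the project id, email, secret names and example.com are placeholders to replace, and cert-manager is assumed to be installed in the cluster.

```yaml
# Added example (not from the original answers). Assumes cert-manager is
# installed and that a GCP service account key with DNS admin rights on the
# zone for example.com is stored in the cert-manager namespace as secret
# "clouddns-dns01-sa" under the key "key.json".
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dns01
spec:
  acme:
    # Use the staging directory first; it has generous rate limits and
    # issues untrusted certs, so a misconfiguration is caught cheaply.
    # Production directory: https://acme-v02.api.letsencrypt.org/directory
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.com            # placeholder: expiry notices go here
    privateKeySecretRef:
      name: letsencrypt-dns01-account-key   # ACME account key, created by cert-manager
    solvers:
    - dns01:
        cloudDNS:
          project: my-gcp-project-id    # placeholder GCP project owning the zone
          serviceAccountSecretRef:
            name: clouddns-dns01-sa
            key: key.json
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: default                    # the namespace your Ingress lives in
spec:
  # cert-manager writes tls.crt/tls.key here; reference this name in
  # the Ingress "tls.secretName" field and renewal happens automatically
  # before the 90-day Let's Encrypt lifetime runs out.
  secretName: wildcard-example-com-tls
  issuerRef:
    name: letsencrypt-dns01
    kind: ClusterIssuer
  dnsNames:
  - example.com
  - "*.example.com"                     # wildcard: covers api.example.com, www.example.com, ...
```

For step 6, `kubectl describe certificate wildcard-example-com` should show a Ready condition of True; if it stays False, `kubectl describe challenge` in the same namespace shows whether the DNS-01 TXT record was written and validated.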