LAB13: TLS Implementation

LAB101: TLS Implementation - NGINX

PART 1 — Create Your Own CA and TLS Certificates

We’ll generate:

CA private key
CA certificate
Server private key
Server CSR
Server certificate signed by CA (for nginx.example.com)

Step 1 — Create CA Private Key

openssl genrsa -out ca.key 4096

Step 2 — Create CA Certificate

openssl req -x509 -new -nodes \
  -key ca.key \
  -sha256 -days 3650 \
  -out ca.crt \
  -subj "/C=NP/ST=Bagmati/L=Kathmandu/O=MyCA Ltd/CN=My-Root-CA"

This is your root certificate authority.

Step 3 — Generate Server Private Key

openssl genrsa -out tls.key 2048

Step 4 — Create CSR (Certificate Signing Request)

openssl req -new \
  -key tls.key \
  -out tls.csr \
  -subj "/C=NP/ST=Bagmati/L=Kathmandu/O=MyServer/CN=nginx.example.com"

Step 5 — Create SAN Config File (Recommended)

Create san.cnf:

subjectAltName = @alt_names

[alt_names]
DNS.1 = nginx.example.com
DNS.2 = nginx

Step 6 — Sign Server Certificate With Your CA

openssl x509 -req \
  -in tls.csr \
  -CA ca.crt \
  -CAkey ca.key \
  -CAcreateserial \
  -out tls.crt \
  -days 365 \
  -sha256 \
  -extfile san.cnf

Resulting files:

tls.key → Server private key
tls.crt → Server certificate
ca.crt → CA certificate

PART 2 — Create Kubernetes TLS Secret

You can create it using kubectl command or YAML.

A. Using kubectl command

kubectl create secret tls nginx-tls-secret \
  --cert=tls.crt \
  --key=tls.key

B. Using YAML (base64 required)

Encode the files:

cat tls.crt | base64 -w 0
cat tls.key | base64 -w 0

Create nginx-tls-secret.yaml:

apiVersion: v1
kind: Secret
metadata:
  name: nginx-tls-secret
type: kubernetes.io/tls
data:
  tls.crt: <base64_of_tls.crt>
  tls.key: <base64_of_tls.key>

Apply:

kubectl apply -f nginx-tls-secret.yaml

PART 3 — Nginx TLS VIRTUAL HOST CONFIG (ConfigMap)

This ConfigMap creates a virtual host listening on port 443 with TLS:

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-tls-conf
data:
  default.conf: |
    server {
      listen 443 ssl;
      server_name nginx.example.com;

      ssl_certificate     /etc/nginx/tls/tls.crt;
      ssl_certificate_key /etc/nginx/tls/tls.key;

      # Optional Hardening
      ssl_protocols TLSv1.2 TLSv1.3;
      ssl_ciphers HIGH:!aNULL:!MD5;

      location / {
        return 200 "Welcome to secure NGINX over TLS 🚀\n";
      }
    }

PART 4 — Nginx Pod Using TLS + ConfigMap

apiVersion: v1
kind: Pod
metadata:
  name: nginx-tls-pod
spec:
  containers:
    - name: nginx
      image: nginx
      ports:
        - containerPort: 443
      volumeMounts:
        - name: tls
          mountPath: /etc/nginx/tls
        - name: nginx-conf
          mountPath: /etc/nginx/conf.d

  volumes:
    - name: tls
      secret:
        secretName: nginx-tls-secret
    - name: nginx-conf
      configMap:
        name: nginx-tls-conf

TESTING

If using port-forward:

kubectl port-forward pod/nginx-tls-pod 8443:443

Then:

curl -k https://localhost:8443

Output:

Welcome to secure NGINX over TLS 🚀

PART 1 — NGINX DEPLOYMENT (HTTPS-READY)

The Deployment mounts:

TLS Secret → /etc/nginx/tls
Virtual Host ConfigMap → /etc/nginx/conf.d

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-http-deploy
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-http
  template:
    metadata:
      labels:
        app: nginx-http
    spec:
      containers:
        - name: nginx
          image: nginx
          ports:
            - containerPort: 80
          volumeMounts:
            - name: nginx-conf
              mountPath: /etc/nginx/conf.d/
      volumes:
        - name: nginx-conf
          configMap:
            name: nginx-http-conf

Apply:

kubectl apply -f nginx-deploy.yaml

Updated NGINX Virtual host config

apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-http-conf
data:
  default.conf: |
    server {
      listen 80;
      server_name nginx.example.com;

      location / {
        return 200 "Serving from backend HTTP NGINX 🌿\n";
      }
    }

kubectl apply -f nginx-conf.yaml

🌐 PART 2 — SERVICE (EXPOSE DEPLOYMENT)

A ClusterIP is enough if you’re using an Ingress.

apiVersion: v1
kind: Service
metadata:
  name: nginx-http-svc
spec:
  selector:
    app: nginx-http
  ports:
    - name: http
      port: 80
      targetPort: 80

Apply:

kubectl apply -f nginx-svc.yaml

PART 3 — INGRESS WITH TLS TERMINATION

Here your TLS certificate is used at the Ingress layer, not inside Nginx. (You can choose to keep TLS inside Nginx too — but this example is for Ingress TLS.)

Works with:

NGINX Ingress Controller
HAProxy
Traefik
Istio Gateway (with tweaks)

✔ Ingress + TLS using your Secret

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-http-ingress
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - nginx.example.com
      secretName: nginx-tls-secret
  rules:
    - host: nginx.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nginx-http-svc
                port:
                  number: 80

Apply:

kubectl apply -f nginx-ingress.yaml

Test Your HTTPS Endpoint

Update /etc/hosts:

<INGRESS_CONTROLLER_IP>  nginx.example.com

Then test:

curl -k https://nginx.example.com

Expected output:

Welcome to secure NGINX over TLS 🚀

If you're using NGINX ingress controller:

kubectl get svc -n ingress-nginx

Use the external IP if on a cloud platform.

OPTIONAL: MULTI-DOMAIN OR WILDCARD CERTS

Wildcard Example (*.example.com)

san.cnf:

subjectAltName = @alt_names

[alt_names]
DNS.1 = *.example.com
DNS.2 = example.com

Same process:

openssl x509 -req -in tls.csr -CA ca.crt -CAkey ca.key \
  -CAcreateserial -out tls.crt -days 365 -sha256 -extfile san.cnf

Ingress:

tls:
  - hosts:
      - "*.example.com"
      - "example.com"
    secretName: wildcard-tls

PreviousLAB12a: More ConfigMap & Secret NextLAB13a: Network Policy, RBAC

Last updated 1 month ago

Good night

hashtagLAB101: TLS Implementation - NGINX

hashtagPART 1 — Create Your Own CA and TLS Certificates

hashtagStep 1 — Create CA Private Key

hashtagStep 2 — Create CA Certificate

hashtagStep 3 — Generate Server Private Key

hashtagStep 4 — Create CSR (Certificate Signing Request)

hashtagStep 5 — Create SAN Config File (Recommended)

hashtagStep 6 — Sign Server Certificate With Your CA

hashtagPART 2 — Create Kubernetes TLS Secret

hashtagA. Using kubectl command

hashtagB. Using YAML (base64 required)

hashtagPART 3 — Nginx TLS VIRTUAL HOST CONFIG (ConfigMap)

hashtagPART 4 — Nginx Pod Using TLS + ConfigMap

hashtagTESTING

hashtagPART 1 — NGINX DEPLOYMENT (HTTPS-READY)

hashtagUpdated NGINX Virtual host config

hashtag🌐 PART 2 — SERVICE (EXPOSE DEPLOYMENT)

hashtagPART 3 — INGRESS WITH TLS TERMINATION

hashtag✔ Ingress + TLS using your Secret

hashtagTest Your HTTPS Endpoint

hashtagOPTIONAL: MULTI-DOMAIN OR WILDCARD CERTS

hashtagWildcard Example (*.example.com)

LAB101: TLS Implementation - NGINX

PART 1 — Create Your Own CA and TLS Certificates

Step 1 — Create CA Private Key

Step 2 — Create CA Certificate

Step 3 — Generate Server Private Key

Step 4 — Create CSR (Certificate Signing Request)

Step 5 — Create SAN Config File (Recommended)

Step 6 — Sign Server Certificate With Your CA

PART 2 — Create Kubernetes TLS Secret

A. Using kubectl command

B. Using YAML (base64 required)

PART 3 — Nginx TLS VIRTUAL HOST CONFIG (ConfigMap)

PART 4 — Nginx Pod Using TLS + ConfigMap

TESTING

PART 1 — NGINX DEPLOYMENT (HTTPS-READY)

Updated NGINX Virtual host config

🌐 PART 2 — SERVICE (EXPOSE DEPLOYMENT)

PART 3 — INGRESS WITH TLS TERMINATION

✔ Ingress + TLS using your Secret

Test Your HTTPS Endpoint

OPTIONAL: MULTI-DOMAIN OR WILDCARD CERTS

Wildcard Example (*.example.com)