We are going to discuss how to set up a Kubernetes environment where components can run using HTTPS without pain.

Premise

Usually, people either generate certificates outside the cluster using either openssl, or mkcert, then mount them in or
use those as seeds for further generation. This poses a number of problems during testing and distribution of these
certificates. And then, switching to production, it proves that local certs will either no longer work or pose even
more problems in getting them properly distributed again.

Proposition

Start with cert-manager from the begin. This will give the flexibility needed to move into production immediately, and
the ability to set up a local testing environment quickly and efficiently. I will demonstrate how to achieve this with
minimal pain and no interaction needed aside from a password confirm when starting the test. I will also show how to set
all this up using a Github Action for e2e testing on CI environment.

Breakdown

First, let’s take a look at two deployments to demonstrate this set up. The first deployment we’ll be using is a plain
docker registry. It requires some certs to be mounted in so it can run using HTTPS.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: registry
spec:
  replicas: 1
  selector:
    matchLabels:
      app: curl
  template:
    metadata:
      labels:
        app: registry
    spec:
      containers:
        - name: registry
          image: registry:2
          ports:
            - containerPort: 5000
          env:
            - name: REGISTRY_STORAGE_DELETE_ENABLED
              value: "true"
            - name: REGISTRY_HTTP_TLS_CERTIFICATE
              value: "/certs/cert.pem"
            - name: REGISTRY_HTTP_TLS_KEY
              value: "/certs/key.pem"
            - name: REGISTRY_HTTP_TLS_CLIENTCAS_0
              value: "/certs/ca.pem"
          volumeMounts:
            - mountPath: "/certs"
              name: "root-certs"
      volumes:
        - name: registry
          emptyDir: {}
        - name: "root-certs"
          secret:
            secretName: "root-certs"
            items:
              - key: "tls.crt"
                path: "cert.pem"
              - key: "tls.key"
                path: "key.pem"
              - key: "ca.crt"
                path: "ca.pem"

Nothing too fancy.

The second pod will be a plain ubuntu that runs a curl to this service to verify that it is indeed HTTPS.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: curl-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: curl
  template:
    metadata:
      labels:
        app: curl
    spec:
      containers:
      - name: curl-container
        image: curlimages/curl:latest
        command: ["curl", "https://registry.default.svc.cluster.local:5000"]

Now, let’s assume that the registry already has the certificate, this deployment now would fail with something like this:

kubectl logs "$(kubectl get pods --template '{{range .items}}{{.metadata.name}}{{end}}' --selector=app=curl)"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

Because the pod is lacking the root certificate for our registry. So far so good. Now, let’s see how we can make this
work automatically.

Setting up

First, we need to configure cert-manager to create a root certificate for us. Now, cert-manager creates root certificates
by the means of marking a certificate as a CA. This, sometimes, does not work well with certain browsers. For example,
Firefox doesn’t like certificates that are also root CAs. I’m willing to accept this sacrifice in the test environment.

To prime cert-manager to generate a root certificate for us, all we need to apply this combo:

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-selfsigned-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: my-selfsigned-ca # deprecated but still requires in iOS environment
  secretName: root-secret
  subject: # needed later for local trust store
    organizations:
      - example.com
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: my-ca-issuer
spec:
  ca:
    secretName: root-secret

We are going to start to put this into a setup script at this point. This script will work for us to prime a test
cluster.

#!/usr/bin/env bash

# cleanup
rm -fr rootCA.pem

# install cert-manager with a specific version.
CERT_MANAGER_VERSION=${CERT_MANAGER_VERSION:-v1.13.1}

# if the manifest hasn't been downloaded yet, download it.
if [ ! -e 'cert-manager.yaml' ]; then
  echo "fetching cert-manager manifest for version ${CERT_MANAGER_VERSION}"
  curl -L https://github.com/cert-manager/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.yaml -o cert-manager.yaml
fi

# create a test cluster -- use any configuration here for kind
kind create cluster --name=e2e-test-cluster

echo -n 'installing cert-manager'
# apply the downloaded manifest then wait for all the deployments to become ready.
kubectl apply -f cert-manager.yaml
kubectl wait --for=condition=Available=True Deployment/cert-manager -n cert-manager --timeout=60s
kubectl wait --for=condition=Available=True Deployment/cert-manager-webhook -n cert-manager --timeout=60s
kubectl wait --for=condition=Available=True Deployment/cert-manager-cainjector -n cert-manager --timeout=60s
echo 'done'

# apply the cluster_issuer combination that was defined above this.
echo -n 'applying root certificate issuer'
kubectl apply -f cluster_issuer.yaml
echo 'done'

# wait for the certificate to be generated.
echo -n 'waiting for root certificate to be generated...'
kubectl wait --for=condition=Ready=true Certificate/mpas-bootstrap-certificate -n cert-manager --timeout=60s
echo 'done'

Now, when running our e2e test from a Makefile for example, we can easily use this script as a primer. Consider the
following target for a Go project:

.PHONY: e2e
e2e: prime-test-cluster ## Runs e2e tests
	go test -count=1 -tags=e2e ./e2e

.PHONY: prime-test-cluster
prime-test-cluster:
	./prime_test_cluster.sh

Simple Makefile dependency so it primes the test cluster first, than executes our e2e tests.

We aren’t done yet. We do have a certificate root, but we don’t have a certificate. We could use the rootCA, but I
would rather create a new certificate with the rootCA so each has its own access. To generate a new certificate we apply
a Certificate:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: curl-certs
spec:
  secretName: curl-certs
  dnsNames:
    - registry.default.svc.cluster.local
    - localhost
  ipAddresses:
    - 127.0.0.1
    - ::1
  privateKey:
    algorithm: RSA
    encoding: PKCS8
    size: 2048
  issuerRef:
    name: my-ca-issuer
    kind: ClusterIssuer
    group: cert-manager.io

With this, we have our certificate and we can mount it into our CURL deployment:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: curl-test
spec:
  replicas: 1
  selector:
    matchLabels:
      app: curl
  template:
    metadata:
      labels:
        app: curl
    spec:
      containers:
      - name: curl-container
        image: curlimages/curl:latest
        env:
          - name: CURL_CA_BUNDLE
            value: "/etc/ssl/certs/registry-root.pem"
        command: ["curl", "https://registry.default.svc.cluster.local:5000"]
        volumeMounts:
        - mountPath: "/etc/ssl/certs/registry-root.pem"
          subPath: "registry-root.pem"
          name: "certificates"
      volumes:
      - name: "certificates"
        secret:
          secretName: "curl-certs"
          items:
            - key: "ca.crt"
              path: "registry-root.pem"

A small trick in case of this curl container we do here is using CURL_CA_BUNDLER env. But normally, running something
like alpine, or the likes, you would install ca-certificate package. For gcr.io/distroless/static:nonroot this is
not needed at all. The certificate will be loaded automatically after start.

Running this deployment now should result in a passing container:

curl-test-6589849f47-9f57h                               1/1     Completed          0                4s

This is all fine and good, however, what if you would like to have access to the container using https from localhost?
Maybe you want to prime some test data, push some data into the registry and you don’t want to use insecure. There
are a number of reasons to not use insecure. And we don’t want an if case in our code to detect if we are running in a
test environment and inject stuff into our product code either.

Don’t worry. mkcert got you covered.

Trusting the certificate locally using mkcert

What we get from priming this cluster is that we have access to the certificate that we bootstrapped. We can download
and decode that rootCA and use mkcert to install it locally. We’ll put in some guards to make sure mkcert is installed
and then run it in the prime script to install the download rootCA into the local trust stores.

Altered Makefile:

## Location to install dependencies to
LOCALBIN ?= $(shell pwd)/bin
$(LOCALBIN):
	mkdir -p $(LOCALBIN)

MKCERT ?= $(LOCALBIN)/mkcert
MKCERT_VERSION ?= v1.4.4

## Make sure mkcert exists
.PHONY: mkcert
mkcert: $(MKCERT)
$(MKCERT): $(LOCALBIN)
	curl -L "https://github.com/FiloSottile/mkcert/releases/download/$(MKCERT_VERSION)/mkcert-$(MKCERT_VERSION)-$(UNAME)-amd64" -o $(LOCALBIN)/mkcert
	chmod +x $(LOCALBIN)/mkcert

.PHONY: e2e
e2e: prime-test-cluster ## Runs e2e tests
	go test -count=1 -tags=e2e ./e2e

.PHONY: prime-test-cluster
prime-test-cluster: mkcert ## mkcert added as a dependency
	./prime_test_cluster.sh

Then we add a tiny bit at the end of our primer:

#!/usr/bin/env bash

# cleanup
rm -fr rootCA.pem

# install cert-manager with a specific version.
CERT_MANAGER_VERSION=${CERT_MANAGER_VERSION:-v1.13.1}

# if the manifest hasn't been downloaded yet, download it.
if [ ! -e 'cert-manager.yaml' ]; then
  echo "fetching cert-manager manifest for version ${CERT_MANAGER_VERSION}"
  curl -L https://github.com/cert-manager/cert-manager/releases/download/${CERT_MANAGER_VERSION}/cert-manager.yaml -o cert-manager.yaml
fi

# create a test cluster -- use any configuration here for kind
kind create cluster --name=e2e-test-cluster

echo -n 'installing cert-manager'
# apply the downloaded manifest then wait for all the deployments to become ready.
kubectl apply -f cert-manager.yaml
kubectl wait --for=condition=Available=True Deployment/cert-manager -n cert-manager --timeout=60s
kubectl wait --for=condition=Available=True Deployment/cert-manager-webhook -n cert-manager --timeout=60s
kubectl wait --for=condition=Available=True Deployment/cert-manager-cainjector -n cert-manager --timeout=60s
echo 'done'

# apply the cluster_issuer combination that was defined above this.
echo -n 'applying root certificate issuer'
kubectl apply -f cluster_issuer.yaml
echo 'done'

# wait for the certificate to be generated.
echo -n 'waiting for root certificate to be generated...'
kubectl wait --for=condition=Ready=true Certificate/mpas-bootstrap-certificate -n cert-manager --timeout=60s
echo 'done'

#### New segment from here ####

# download the certificate and decode it using base64.
kubectl get secret ocm-registry-tls-certs -n cert-manager -o jsonpath="{.data['tls.crt']}" | base64 -d > rootCA.pem
echo -n 'installing root certificate into local trust store...'
CAROOT=. ./bin/mkcert -install
rootCAPath="./rootCA.pem"

# if the local environment as a ca-certificates store, append our certificate to it. This will come in handy later
# when using a github action to set this all up.
if [ -e '/etc/ssl/certs/ca-certificates.crt' ]; then
  echo "updating root certificate"
  sudo cat "${rootCAPath}" | sudo tee -a /etc/ssl/certs/ca-certificates.crt || echo "failed to append to ca-certificates. Ignoring the failure"
fi

echo 'done'

And this is it. Running this script will prompt the user for a root password so mkcert can install the downloaded rootCA.
The name is important here rootCA.pem. This is the name mkcert expects to find when running -install.

Github Action

All that remains now is to put this all together so it can run in a github action:

name: e2e

on:
  pull_request:
    paths-ignore:
      - 'CODE_OF_CONDUCT.md'
      - 'README.md'
      - 'Contributing.md'
    branches:
      - main

permissions:
  contents: read # for actions/checkout to fetch code

jobs:
  run-e2e-suite:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v4
        with:
          go-version-file: '${{ github.workspace }}/go.mod'
      - name: Restore Go cache
        uses: actions/cache@v3
        with:
          path: /home/runner/work/_temp/_github_home/go/pkg/mod
          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
          restore-keys: |
            ${{ runner.os }}-go-            
      - name: Setup Kubernetes
        uses: helm/kind-action@v1.5.0
        with:
          install_only: true
      - name: Run E2E tests
        id: e2e-tests
        run: make e2e-verbose

That’s it! Because of our little hack at the end of our script in prime, it will update the ca-certificate with the root
certificate on an Ubuntu environment. If you are running a different environment, you might have to put this root ca
elsewhere. That depends on your configuration.

Conclusion

We’ve seen how to use cert-manager to easily generate a root certificate in cluster. This will alieviate the point of
having to:

  • locally generate them
  • create secret(s) for them
  • rotate certificates when they expire
  • deal with switching code between development and prod environments
  • using insecure

We are now using cert-manager which is an industry standard for generating certificates. This setup will also make it a
lot easier to switch to a prod environment since we already installed cert-manager and we already have a means of
mounting and distributing certificates amongst pods that need them.

Read More