Configuring SSL on my NodeBalancer that

I have a domain registered with SquareSpace. The DNS record is configured to point at the IP of my NodeBalancer and the DNS has propagated.

For context:

  • The Nodes are running off a K8S cluster which pulls from my Docker image. Each of the nodes is open on port 80 (this is default).
  • "kubectl apply" is done through a CI/CD pipeline.
  • The K8S deployment also creates the NB service by default :: port:80 & targetPort:80.
  • The NodeBalancer is open on port 80. I can reach my site via the IP of the NB and HTTP but not HTTPS.

I understand that I need to obtain an SSL cert for my domain. I also know that I cannot SSH into the NB itself so I'm assuming that I will have to SSH into one (or all) of the nodes to obtain the cert.

I have many questions…

  • Once I obtain a cert, do I have to reconfigure all my nodes' nginx.conf?
  • Do I need to change the NB port to 443, keep it at 80, or open both?
  • How do I adjust my K8S deployment to ensure that the NB stays open on the correct port(s)?
  • Do I need to switch my NameServers to linode?

I'm a little stuck here and could use some guidance. It's also entirely possible that I'm looking at the wrong thing(s). Any guidance would be greatly appreciated, please and thank you.

1 Reply

Going a little out of order based on your questions;

Do I need to switch my NameServers to linode?

No, although hosting your DNS records through Cloud Manager/Domains provides our Support Team with more insight into your general configuration. Where you manage your domains generally comes down to personal preference and available features, so as long as your name servers and records are configured correctly, you can use either theirs or ours (not both).

Do I need to change the NB port to 443, keep it at 80, or open both?

As I understand HTTPS and security protocols such as HSTS, even if you are forcing HTTPS, you should still leave both 80 & 443 open to facilitate redirections. This StackOverflow post goes into more detail about this:

How do I adjust my K8S deployment to ensure that the NB stays open on the correct port(s)?

When you expose a service using an LKE Load Balancer/NodeBalancer, your configuration maps the following spec parameters:

Pod:

apiVersion: apps/v1
kind: Deployment
...
spec:
  template:
    spec:
      containers:
      - name: nginx
        ports:
        - containerPort: 80   # port the pod listens on; must match the Service targetPort

Service:

apiVersion: v1
kind: Service
...
spec:
  type: LoadBalancer
  ports:
  - name: http
    port: 80          # port exposed on the NodeBalancer
    protocol: TCP
    targetPort: 80    # port on the pod; must match containerPort

The LoadBalancer port is the port that is externally accessible when navigating to the NodeBalancer (e.g. http://example.com:80), while targetPort and the container port must match to map the service to the pod. Depending on your needs, these can be changed to different values than 80 as long as they are paired correctly on the backend.

Once I obtain a cert, do I have to reconfigure all my nodes' nginx.conf?

It will ultimately depend on your configuration of the NodeBalancer, but this StackOverflow post suggests that this will not be necessary unless you terminate SSL via TCP. This is further confirmed in our own documentation:

If you wish to use TLS/SSL pass-through and terminate the HTTPS connection on the backend nodes, select the TCP protocol instead of HTTPS.

For more information about SSL generation and management for NodeBalancers and for ways to automatically renew SSL certificates, be sure to review the following Docs guide, Community Post, and Github page:
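As an added example (not from the original post or the Linode docs), here is a single Service that keeps the NodeBalancer listening on both 80 and 443 and terminates TLS at the NodeBalancer, so the backend nginx keeps serving plain HTTP on 80 and its nginx.conf does not change. It assumes the Deployment labels its pods app=web, a kubernetes.io/tls Secret named web-tls exists in the same namespace, and the annotation names are those documented by the Linode Cloud Controller Manager (they are not on this page; confirm them against the CCM docs for your version).

```yaml
# Added example, not part of the original thread.
# Create the TLS secret first (placeholder paths), e.g.:
#   kubectl create secret tls web-tls --cert=fullchain.pem --key=privkey.pem
apiVersion: v1
kind: Service
metadata:
  name: web                      # placeholder name
  annotations:
    # Port 80 stays plain HTTP so the HTTP->HTTPS redirect (and any
    # HTTP-01 certificate challenge) still reaches the backend.
    service.beta.kubernetes.io/linode-loadbalancer-default-protocol: "http"
    # Port 443 terminates TLS at the NodeBalancer using the Secret above;
    # annotation name is from the Linode CCM docs (assumption, not on this page).
    service.beta.kubernetes.io/linode-loadbalancer-port-443: '{"tls-secret-name": "web-tls", "protocol": "https"}'
spec:
  type: LoadBalancer
  selector:
    app: web                     # placeholder; must match the Deployment's pod labels
  ports:
  - name: http
    port: 80                     # externally reachable NodeBalancer port
    targetPort: 80               # must match containerPort on the pod
    protocol: TCP
  - name: https
    port: 443                    # externally reachable NodeBalancer port
    targetPort: 80               # TLS ends at the NB; backend still speaks plain HTTP
    protocol: TCP
```

After `kubectl apply`, `kubectl get svc web` should show both 80 and 443 on the NodeBalancer's external IP; if the pod's containerPort is ever changed, both targetPort values must change with it.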
