One of the issues I discovered while playing with microk8s Kubernetes setup locally was that many services and tools like
Kubernetes Dashboard uses HTTPS for access and I don't want to use Self-Signed SSL certificates as it would require me installing these certificates in every device I use which would be a pain in the butt. So I was on the journey finding a way to have an SSL Certificate for my internal IP addresses. This article will document my journey of getting automatic SSL certificates for my internal microk8s Kubernetes setup.
SSL Certificate for internal IP address?
My first question was is there a way to get an SSL certificate from Public trusted Certificate Authority after looking at many free services like Let's Encrypt and similar services don't provide certificates to IP addresses, but only to domain names.
After discovering the issue with no way to get an SSL certificate for internal IP I was looking into other options for my problem. After racking my brains for a few minutes I had a question: Could I create a DNS A record for internal IP and would it work? A quick visit to my DNS control panel adding A record to the local IP address and visiting the domain name and seeing my local IP address served website I was amazed that it worked.
Discovering that I can have a domain name for internal IP working I was surprised now I had curiosity if I will be able to use service like Let's Encrypt to generate an SSL Certificate for this domain name but if I remember correctly the Let's Encrypt requires external access to verify domain name ownership. Hmm, maybe there is a way to verify domain name ownership without external access? After some digging around Let's Encrypt documentation, I found that there many ways to verify domain ownership one of them is DNS plugins which have many DNS providers to automatically verify domains by modifying DNS records using API from those providers. In my case it is DigitalOcean.
certbot-dns-digitalocean documentationI tried to generate a certificate for internal IP but I ran into the issue that default macOS
certbot installation from
brew install certbot had no
certbot-dns-digitalocean plugin available.
After a quick search online I found that DNS Plugins are not installed by default with
certbot. I needed to install
certbox-dns-digitalocean plugin using PIP
Afterward, I was able to generate a certificate without many issues:
Applying SSL certificate to local HTTPS server I was able to get HTTPS valid response from the internal IP address using a domain name
Now that I know that I can generate & use an SSL certificate for internal IP address just by using a domain name. Now I can try to migrate this knowledge to integrate this to microk8s local setup.
Integrating Let's Encrypt with DNS challenge into microk8s setup using
I am not going to describe microk8s Kubernetes setup as it is pretty straightforward compared to the plain Kubernetes setup.
The first step is to install
cert-manager I will be using Helm to install it.
Now let's configure Certificate Issuer. I will be using the configuration for DigitalOcean but it should be pretty easy to follow instructions from documentation.
First, we need DigitalOcean API token Base64 encoded to be saved in secrets
You can encode token to base64 using
echo -n "Token" | base64
Now we need to configure Certificate Issuer. (I had to change kind from
ClusterIssuer because of namespace issues)
Now that we configured everything we should use the SSL certificate somewhere for this article I will configure microk8s ingress to allow access to
Now after applying the resources we can check if our certificate resource was created and check if our Let's Encrypt Certificate was created too
Now that everything created we should be able to access
If I understood correctly the Certificate will be automatically renewed when expiration time comes up.
So that's all for this article. I hope this helped other people who had similar ideas like me when started working with Kubernetes.
P.S. I am not a professional Kubernetes engineer and everything mentioned in this article is just my assumptions and trying out practices in the local environment.