As we’ve seen in multiple posts of this blog, when we set up an Ingress controller for our K8s cluster we are exposing an endpoint for incoming traffic to get into our mule apps deployed in the Runtime Fabric instance.
This is going to be the point (or points, there can be more than one) of access from outside our K8s clusters, all of our apps will sit behind. Depending on our architecture, that is, what systems and services will be connecting to our RTF instance, we will need to enable HTTPS for our ingress endpoint.
There are multiple options for our Ingress controller - NGINX, Traefik, AWS ALB...
Although it will very similar, each Ingress controller type has its own setup for TLS. In this post, we will see how to setup NGINX to expose the ingress over HTTPS and test it for our mule apps within the RTF cluster.
Although it will very similar, each Ingress controller type has its own setup for TLS. In this post, we will see how to setup NGINX to expose the ingress over HTTPS and test it for our mule apps within the RTF cluster.
Prerequisites
To follow this tutorial, we will need:
- A K8s cluster with NGINX Ingress controller- There are multiple options to get a K8s cluster, and we’ve seen a few of them in this blog (EKS, AKS, GKE, OpenShift...). The quickest way to get one is using the K3s distribution, which can be installed in seconds. K3s distro comes with Traefik included in the default installation, but we can customize the installation to skip Traefik. Check out this post to see How to install K3 with NGINX as Ingress Controller
- Runtime Fabric installed on that cluster- This is a Mule tutorial so we’ll be interested to know how to use HTTPS for our Mule apps in Runtime Fabric. Have a look at this post where we see, step by step, How to Install Mulesoft Runtime Fabric on K3s.
Once we’ve got this, we’ll follow the next steps:
Create a certificate for our Ingress
- If we use HTTPS that means we’ll have to get a certificate for our ingress. To be more specific, we’ll need a private and public keys pair. The private key will be used by the ingress to encrypt the traffic and the public will be send within the certificate during the handshake to anyone connecting to our ingress.
- To do that, we’ll use OpenSSL. Check out My Quick Guide for OpenSSL if you want to know more. Run the following command to create the private key and certificate.
openssl req -x509 -newkey rsa:2048 -keyout private.key -out certificate.crt -sha256 -days 365 --nodes
Make sure you include the —nodes flag in your command, otherwise you’ll be prompted to provide a PEM passphrase. Kubernetes cannot create tls secrets if our certificate has a password protected key.
Provide values for the info requested:
Create a Secret for the Certificate
- K8s uses the Secret primitive to store certificates and private keys. There’s one type of secret, tls secret, specifically designed for this kind of scenarios.
- To create a secret and store the key and cert we created in the previous step run the following:
kubectl create secret tls tls-secret --namespace rtf --key private.key --cert certificate.crt
- Make sure you provide the namespace where your RTF components are installed (typically rtf). Make sure as well that you provide the right path and names for the private key and certificate we created before
- if you get the error error: tls: failed to parse private key make sure you didn’t create your certificate with a passphrase.
Modify the RTF Ingress
- Once our ingress controller is ready to use the certificate we need to modify the ingress resource template that we use every time we deploy an app in RTF, so that the public endpoint that will be exposed is HTTPS.
- First, get the name of the ingress resource template by running
kubectl get ingress -n rtf
- To modify our template, copy the name of the ingress resource template and run the command below to modify it:
kubectl edit ingress -n rtf [YOUR_INGRESS_TEMPLATE]
- Modify the rtf-ingress.yaml file and add:
tls:
- hosts:
- [YOUR_PUBLIC_HOSTNAME]
secretName: [YOUR_TLS_SECRET]
- Save it and verify it by running the previous command
kubectl get ingress -n rtf
- Head back to Anypoint Runtime Manager and you should see the Inbound traffic for your RTF instance updated:
Test it
Let’s see if we can get to our apps via https.- Go to Runtime Manager > Applications and Deploy Application
- Provide a name and the jar of a simple app (you can take the HelloWorld app provided by Mulesoft in Exchange)
- Choose your RTF instance as Deployment target and review the resources (CPU, memory) that you want to assign.
- In the Ingress tab, make sure that now the Public endpoint is on HTTPS, following the rewrite rule you created in your ingress (in our example, path based)
- Click on deploy and wait for a couple of minutes to get it running on RTF. Once your apps is ready, hit the https endpoint of your app and check that you’re getting the details of your certificate in the response.