As we’ve seen in multiple posts of this blog, when we set up an Ingress controller for our K8s cluster we are exposing an endpoint for incoming traffic to get into our mule apps deployed in the Runtime Fabric instance. This is going to be the point (or points, there can be more than one) of access from outside our K8s clusters, all of our apps will sit behind.
Depending on our architecture, that is, what systems and services will be connecting to our RTF instance, we will need to enable HTTPS for our ingress endpoint.
There are multiple options for our Ingress controller - NGINX, Traefik, AWS ALB...
Although it will very similar, each Ingress controller type has its own setup for TLS. In this post, we will see how to setup Traefik to expose the ingress over HTTPS and test it for our mule apps within the RTF cluster.
There are multiple options for our Ingress controller - NGINX, Traefik, AWS ALB...
Although it will very similar, each Ingress controller type has its own setup for TLS. In this post, we will see how to setup Traefik to expose the ingress over HTTPS and test it for our mule apps within the RTF cluster.
Prerequisites
To follow this tutorial, we will need:- A K8s cluster with Traefik as ingress controller installed - The quickest way to get one is using the K3s distribution, which can be installed in seconds and comes with Traefik included in the default installation. Check out this post to see How to get your Kubernetes cluster for Runtime Fabric in 2 mins!
- Runtime Fabric installed - This is a Mule tutorial so we’ll be interested to know how to use HTTPS for our Mule apps in Runtime Fabric. Have a look at this post where we see, step by step, How to Install Mulesoft Runtime Fabric on K3s.
Create a certificate for our Ingress
- If we use HTTPS that means we’ll have to get a certificate for our ingress. To be more specific, we’ll need a private and public keys pair. The private key will be used by the ingress to encrypt the traffic and the public will be send within the certificate during the handshake to anyone connecting to our ingress.
- To do that, we’ll use OpenSSL. Check out My Quick Guide for OpenSSL if you want to know more. Run the following command to create the private key and certificate.
openssl req -x509 -newkey rsa:2048 -keyout private.key -out certificate.crt -sha256 -days 365 --nodesMake sure you include the —nodes flag in your command, otherwise you’ll be prompted to provide a PEM passphrase. Kubernetes cannot create tls secrets if our certificate has a password protected key.
Provide values for the info requested when prompted:
Create a Secret for the Certificate
- K8s uses the Secret primitive to store certificates and private keys. There’s one type of secret, tls secret, specifically designed for this kind of scenarios.
- To create a secret and store the key and cert we created in the previous step run the following:
kubectl create secret tls tls-secret --namespace rtf --key private.key --cert certificate.crt
- Make sure you provide the namespace where your RTF components are installed (typically rtf). Make sure as well that you provide the right path and names for the private key and certificate we created before
- if you get the error error: tls: failed to parse private key make sure you didn’t create your certificate with a passphrase.
Modify the RTF Ingress resource template
- Once our ingress controller is ready to use the certificate we need to modify the ingress resource template that we use every time we deploy an app in RTF, so that the public endpoint that will be exposed is HTTPS.
- For that we need to add the field tls, specifying the dns name that will be exposed as HTTPS and the certificate to use (the tls secret):
tls:
- hosts:
- [YOUR_PUBLIC_HOSTNAME]
secretName: [YOUR_TLS_SECRET]
- We also need to add the following annotations, specifically for Traefik to make it work on HTTPS:
traefik.ingress.kubernetes.io/router.tls: 'true'
traefik.ingress.kubernetes.io/router.entrypoints: websecure
- With that, this is what our ingress will look like (compare it with the ingress resource template we used in our post for Traefik in HTTP). Paste this content in your rtf-ingress.yaml file:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: rtf-ingress
namespace: rtf
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: web
traefik.ingress.kubernetes.io/router.middlewares: rtf-rtf-ks3-replacepath@kubernetescrd
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: 'true'
spec:
tls:
- hosts:
- ec2-3-71-202-114.eu-central-1.compute.amazonaws.com
secretName: tls-secret
ingressClassName: rtf-traefik
rules:
- host: ec2-3-71-202-114.eu-central-1.compute.amazonaws.com
http:
paths:
- pathType: Prefix
path: /rtf/app-name
backend:
service:
name: service-name
port:
name: service-port
- Update the ingress by running
kubectl apply -f rtf-ingress.yaml
- Head back to Anypoint Runtime Manager and you should see now the Inbound traffic for your RTF instance updated:
Test it
Let’s see if we can get to our apps on https:- Go to Runtime Manager > Applications and Deploy Application
- Provide a name and the jar of a simple app (you can take the HelloWorld app provided by Mulesoft in Exchange)
- Choose your RTF instance as Deployment target and review the resources (CPU, memory) that you want to assign.
- In the Ingress tab, make sure that now the Public endpoint is on HTTPS, following the rewrite rule you created in your ingress (in our example, path based)
- Click on deploy and wait for a couple of minutes to get it running on RTF. Once your apps is ready, hit the https endpoint of your app and check that you’re getting the details of your certificate in the response.