
SSL Certificate Setup for Dashboard

To secure the Kubernetes Dashboard, SSL/TLS certificates must be generated and configured on the Ingress proxy. This setup ensures that traffic to the dashboard is encrypted, typically via an Nginx proxy terminating SSL for the Traefik Ingress backend^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md].

Certificate Generation

The first step involves generating a private key and a Certificate Signing Request (CSR) using OpenSSL^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md].

  1. Generate Private Key: Create a 2048-bit RSA key.
    (umask 077; openssl genrsa -out dashboard.od.com.key 2048)
    
  2. Generate CSR: Create the certificate request file.
    openssl req -new -key dashboard.od.com.key -out dashboard.od.com.csr -subj "/CN=dashboard.od.com/C=CN/ST=BJ/L=Beijing/O=ben1234560/OU=ops"
    
  3. Sign Certificate: Sign the certificate with a Certificate Authority (CA).
    openssl x509 -req -in dashboard.od.com.csr -CA ca.pem -CAkey ca-key.pem -CAcreateserial -out dashboard.od.com.crt -days 3650
    

This process results in a dashboard.od.com.crt certificate file valid for 3650 days^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md].

Nginx Configuration

Once the certificates are generated, they must be deployed to the Nginx server (typically the operational node handling Ingress, e.g., hdss7-11^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md]).

  1. Deploy Certificates: Copy the certificate and key to the Nginx certificates directory.
    # On Nginx server (e.g., hdss7-11)
    mkdir -p /etc/nginx/certs
    cd /etc/nginx/certs
    scp hdss7-200:/opt/certs/dashboard.od.com.crt .
    scp hdss7-200:/opt/certs/dashboard.od.com.key .
    
  2. Configure Virtual Host: Create a configuration block for the dashboard domain in /etc/nginx/conf.d/dashboard.od.com.conf^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md].

    The configuration should redirect HTTP traffic to HTTPS and define the SSL parameters:

    server {
        listen       80;
        server_name  dashboard.od.com;
        rewrite ^(.*)$ https://${server_name}$1 permanent;
    }
    
    server {
        listen       443 ssl;
        server_name  dashboard.od.com;
    
        ssl_certificate "certs/dashboard.od.com.crt";
        ssl_certificate_key "certs/dashboard.od.com.key";
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
    
        location / {
            proxy_pass http://default_backend_traefik;
            proxy_set_header Host       $http_host;
            proxy_set_header x-forwarded-for $proxy_add_x_forwarded_for;
        }
    }
    
  3. Reload Nginx: Apply the configuration changes.
    nginx -t
    nginx -s reload
    

Verification

After applying the configuration, accessing https://dashboard.od.com should present a secure connection, utilizing the generated certificate^[400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md].
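
The checks below can be run on the certificate and key before `nginx -s reload`. This is an added example, not part of the original procedure: `check_pair`, `make_demo` and the demo file names are hypothetical, and the sample CA and certificates are constructed on the fly. It goes one step beyond the page by also testing for a subjectAltName entry, which the signing command in step 3 does not add because `openssl x509 -req` copies no extensions unless `-extfile` is given.

```shell
#!/bin/sh
# check_pair CRT KEY CA HOST: prints each failed check, returns 0 only if all pass.
check_pair() {
    crt=$1; key=$2; ca=$3; host=$4; rc=0
    # 1. The certificate must chain to the CA that clients trust.
    openssl verify -CAfile "$ca" "$crt" >/dev/null 2>&1 \
        || { echo "FAIL: does not verify against $ca"; rc=1; }
    # 2. The certificate's public key must belong to the private key,
    #    otherwise nginx refuses to load the pair.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    [ "$cert_pub" = "$key_pub" ] || { echo "FAIL: key does not match"; rc=1; }
    # 3. The host name must be a subjectAltName DNS entry; current browsers
    #    ignore the CN. One SAN entry per line, matched exactly.
    openssl x509 -in "$crt" -noout -text | tr -d ' ' | tr ',' '\n' \
        | grep -qxF "DNS:$host" || { echo "FAIL: no SAN for $host"; rc=1; }
    # 4. Must remain valid for at least 30 more days (2592000 seconds).
    openssl x509 -in "$crt" -noout -checkend 2592000 >/dev/null \
        || { echo "FAIL: expires within 30 days"; rc=1; }
    return $rc
}

# make_demo DIR: constructed sample data (throwaway CA, one key, two certs).
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo-ca" -days 30 \
        -keyout "$d/ca-key.pem" -out "$d/ca.pem" 2>/dev/null
    (umask 077; openssl genrsa -out "$d/demo.key" 2048 2>/dev/null)
    openssl req -new -key "$d/demo.key" -out "$d/demo.csr" \
        -subj "/CN=dashboard.od.com"
    # Signed as in step 3 of the page: CN only, no SAN.
    openssl x509 -req -in "$d/demo.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
        -CAcreateserial -out "$d/cn-only.crt" -days 365 2>/dev/null
    # Same CSR, signed with a SAN supplied through an extension file.
    printf 'subjectAltName=DNS:dashboard.od.com\n' > "$d/san.ext"
    openssl x509 -req -in "$d/demo.csr" -CA "$d/ca.pem" -CAkey "$d/ca-key.pem" \
        -CAcreateserial -extfile "$d/san.ext" -out "$d/san.crt" -days 365 2>/dev/null
}

demo=$(mktemp -d)
make_demo "$demo"
for c in cn-only.crt san.crt; do
    check_pair "$demo/$c" "$demo/demo.key" "$demo/ca.pem" dashboard.od.com \
        && echo "$c: OK" || echo "$c: rejected"
done
rm -rf "$demo"
```

Against the real files the call would be `check_pair dashboard.od.com.crt dashboard.od.com.key ca.pem dashboard.od.com`, run in the directory that holds them.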

Sources

  • 400-devops__06-Kubernetes__k8s-paas__04.dashboard插件及k8s实战交付.md