I have Boundary setup in k8s as a pod in a custom namespace. I now wanted to set up TLS on the client-to-controller connection.
I have seen that you can set the cert via pem and crt. But before I issue the certificate by hand and upload it, is there any guide or recommendation on how to automate the certificate issuing and renewal, e.g. with cert-manager or so? I tried to put an nginx-ingress in front, but this doesn’t handle the ports 9200 and 9202 well.
Thank you very much
Client-to-controller TLS is pretty agnostic – the controller doesn’t care where the certs come from, how they get there or what they say, though the Boundary client will of course do the usual TLS validation on the host cert the controller provides (unless you use --tls-insecure… but you wouldn’t do that… right?)
I would have thought using the usual TLS config options with the nginx ingress would work OK… what issue did you see? (You might need to run the Boundary controller and worker with -tls-server-name so it gives the client a hostname that matches the presented cert if you’re not doing that.)
Thank you very much for your answer.
The problem was more on the Nginx side, which does not intuitively support exposing other ports than HTTP and HTTPS.
Nevertheless, I got it finally working with Nginx. I am using port 443 forwarded via ingress to Boundary port 9200. This connection uses a Let’s Encrypt certificate.
As the connection to the worker, fortunately, has its own encryption, I could just expose it as a TCP service via Nginx: https://kubernetes.github.io/ingress-nginx/user-guide/exposing-tcp-udp-services/.
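A minimal version of the setup described in this last reply, as an added example that is not from the thread or the Boundary project: ingress-nginx terminates TLS on 443 for the API (9200) with a Let’s Encrypt certificate that cert-manager issues and renews, and passes 9202 through as raw TCP. The namespace, Service names, hostname and ClusterIssuer name are assumptions.

```yaml
# Added example (not from the thread): ingress-nginx fronting Boundary on k8s.
# Assumptions (hypothetical names): Boundary runs in namespace "boundary",
# Service "boundary-controller" exposes the API on 9200, Service
# "boundary-worker" exposes the proxy on 9202, cert-manager is installed with a
# ClusterIssuer "letsencrypt-prod", and ingress-nginx lives in "ingress-nginx".
---
# 1) API (9200): TLS terminated by nginx on 443 with a Let's Encrypt cert that
#    cert-manager issues and renews automatically.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: boundary-api
  namespace: boundary
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Uncomment to re-encrypt to the controller if its api listener keeps TLS
    # on (tls_disable = false); the cert there must be valid for the hostname.
    # nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - boundary.example.com
      secretName: boundary-api-tls   # cert-manager writes the cert here
  rules:
    - host: boundary.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: boundary-controller
                port:
                  number: 9200
---
# 2) Worker (9202): plain TCP passthrough via the tcp-services ConfigMap;
#    the Boundary session protocol carries its own encryption, so nginx does
#    not terminate anything here. The ingress-nginx controller must be started
#    with --tcp-services-configmap=ingress-nginx/tcp-services and its Service
#    must expose port 9202.
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services
  namespace: ingress-nginx
data:
  "9202": "boundary/boundary-worker:9202"
```

The worker’s public_addr must advertise the address clients actually reach through nginx (the ingress load balancer on 9202), otherwise clients will be handed an in-cluster address they cannot connect to.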