Exposing KubeApps with Contour Ingress and TLS Encryption
As more organizations adopt cloud-native technologies, secure and scalable application delivery has become increasingly important. One popular solution is to use Kubernetes-based platforms like Tanzu Kubernetes, which provide a highly scalable and flexible infrastructure for deploying modern applications. However, securing these applications can be a challenge, especially when it comes to exposing them outside of the Kubernetes cluster. In this blog post, we’ll explore how to use Contour ingress and TLS encryption to securely expose KubeApps to the internet.
Background on KubeApps and Contour
-----------------------------------
KubeApps is a cloud-native application delivery platform that provides a simple and consistent way to deploy, manage, and secure applications on a Kubernetes cluster. It uses a declarative configuration file to define the desired state of the application and its dependencies, making it easy to manage complex application stacks. Contour is an open-source ingress controller that provides a scalable and highly available infrastructure for delivering applications to the internet. It supports a wide range of protocols and load balancing algorithms, making it a popular choice for large-scale application deployments.
Exposing KubeApps with Contour Ingress
--------------------------------------
By default, KubeApps does not expose the application outside of the Kubernetes cluster, as the default service type is ClusterIP. This means that the application can only be accessed from within the cluster. To expose the application to the internet, we can use a LoadBalancer service, but this will result in a self-signed certificate. A better solution is to use Contour ingress to securely expose the application and provide a TLS certificate.
To expose KubeApps with Contour ingress, we’ll need to have Contour installed before installing KubeApps. We can then deploy KubeApps as normal using Helm, and create a demo credential to access KubeApps. Next, we’ll create a TLS secret (type kubernetes.io/tls) and an HTTPProxy to use with Contour. We’ll paste the tls.crt and tls.key in base64 format into the manifest and update the fqdn. Here’s the manifest to create the secret and HTTPProxy:
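```
apiVersion: v1
kind: Secret
metadata:
  name: kubeapps-tls
type: kubernetes.io/tls
data:
  tls.crt: # paste the base64-encoded certificate here
  tls.key: # paste the base64-encoded private key here
---
apiVersion: projectcontour.io/v1
kind: HTTPProxy
metadata:
  name: kubeapps
spec:
  virtualhost:
    fqdn: # set to the FQDN of the virtual host
    tls:
      secretName: kubeapps-tls
  routes:
    # Assumption: the Helm release is named "kubeapps" and its Service
    # listens on port 80; adjust both to match your deployment.
    - services:
        - name: kubeapps
          port: 80
```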
Once we have created the manifest, we can apply it to create the secret and HTTPProxy with kubectl apply -f kubeapps-contour.yaml. Finally, we’ll update the DNS records for the FQDNs to point to the IP address of the Envoy service.
Obtaining the Token and Logging into KubeApps
---------------------------------------------
To log into KubeApps, we’ll need to obtain a token from the Kubernetes cluster. We can do this by running kubectl get --namespace default secret kubeapps-operator-token -o go-template='{{.data.token | base64decode}}'. The token is stored base64-encoded in the secret; the template decodes it, so the command outputs the token itself, which we can then use to log into KubeApps.
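To see what that command hands back, the following added example (not part of the original post) undoes the Secret's base64 layer and reads the claims of the resulting service-account JWT without verifying its signature. The function names, the sample token and its claim values are constructed for illustration; the service-account name is an assumption derived from the secret name.

```python
import base64
import json


def token_from_secret(data_token: str) -> str:
    """Undo the Secret's base64 layer, as `base64decode` does in the template."""
    return base64.b64decode(data_token).decode("ascii")


def inspect_token(token: str) -> dict:
    """Return identity claims of a service-account JWT (signature NOT verified)."""
    parts = token.split(".")
    if len(parts) != 3:
        # A still-encoded Secret value contains no dots and lands here.
        raise ValueError("not a JWT: expected header.payload.signature")
    payload = parts[1]
    # JWT segments are base64url with the '=' padding stripped; restore it.
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    return {
        "subject": claims.get("sub"),
        "issuer": claims.get("iss"),
        "expires": claims.get("exp"),
        "long_lived": "exp" not in claims,  # no expiry claim in the token
    }


def _seg(obj: dict) -> str:
    """Encode one JWT segment (used only to build the constructed sample)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: claim names follow the secret-based service-account token
# layout; the account name and the signature are made up for illustration.
SAMPLE_TOKEN = ".".join([
    _seg({"alg": "RS256", "typ": "JWT"}),
    _seg({
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "default",
        "kubernetes.io/serviceaccount/service-account.name": "kubeapps-operator",
        "sub": "system:serviceaccount:default:kubeapps-operator",
    }),
    "constructed-signature",
])
# What `.data.token` would hold in the Secret: the token, base64-encoded again.
SAMPLE_SECRET_VALUE = base64.b64encode(SAMPLE_TOKEN.encode()).decode()

if __name__ == "__main__":
    print(inspect_token(token_from_secret(SAMPLE_SECRET_VALUE)))
```

A result with `long_lived` set to true means the token carries no expiry, which is worth knowing before the login page it unlocks is reachable from the internet.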
Opening a browser session and entering the FQDN of the virtual host should now allow us to access KubeApps securely over TLS. We’ve successfully exposed KubeApps with Contour ingress and secured it with a TLS certificate, providing a secure and scalable application delivery platform for our cloud-native applications.
Conclusion
----------
In this blog post, we explored how to use Contour ingress and TLS encryption to securely expose KubeApps to the internet. We saw how to create a TLS secret (type kubernetes.io/tls) and an HTTPProxy to use with Contour, and how to update the DNS records for the FQDNs to point to the IP address of the Envoy service. By following these steps, we can provide a secure and scalable application delivery platform for our cloud-native applications, using KubeApps and Contour ingress.