1 | 1 | # Platform SSL |
2 | 2 |
|
3 | | -TODO (bacongobbler): rewrite for v2 |
| 3 | +SSL/TLS is the standard security technology for establishing an encrypted link between a web server |
| 4 | +and a browser. This link ensures that all data passed between the web server and browsers remain |
| 5 | +private and integral. |
| 6 | + |
| 7 | +To enable SSL for your cluster and all apps running upon it, you can add an SSL key to your load |
| 8 | +balancer. You must either provide an SSL certificate that was registered with a CA or provide |
| 9 | +[your own self-signed SSL certificate](../reference-guide/creating_self_signed_ssl.md). |
| 10 | + |
| 11 | +## Installing SSL on a Load Balancer |
| 12 | + |
| 13 | +On most cloud-based load balancers, you can install a SSL certificate onto the load balancer |
| 14 | +itself. Any communication inbound to the load balancer will be encrypted while the internal |
| 15 | +components of Deis will still communicate over HTTP. |
| 16 | + |
| 17 | +When you install Deis, Kubernetes will provision a load balancer for the routers. To enable SSL, |
| 18 | +you will need to modify the listener settings on the load balancer: |
| 19 | + |
| 20 | + - swap the load balancer protocol on port 443 to use HTTPS |
| 21 | + - swap the backend protocol to use HTTP |
| 22 | + - change the backend port to the same backend port as the listener on port 80 |
| 23 | + - install the certificate on the listener for port 443 |
| 24 | + |
| 25 | +See your vendor's specific instructions on installing SSL on your load balancer. For AWS, see their |
| 26 | +documentation on [installing an SSL cert for load balancing](http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/ssl-server-cert.html). |
| 27 | + |
| 28 | +## Installing SSL on the Deis Routers |
| 29 | + |
| 30 | +You can also use the Deis routers to terminate SSL connections. Use `kubectl` to install the |
| 31 | +certificate and private keys. Open your favorite text editor and create the Kubernetes manifest: |
| 32 | + |
| 33 | + $ $EDITOR deis-router-default-cert.yaml |
| 34 | + |
| 35 | +At this point, you'll want to create a new Kubernetes secret bearing the wildcard certificate. |
| 36 | +The following criteria must be met: |
| 37 | + |
| 38 | + - The name must be deis-router-default-cert |
| 39 | + - The certificate's public key must be supplied as the value of the `cert` key |
| 40 | + - The certificate's private key must be supplied as the value of the `key` key |
| 41 | + - Both the certificate and private key must be base64 encoded |
| 42 | + |
| 43 | +For example: |
| 44 | + |
| 45 | + $ cat deis-router-default-cert.yaml |
| 46 | + apiVersion: v1 |
| 47 | + kind: Secret |
| 48 | + metadata: |
| 49 | + name: deis-router-default-cert |
| 50 | + namespace: deis |
| 51 | + type: Opaque |
| 52 | + data: |
| 53 | + cert: LS0...tCg== |
| 54 | + key: LS0...LQo= |
| 55 | + |
| 56 | +If your certificate has intermediate certs that need to be presented as part of a certificate |
| 57 | +chain, append the intermediate certs to the bottom of the `cert` value before base64 encoding the |
| 58 | +cert chain. |
| 59 | + |
| 60 | +Once you've created the certificate manifest, you can then install the certificate with |
| 61 | +`kubectl create -f deis-router-default-cert.yaml`. The router will pick this up and update its |
| 62 | +configuration on-the-fly. |
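Review bot: the requirements list at lines 38-41 omits the namespace, even though the manifest at lines 49-50 relies on it (`name: deis-router-default-cert` / `namespace: deis`); a secret with the right name in another namespace will not be found by the router, so add "The secret must be created in the `deis` namespace" as a bullet. Line 39 also says "The certificate's public key must be supplied as the value of the `cert` key" when what goes there is the PEM certificate (which embeds the public key), so "The PEM-encoded certificate must be supplied..." would be accurate, and the intermediate-chain paragraph at lines 56-58 should state the order explicitly (leaf certificate first, then intermediates). Since line 61 has the reader hand-assemble base64 values and keep the private key in a YAML file on disk, consider also documenting `kubectl create secret generic deis-router-default-cert --namespace=deis --from-file=cert=tls.crt --from-file=key=tls.key`, which does the base64 encoding itself and avoids a copy-paste of the key into a manifest. Minor: line 13 "a SSL certificate" should read "an SSL certificate", and the load-balancer section (lines 14-15) would benefit from one sentence noting that with termination at the balancer, traffic from the balancer to the routers is plaintext HTTP and relies on the cloud network for protection.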