Add user guide for TLS ingress #6861
Conversation
| kubectl get ingress -n nessie-ns | ||
| ``` | ||
|
|
||
| Add an entry in the local hosts file (e.g. `/etc/hosts`) mapping that IP address to `nessie.local`, for example: |
There was a problem hiding this comment.
While this works, you could avoid fiddling with /etc/hosts by using one or both of the methods below:
- for curl only: use the
--resolveoption, e.g.
curl --resolve "nessie.local:443:$(minikube ip)" https://nessie.local/api/v2/config- for all tools and browsers: use a nip.io hostname, e.g.
nessie.$(minikube ip).nip.io: such a host name will resolve to whatever IPminikube ipindicates. E.g.
ping nessie.$(minikube ip).nip.io
PING nessie.192.168.49.2.nip.io (192.168.49.2): 56 data bytes
64 bytes from 192.168.49.2: icmp_seq=0 ttl=64 time=0.108 msThen you would use nessie.192.168.49.2.nip.io as the hostname for your certificates and ingress rules.
There was a problem hiding this comment.
Yeah, but the certificate must have the exact host name, which is not known until we start / configure ingress... I guess that would create a chicken and egg problem. Even if adding the TLS cert after startup works, it might be too complex for a guide... WDYT?
Also, the java client still depends on OS-level host name resolution (although I did not put and example for it).
| Use `curl` to verify that the server is accessible: | ||
|
|
||
| ```shell | ||
| $ curl https://nessie.local/api/v2/config |
There was a problem hiding this comment.
I finally got this to work on macOS, so I'm approving the PR, but it required many changes:
- First, ingress ports are not exposed on macOS, see docker: Ingress not exposed on MacOS kubernetes/minikube#7332 for background. So mac users must run the following command after installing the ingress:
minikube tunnelThis will detect the ingress rule and open ports for it:
✅ Tunnel successfully started
📌 NOTE: Please do not close this terminal as this process must stay alive for the tunnel to be accessible ...
❗ The service/ingress nessie requires privileged ports to be exposed: [80 443]
🔑 sudo permission will be asked for it.
🏃 Starting tunnel for service nessie.
Password:
- Once this is done, the service is accessible, but under 127.0.0.1, not
$(minikube ip). So you need to change all the commands above, e.g.
curl --resolve "nessie.local:443:127.0.0.1" https://nessie.local/api/v2/config
{
"defaultBranch" : "main",
"minSupportedApiVersion" : 1,
"maxSupportedApiVersion" : 2,
"actualApiVersion" : 2,
"specVersion" : "2.0.0",
"noAncestorHash" : "2e1cfa82b035c26cbbbdae632cea070514eb8b773f616aaeaf668e2f0be8f10d",
"repositoryCreationTimestamp" : "2023-05-26T10:28:53.462334804Z",
"oldestPossibleCommitTimestamp" : "2023-05-26T10:28:53.462334804Z"
}There was a problem hiding this comment.
@adutra : Could you update with Mac specifics after merging? I do not have a Mac to play with :)
Co-authored-by: Alexandre Dutra <adutra@users.noreply.github.com>
Co-authored-by: Alexandre Dutra <adutra@users.noreply.github.com>
No description provided.