WEBVTT

00:00.810 --> 00:03.510
Last thing we have to do to set up HTTPS traffic

00:03.510 --> 00:07.830
with our cluster is to reconfigure our NGINX Ingress.

00:07.830 --> 00:09.300
Inside my code editor,

00:09.300 --> 00:12.540
I'm gonna find the Ingress service config file.

00:12.540 --> 00:14.550
So we're gonna make a couple changes to this file

00:14.550 --> 00:16.890
just to tell it, "Yep, here's how things are working out.

00:16.890 --> 00:20.670
You are now serving up HTTPS traffic."

00:20.670 --> 00:22.080
The first change that we're going to make

00:22.080 --> 00:25.860
is going to be to update the annotation section.

00:25.860 --> 00:28.230
Underneath the existing two annotations,

00:28.230 --> 00:29.640
we're going to add on a rule

00:29.640 --> 00:34.640
of certmanager.k8s.io/cluster-issuer is letsencrypt prod.

00:41.580 --> 00:43.380
So this little piece of configuration right here

00:43.380 --> 00:45.780
is just going to inform our Ingress service

00:45.780 --> 00:47.190
that we are going to be making use

00:47.190 --> 00:49.260
of a Let's Encrypt certificate.

00:49.260 --> 00:50.580
And you know, I'm looking at this now,

00:50.580 --> 00:52.140
and I noticed I just made a small typo.

00:52.140 --> 00:55.230
It should be letsencrypt-prod like so.

00:55.230 --> 00:57.079
Okay, so again, this is gonna make a little change

00:57.079 --> 00:59.917
to the NGINX server and it's going to essentially tell it,

00:59.917 --> 01:02.198
"Hey, you should be expecting to get a certificate

01:02.198 --> 01:04.380
from this issuer,

01:04.380 --> 01:07.107
the issuer designated by letsencrypt-prod."

01:08.010 --> 01:09.360
The next thing that we're going to do

01:09.360 --> 01:11.730
is we're going to make sure that the NGINX server

01:11.730 --> 01:16.470
always forces users to make use of HTTPS traffic.

01:16.470 --> 01:18.750
So we do not want any users accidentally

01:18.750 --> 01:21.870
going to the HTTP version of our website,

01:21.870 --> 01:23.850
because that's not a secure connection.

01:23.850 --> 01:26.970
So to make sure that our users always get redirected over,

01:26.970 --> 01:29.700
we're going to add on another annotation here

01:29.700 --> 01:34.700
of nginx.ingress.kubernetes.io/ssl-

01:39.360 --> 01:42.060
redirect is going to be true.

01:42.060 --> 01:43.830
And remember true goes into a string,

01:43.830 --> 01:46.590
because the value true is interpreted differently

01:46.590 --> 01:48.033
inside of a YAML file.

01:49.050 --> 01:51.720
So like I said, this is going to reconfigure NGINX,

01:51.720 --> 01:53.760
and tell it to always make sure that if someone

01:53.760 --> 01:55.470
is trying to access our service,

01:55.470 --> 01:58.653
they must be using an HTTPS connection.

01:59.760 --> 02:00.930
So now the next thing we're going to do

02:00.930 --> 02:03.420
is to update our spec section down here,

02:03.420 --> 02:07.470
and tell NGINX that it should be serving up HTTPS traffic,

02:07.470 --> 02:10.800
and also tell it where it can get our certificate from.

02:10.800 --> 02:14.670
So to set up the initial HTTPS side of things,

02:14.670 --> 02:18.033
under spec I'm going to add on a TLS section.

02:19.380 --> 02:22.680
I'll then put down a dash and I'll say hosts.

02:22.680 --> 02:25.230
And then another dash 'cause this is going to be a list

02:25.230 --> 02:27.483
of different hosts that users can connect on.

02:28.470 --> 02:32.853
And I'll put in W or say k8smulti.com,

02:33.690 --> 02:37.653
and www.k8smulti.com.

02:39.180 --> 02:41.970
And then on the same level as the host indentation,

02:41.970 --> 02:43.950
I'll put down a secret name.

02:43.950 --> 02:46.920
Notice how this does not have a dash in front of it.

02:46.920 --> 02:48.900
And then the name that we're going to put in here

02:48.900 --> 02:51.120
is the name of the secret that we had stored

02:51.120 --> 02:52.680
our certificate in.

02:52.680 --> 02:54.150
So to get that, I'm gonna go back over

02:54.150 --> 02:56.163
to my certificate.yml file.

02:57.090 --> 03:01.293
Here's the secret name that I used, k8s-multi.com.

03:02.130 --> 03:06.513
So back over here, I'll do k8s-multi.com, like so.

03:08.550 --> 03:10.680
Oh, it looks like I might have made a little typo there.

03:10.680 --> 03:13.050
So to correctly create the YAML array,

03:13.050 --> 03:15.780
looks like we wanted two indentations off of hosts.

03:15.780 --> 03:16.923
I apologize for that.

03:18.510 --> 03:20.400
All right, so again, this is going to tell NGINX

03:20.400 --> 03:22.740
that we want to serve up HTTPS traffic.

03:22.740 --> 03:24.180
We want it to be served up on

03:24.180 --> 03:26.100
these two different host names,

03:26.100 --> 03:28.230
and the certificate or the secret

03:28.230 --> 03:31.333
that holds the certificate to allow for HTTPS traffic

03:31.333 --> 03:36.003
is served or stored inside the secret of name k8smulti.com.

03:37.440 --> 03:39.390
Now the last thing we have to do is a little bit

03:39.390 --> 03:42.150
of a reconfiguration of our rules down here.

03:42.150 --> 03:43.140
And I'm gonna tell you right now

03:43.140 --> 03:44.850
that the little reconfiguration we're going

03:44.850 --> 03:47.460
to do is gonna be a little bit over the top.

03:47.460 --> 03:49.620
Unfortunately, this is stuff that is,

03:49.620 --> 03:50.970
just has to be done this way,

03:50.970 --> 03:53.430
because of the way that the NGINX Ingress

03:53.430 --> 03:54.390
is currently written.

03:54.390 --> 03:55.920
So hopefully at some point in the future,

03:55.920 --> 03:57.660
we don't have to do this little reformatting

03:57.660 --> 03:58.500
that you're gonna see,

03:58.500 --> 04:01.283
but at least for right now it's just what we have to do.

04:02.520 --> 04:04.110
Okay, so on the rules section,

04:04.110 --> 04:09.110
I'm gonna put a new line right above HTTP like so,

04:09.480 --> 04:14.460
and then I'll designate a host of k8s-multi.com.

04:14.460 --> 04:16.050
So this is essentially saying that

04:16.050 --> 04:18.721
if someone comes to k8smulti.com,

04:18.721 --> 04:20.790
here is the set of rules that we want

04:20.790 --> 04:23.040
to be applied to that request.

04:23.040 --> 04:24.492
Now, the part that's funky about this

04:24.492 --> 04:28.950
is that if a user comes to you at www.k8smulti.com,

04:28.950 --> 04:32.550
the entire rule set that we have right here,

04:32.550 --> 04:36.030
this does not apply to someone coming to WWW.

04:36.030 --> 04:39.090
WWW is recognized as a separate host

04:39.090 --> 04:40.770
from the host name that we listed right here

04:40.770 --> 04:42.570
of k8smulti.com.

04:42.570 --> 04:45.330
So essentially, if someone comes in on this address,

04:45.330 --> 04:48.300
great, we've got a set of rules to be applied to.

04:48.300 --> 04:50.610
However, if someone comes in on this address,

04:50.610 --> 04:53.520
the same exact rule sets do not apply.

04:53.520 --> 04:55.170
So the part about this that is funky

04:55.170 --> 04:56.370
is that we essentially have to take

04:56.370 --> 05:00.750
this entire block right here and copy-paste it down.

05:00.750 --> 05:02.760
We have to duplicate this entire block.

05:02.760 --> 05:03.930
And then on the second block,

05:03.930 --> 05:07.953
we're going to change the host to be www.k8s.

05:08.970 --> 05:12.074
So I'm going to do my copy and then I'll paste.

05:12.074 --> 05:14.400
So here's the second block right here.

05:14.400 --> 05:17.130
I've got block one, block two,

05:17.130 --> 05:19.890
and the only thing we need to change in block two

05:19.890 --> 05:23.130
is to add on the WWW like so.

05:23.130 --> 05:26.760
Again, this is a really unfortunate part of NGINX Ingress.

05:26.760 --> 05:28.860
You can look on the GitHub issues board,

05:28.860 --> 05:30.420
and see a couple threads around this issue,

05:30.420 --> 05:31.800
because right now, essentially,

05:31.800 --> 05:33.690
yeah, we've gotta list out the two separate hosts,

05:33.690 --> 05:36.090
and it's just a little bit...

05:36.090 --> 05:38.430
It doesn't feel very DRY, I guess is what I'm saying.

05:38.430 --> 05:39.263
Right?

05:39.263 --> 05:40.096
Don't repeat yourself.

05:40.096 --> 05:41.610
Well, we're definitely repeating the heck out

05:41.610 --> 05:42.510
of ourselves here.

05:43.740 --> 05:45.210
All right, so that's pretty much it.

05:45.210 --> 05:46.920
So let's now review what's going to happen.

05:46.920 --> 05:50.730
We made changes to the Ingress service config file.

05:50.730 --> 05:53.774
So when we deploy this thing or apply it to our cluster,

05:53.774 --> 05:56.220
the Ingress controller is going

05:56.220 --> 05:58.590
to see a change to our Ingress resource.

05:58.590 --> 06:02.010
It's then going to create a new NGINX config file

06:02.010 --> 06:03.660
out of everything we put inside of here,

06:03.660 --> 06:07.500
and then reload the NGINX pod with this new config

06:07.500 --> 06:11.190
that should start serving up HTTPS traffic.

06:11.190 --> 06:13.920
So last thing we have to do is save the file.

06:13.920 --> 06:15.570
I'll go back over to my terminal,

06:16.740 --> 06:18.840
I'll do a git add,

06:18.840 --> 06:23.730
I'll do a commit and I'll say updated Ingress,

06:23.730 --> 06:27.603
and then I'll push to origin master again.

06:28.500 --> 06:30.240
All right, that's pretty much it.

06:30.240 --> 06:31.800
So now, again, we're gonna sit around,

06:31.800 --> 06:33.300
and wait for a couple minutes.

06:33.300 --> 06:34.620
After this deploy goes in,

06:34.620 --> 06:38.250
we should then eventually be able to test out our browser

06:38.250 --> 06:41.580
going to HTTPS,

06:41.580 --> 06:42.480
your domain name,

06:42.480 --> 06:43.920
and we should see our page load

06:43.920 --> 06:46.350
without any error message like this right here.

06:46.350 --> 06:47.370
So let's take a quick pause,

06:47.370 --> 06:49.170
and we'll continue in just a minute.
