To deploy an NGINX application on your AWS-based Kubernetes cluster with a TLS certificate using OpenSSL and expose it via a NodePort service, follow these steps:
- A running Kubernetes cluster on AWS.
kubectlconfigured to access your cluster.opensslinstalled on your system.
First, generate the TLS certificate and private key using OpenSSL.
-
Generate a private key:
openssl genrsa -out tls.key 2048
-
Generate a self-signed certificate (valid for 1 year):
openssl req -new -x509 -key tls.key -out tls.crt -days 365 -subj "/CN=nginx/O=nginx"
This will create a private key (tls.key) and a certificate (tls.crt).
Store the TLS certificate and key in a Kubernetes secret.
- Create the secret:
kubectl create secret tls nginx-tls-secret --cert=tls.crt --key=tls.key
This creates a secret named nginx-tls-secret which will be used by the NGINX deployment.
Now, create a Kubernetes deployment for the NGINX application.
-
Create a file named
nginx-deployment.yamlwith the following content:apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deployment spec: replicas: 1 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx:latest ports: - containerPort: 443 volumeMounts: - name: tls-certs mountPath: /etc/nginx/tls readOnly: true volumes: - name: tls-certs secret: secretName: nginx-tls-secret
This deployment mounts the TLS certificate from the secret as a volume inside the NGINX container, placing it at /etc/nginx/tls.
- Deploy the NGINX application:
kubectl apply -f nginx-deployment.yaml
You need to configure NGINX to use the TLS certificate.
-
Create a file named
nginx-config.yamlwith the following content:apiVersion: v1 kind: ConfigMap metadata: name: nginx-config data: default.conf: | server { listen 443 ssl; server_name _; ssl_certificate /etc/nginx/tls/tls.crt; ssl_certificate_key /etc/nginx/tls/tls.key; location / { root /usr/share/nginx/html; index index.html index.htm; } }
-
Create the ConfigMap:
kubectl apply -f nginx-config.yaml
To access the NGINX service externally, expose it using a NodePort.
-
Create a file named
nginx-service.yamlwith the following content:apiVersion: v1 kind: Service metadata: name: nginx-service spec: type: NodePort selector: app: nginx ports: - port: 443 targetPort: 443 protocol: TCP nodePort: 32000 # You can change this port as needed (between 30000-32767)
-
Deploy the NodePort service:
kubectl apply -f nginx-service.yaml
Now, mount the ConfigMap into the NGINX pod to use the custom TLS configuration.
-
Update the
nginx-deployment.yamlfile to include the ConfigMap as a volume:apiVersion: apps/v1 kind: Deployment metadata: name: nginx-deployment spec: replicas: 1 selector: matchLabels: app: nginx template: metadata: labels: app: nginx spec: containers: - name: nginx image: nginx:latest ports: - containerPort: 443 volumeMounts: - name: tls-certs mountPath: /etc/nginx/tls readOnly: true - name: nginx-config mountPath: /etc/nginx/conf.d volumes: - name: tls-certs secret: secretName: nginx-tls-secret - name: nginx-config configMap: name: nginx-config
-
Apply the updated deployment:
kubectl apply -f nginx-deployment.yaml
-
Get the external IP of one of the Kubernetes nodes:
kubectl get nodes -o wide
-
Access the NGINX service: In your browser or via
curl, access the NGINX service by using the node's external IP and theNodePort(e.g.,https://<NodeIP>:32000).Example:
curl -k https://<NodeIP>:32000
Note: The
-koption is to bypass the certificate verification since this is a self-signed certificate.
You can verify that the connection is using TLS by checking the details with curl:
curl -v -k https://<NodeIP>:32000To avoid the browser warnings, you can manually add the self-signed certificate as a trusted certificate on the machine you're using to access NGINX.
-
Export the Self-Signed Certificate: Ensure you have the
tls.crtfile that was generated by OpenSSL. -
Import the Certificate into the Browser: Here’s how you can add the certificate as trusted in common browsers:
-
Google Chrome (on Windows/Mac):
- Open Chrome and go to Settings → Privacy and Security → Security → Manage certificates.
- In the Authorities tab, click Import.
- Select your self-signed certificate (
tls.crt) and import it. - Restart your browser.
-
Firefox:
- Open Firefox and go to Settings → Privacy & Security.
- Scroll down to Certificates and click View Certificates.
- Under the Authorities tab, click Import.
- Select your
tls.crtfile and check the option Trust this CA to identify websites. - Click OK and restart Firefox.
-
Safari (on macOS):
- Open Keychain Access (search for it using Spotlight).
- Drag and drop your
tls.crtfile into the System or Login keychain. - Double-click the certificate, expand Trust, and set When using this certificate to Always Trust.
- Close the window and enter your password to confirm.
-
Microsoft Edge: Edge uses the same certificate store as Windows, so the steps are similar to Chrome. You can manage certificates via Internet Options in the Control Panel and add the self-signed certificate under Trusted Root Certification Authorities.
-
Once you’ve added the self-signed certificate, your browser will no longer show warnings when accessing the NGINX service over HTTPS.