Home Explore Blog CI



kubernetes

1st chunk of `content/en/blog/_posts/2015-07-00-Strong-Simple-Ssl-For-Kubernetes.md`
f1a80332e831517720888a2f37bd3f36cf1506e25df248490000000100000a69
---
title: " Strong, Simple SSL for Kubernetes Services "
date: 2015-07-14
slug: strong-simple-ssl-for-kubernetes
url: /blog/2015/07/Strong-Simple-Ssl-For-Kubernetes
author: >
   Evan Brown (Google)
---
Hi, I’m Evan Brown [(@evandbrown](http://twitter.com/evandbrown)) and I work on the solutions architecture team for Google Cloud Platform. I recently wrote an [article](https://cloud.google.com/solutions/automated-build-images-with-jenkins-kubernetes) and [tutorial](https://github.com/GoogleCloudPlatform/kube-jenkins-imager) about using Jenkins on Kubernetes to automate the Docker and GCE image build process. Today I’m going to discuss how I used Kubernetes services and secrets to add SSL to the Jenkins web UI. After reading this, you’ll be able to add SSL termination (and HTTP-\>HTTPS redirects + basic auth) to your public HTTP Kubernetes services.

### In the beginning

In the spirit of minimum viability, the first version of Jenkins-on-Kubernetes I built was very basic but functional:  

- The Jenkins leader was just a single container in one pod, but it was managed by a replication controller, so if it failed it would automatically respawn.
- The Jenkins leader exposes two ports - TCP 8080 for the web UI and TCP 50000 for build agents to register - and those ports are made available as a Kubernetes service with a public load balancer.



Here’s a visual of that first version:

[![](https://1.bp.blogspot.com/-ccmpTmulrng/VaVxOs7gysI/AAAAAAAAAU8/bCEzgGGm-pE/s400/0.png)](https://1.bp.blogspot.com/-ccmpTmulrng/VaVxOs7gysI/AAAAAAAAAU8/bCEzgGGm-pE/s1600/0.png)






This works, but I have a few problems with it. First, authentication isn’t configured in a default Jenkins installation. The leader is sitting on the public Internet, accessible to anyone, until you connect and configure authentication. And since there’s no encryption, configuring authentication is kind of a symbolic gesture. We need SSL, and we need it now!

### Do what you know

For a few milliseconds I considered trying to get SSL working directly on Jenkins. I’d never done it before, and I caught myself wondering if it would be as straightforward as working with SSL on [Nginx](http://nginx.org/), something I do have experience with. I’m all for learning new things, but this seemed like a great place to not invent a new wheel: SSL on Nginx is straightforward and well documented (as are its reverse-proxy capabilities), and Kubernetes is all about building functionality by orchestrating and composing containers. Let’s use Nginx, and add a few bonus features that Nginx makes simple: HTTP-\>HTTPS redirection, and basic access authentication.

Title: Adding SSL to Kubernetes Services
Summary
The author discusses how to add SSL termination, HTTP to HTTPS redirects, and basic authentication to public HTTP Kubernetes services using Kubernetes services and secrets. The initial Jenkins-on-Kubernetes setup lacked authentication and encryption, prompting the need for SSL. The author opted to use Nginx for SSL termination due to its simplicity and well-documented reverse-proxy capabilities, rather than configuring SSL directly on Jenkins.