Cloudflare lets us hide our servers' IPs, cache our static assets and protect the servers from some attacks. To do that, they offer a proxy service for free.
For this article, I assume that we already have an ingress controller in our Kubernetes cluster. For instance, my microk8s cluster uses the default nginx controller, which can be installed with the command
FYI, microk8s is a lightweight Kubernetes distribution developed by Canonical. It’s powerful and easy to deploy. I deployed mine on a single Vultr VPS instance, for example.
First, sign up to Cloudflare; their website will guide you through the setup.
If you don’t have any records in your DNS zone yet, add an A record that points to your own server (mine points to my microk8s cluster).
Cloudflare will automatically provision a TLS certificate for connections between the end users and Cloudflare. But we still need to set up encryption between Cloudflare and our servers. It’s optional, but highly recommended. AND, it’s way easier to use this method than Let’s Encrypt with certbot on our Kubernetes cluster.
Follow this guide to create a new “Cloudflare origin CA certificate”.
If we follow the steps from the guide, we should get a certificate and a private key. Copy-paste them into two files, `origin-ca.crt` and `origin-ca.pk`; the private key file looks like this:

```
-----BEGIN PRIVATE KEY-----
(key material as issued by Cloudflare, omitted here)
-----END PRIVATE KEY-----
```
We’ll store this certificate and key in a TLS secret. Make sure you create the secret in the namespace that your ingress lives in.

```
kubectl create secret tls cloudflare-tls --key origin-ca.pk --cert origin-ca.crt
```

You should get the response `secret/cloudflare-tls created`.
Then, make sure you reference this secret with the correct secretName in the tls section of your ingress definition file.
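The steps above (check the files, create the secret, point the ingress at it) as one script. This is an added example and not part of the original post or of Cloudflare's tooling; it assumes the file names `origin-ca.crt` / `origin-ca.pk` and the secret name `cloudflare-tls` from the post, and assumes the microk8s nginx controller is registered as ingress class `public`. The service name, port and hostname passed to `render_ingress` are constructed sample values.

```shell
#!/bin/sh
# Origin CA certificate -> TLS secret -> Ingress, with two sanity checks first.
# Added example, not the post's own code. Requires openssl; kubectl only for "apply".

# Returns 0 when the certificate's public key matches the private key.
# Comparing exported public keys works for both RSA and EC origin keys.
check_origin_pair() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
  [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 when the certificate is still valid for at least $2 seconds.
# Cloudflare's "Full (strict)" mode rejects an expired origin certificate.
check_not_expired() {
  openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Prints an Ingress manifest whose tls section references the TLS secret.
# Arguments: name namespace host service port secretName
render_ingress() {
  cat <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: $1
  namespace: $2
spec:
  ingressClassName: public   # assumption: microk8s names its nginx class "public"
  tls:
  - hosts:
    - $3
    secretName: $6           # the secret created with "kubectl create secret tls"
  rules:
  - host: $3
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: $4
            port:
              number: $5
EOF
}

# Creates the secret in the namespace the ingress lives in (same command as the post).
create_secret() {
  kubectl -n "$1" create secret tls "$2" --key "$3" --cert "$4"
}

# Usage: ./origin-tls.sh apply <namespace> <host> <service> <port>
if [ "${1:-}" = "apply" ]; then
  ns=$2; host=$3; svc=$4; port=$5
  check_origin_pair origin-ca.crt origin-ca.pk || { echo "cert/key mismatch" >&2; exit 1; }
  check_not_expired origin-ca.crt 86400        || { echo "cert expired"      >&2; exit 1; }
  create_secret "$ns" cloudflare-tls origin-ca.pk origin-ca.crt
  render_ingress "$svc" "$ns" "$host" "$svc" "$port" cloudflare-tls | kubectl apply -f -
fi
```

The pair check catches the most common mistake when copy-pasting from the dashboard (cert from one issuance, key from another), which otherwise only shows up as a 526 error from Cloudflare once "Full (strict)" is enabled.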
Then, go to the SSL/TLS settings in the Cloudflare dashboard and make sure it’s configured to use the “Full (strict)” mode, so that Cloudflare validates our origin certificate instead of accepting any certificate. Note that the origin CA certificate is only trusted by Cloudflare, not by browsers, so it only works for traffic that goes through the Cloudflare proxy. Using this method, we’ll have a certificate that lasts 15 years between Cloudflare and our servers. In conclusion, it’s way easier than using certbot, and more secure! 😎