I'm working with a Kubernetes cluster that's exposed through an internal load balancer with a private IP. I've deployed a Gateway application (like NGINX or Spring Cloud Gateway) to help route traffic to the cluster, which is currently running on HTTP. I'm considering switching to HTTPS using a self-signed certificate. My main questions are: 1) Should I just enable HTTPS on the Gateway (the front end) or should I also implement it between the Gateway and my cluster (the back end)? 2) Given that my load balancer's IP is private, will I need to create a fictitious DNS pointing to that IP to make my HTTPS certificate work, or is that unnecessary?
4 Answers
I’d recommend enabling HTTPS on the Gateway. For proper management of certificates, consider buying a domain and setting up Cert Manager. This solution can auto-renew your certificates, making things easier for you.
Definitely look into using DNS that’s mapped to your internal setup. You can set up Cert Manager with a DNS challenge which is super effective for internal IPs.
It’s a good practice to use HTTPS on the Gateway, especially if you’re exposing services publicly. If your internal network is secure, you might not need that level of encryption internally, but it doesn’t hurt. You can skip the fictitious DNS as long as you handle the certificate directly on the Gateway.
Encryption within your cluster is important if you're dealing with sensitive data. Using mTLS with a service mesh is a solid approach rather than manually handling HTTPS everywhere. Just keep in mind that a certificate requires a domain, so you'll need some form of DNS.
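On the second question (private IP, no DNS), one practical detail the answers don't show: a certificate's Subject Alternative Name can list the load balancer's private IP alongside an internal hostname, so the gateway's cert validates whether a client connects by name or by IP. This is an added example, not code from any of the answers above; the hostname gateway.internal.example and the IP 10.0.0.5 are constructed placeholders, and it assumes the openssl CLI (1.1.1 or newer) is installed.

```shell
#!/bin/sh
# Added example: private CA plus a gateway certificate whose SAN carries a
# constructed internal hostname and a constructed private IP.
set -e

# make_gateway_cert DIR HOST IP: writes ca.crt/ca.key and gw.crt/gw.key into DIR.
make_gateway_cert() {
  dir="$1"; host="$2"; ip="$3"
  mkdir -p "$dir"
  # Private CA that clients (and backends, if you later add TLS there) trust.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" \
    -subj "/CN=Internal Gateway CA" >/dev/null 2>&1
  # Leaf key and CSR for the gateway itself.
  openssl req -newkey rsa:2048 -nodes \
    -keyout "$dir/gw.key" -out "$dir/gw.csr" \
    -subj "/CN=$host" >/dev/null 2>&1
  # SAN extension: the internal DNS name and the load balancer's private IP.
  printf 'subjectAltName=DNS:%s,IP:%s\nextendedKeyUsage=serverAuth\n' \
    "$host" "$ip" > "$dir/san.ext"
  openssl x509 -req -in "$dir/gw.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 365 -extfile "$dir/san.ext" \
    -out "$dir/gw.crt" >/dev/null 2>&1
}

# verify_gateway_cert DIR TARGET: prints "ok" if gw.crt chains to the CA and
# is valid for TARGET (a hostname or an IP address), otherwise "fail".
verify_gateway_cert() {
  dir="$1"; target="$2"
  case "$target" in
    *[!0-9.]*) flag=-verify_hostname ;;   # anything non-numeric: check DNS SAN
    *)         flag=-verify_ip ;;         # dotted digits only: check IP SAN
  esac
  if openssl verify -CAfile "$dir/ca.crt" $flag "$target" "$dir/gw.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}
```

Clients trust ca.crt (not the leaf), so the gateway cert can be rotated without touching every client trust store.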