Encrypting traffic between Cloudflare and Kubernetes cluster
I have noticed that some Kubernetes admins and developers do not configure encrypted communication between Cloudflare and their Kubernetes cluster because they consider it unnecessary: the browser-to-Cloudflare hop is already HTTPS, so the Cloudflare-to-origin hop is left as plain HTTP. I would not take Cloudflare's proxy for granted; that second hop crosses the public Internet, and it is always better to secure as much as you can. So I have written this article to guide you through encrypting the communication between Cloudflare and your Kubernetes cluster, and to make it as simple as possible.
Objective
We start from the following setup (shown as a diagram in the original post), where traffic between Cloudflare and the cluster is unencrypted: the browser talks HTTPS to Cloudflare, but Cloudflare forwards plain HTTP to the cluster's load balancer.
We then implement the following setup, where traffic between Cloudflare and the cluster is encrypted: Cloudflare connects to the cluster over TLS, and Traefik terminates that TLS with a certificate issued by Cloudflare's Origin CA.
Steps to do it
Log in to your Cloudflare dashboard and select a domain; this domain will be the primary domain used for communication between Cloudflare and your cluster. Click the SSL/TLS icon, then select Origin Server and create a certificate. Choose the following parameters:
Once done, click Next; on the next page you will see the origin certificate and its private key. Save both under names of your choice; I chose site.cert for the certificate and site.key for the private key. Cloudflare does not keep the private key, so copy it now: once you leave this page it cannot be retrieved. Also note that this certificate is signed by Cloudflare's Origin CA, which only Cloudflare trusts; a browser that connects to the cluster's load balancer directly, bypassing Cloudflare, will see an untrusted certificate, which is expected.
Create a TLS secret on your cluster from the two files, in the same namespace as the Traefik resources that will reference it, using the following command.
kubectl create secret tls my-site-cert --key site.key --cert site.cert
Create a Traefik configuration that uses this certificate. The manifest uses the Traefik v2 custom resources, whose API group is:
apiVersion: traefik.containo.us/v1alpha1
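As an added example, not the manifest from the original post, here is a complete Traefik v2 configuration that serves the my-site-cert secret created above. A TLSStore named default makes the certificate Traefik's default for any SNI, and an IngressRoute routes the primary domain to a backend Service over the TLS entry point. The entry point name websecure, the Service name my-site-svc, the namespace default and the www hostname are assumptions; adjust them to your cluster.

```yaml
# Added example, not the original post's manifest. Assumptions: Traefik v2 with
# its CRDs installed, an entry point named "websecure" listening on 443, a
# backend Service "my-site-svc" on port 80 in namespace "default", and the
# TLS secret "my-site-cert" created in that same namespace.
---
# Traefik v2 only honours a TLSStore named "default". Its default certificate
# is served whenever no other certificate matches the SNI sent by the client;
# Cloudflare sends the visitor's hostname as SNI when it connects to the origin.
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
  name: default
  namespace: default
spec:
  defaultCertificate:
    secretName: my-site-cert
---
# Route the primary domain to the backend on the TLS entry point. Setting
# tls.secretName also adds the certificate to the store, so it is selected by
# SNI for these hosts even if the default certificate is later replaced.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: my-site
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`gokulakrishna.com`) || Host(`www.gokulakrishna.com`)
      kind: Rule
      services:
        - name: my-site-svc
          port: 80
  tls:
    secretName: my-site-cert
```

Apply it with kubectl apply -f and check the objects with kubectl get tlsstore,ingressroute -n default. Because the default store answers every SNI with this certificate, an additional domain CNAMEd to the load balancer needs no Traefik change under Cloudflare's Full mode, which does not validate the origin certificate. Under Full (strict) the certificate must be valid for the requested hostname, so that domain would need its own origin certificate issued from its own Cloudflare zone, stored as a second TLS secret and referenced through tls.secretName in a separate IngressRoute whose match rule is that domain's Host.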
Extending to other domain names
With this setup in place you can handle multiple domain names. Let's say you now have a site at sample.com: you add it as a CNAME record pointing at the endpoint you set up above.
Switch to the other domain in Cloudflare.
Add a CNAME record whose target is the record you set previously; in my case that is cluster-loadbalancer.gokulakrishna.com.
Make sure the encryption mode for that domain is Full as well. Full encrypts the hop to the origin but does not validate the origin certificate, so the certificate issued for gokulakrishna.com is accepted for sample.com too; this protects the hop against passive eavesdropping but not against an active attacker that presents its own certificate. Full (strict) additionally requires a certificate that is valid for the hostname and issued by a public CA or Cloudflare's Origin CA, and the origin certificate issued from the gokulakrishna.com zone does not cover sample.com, so strict mode for that domain needs a second origin certificate issued from the sample.com zone and served by Traefik for that host.
Note that if any hop is not encrypted the request fails rather than falling back: in Full mode Cloudflare always connects to the origin over TLS on port 443, and an origin that only answers plain HTTP there produces a Cloudflare 525 handshake error, while an origin certificate that fails validation under Full (strict) produces a 526 error.