WEBVTT

00:00.189 --> 00:02.520
-: All right, my friends, if you are still here,

00:02.520 --> 00:03.930
it means that you want to figure out

00:03.930 --> 00:08.310
how to set up HTTPS support on your Kubernetes cluster.

00:08.310 --> 00:10.140
Now, the first thing I want to mention to you,

00:10.140 --> 00:12.000
and I wanna make sure this is really clear,

00:12.000 --> 00:13.860
is that in order to set this stuff up,

00:13.860 --> 00:16.290
you are going to have to purchase a domain name,

00:16.290 --> 00:17.790
which is about 10 US dollars,

00:17.790 --> 00:19.440
although sometimes you can find ones

00:19.440 --> 00:21.300
for a little bit cheaper than that.

00:21.300 --> 00:22.860
So this is a required step.

00:22.860 --> 00:24.780
You have to have a domain name,

00:24.780 --> 00:26.250
either one already purchased,

00:26.250 --> 00:29.610
or you have to buy one to use with your cluster.

00:29.610 --> 00:31.770
Now the second thing I wanna mention is that you and I

00:31.770 --> 00:34.800
are gonna go through the process of setting up HTTPS,

00:34.800 --> 00:36.180
but we're not gonna talk very much

00:36.180 --> 00:40.890
about TLS, or HTTPS, or certificates, or anything like that.

00:40.890 --> 00:43.170
There's a ton of resources out there online already

00:43.170 --> 00:47.340
for you to understand exactly what HTTPS is doing for us,

00:47.340 --> 00:50.703
and the benefit of applying it to any given web application.

00:51.690 --> 00:54.150
So with that in mind, let's talk about the overall process

00:54.150 --> 00:56.790
of how all this stuff is going to work.

00:56.790 --> 00:58.500
All right.

00:58.500 --> 01:00.150
So, we're gonna set up a little bit

01:00.150 --> 01:03.000
of interaction between our Kubernetes cluster

01:03.000 --> 01:06.780
and a certificate authority called Let's Encrypt.

01:06.780 --> 01:08.940
I suspect you've probably heard of Let's Encrypt.

01:08.940 --> 01:09.990
If you haven't before,

01:09.990 --> 01:11.820
essentially it's a service that allows us

01:11.820 --> 01:13.890
to get free certificates.

01:13.890 --> 01:16.350
All we have to do is set up a little bit of communication

01:16.350 --> 01:20.040
between our Kubernetes cluster and a Let's Encrypt service.

01:20.040 --> 01:21.480
So here's the sequence of actions

01:21.480 --> 01:23.670
that are going to be going on behind the scenes.

01:23.670 --> 01:27.000
You and I are not going to actually see these steps occur.

01:27.000 --> 01:29.280
We're gonna kind of peripherally see them occur,

01:29.280 --> 01:30.780
but essentially what we're going to be doing

01:30.780 --> 01:33.330
for setup is creating some infrastructure

01:33.330 --> 01:34.890
to allow these steps to happen.

01:34.890 --> 01:36.840
But again, you and I aren't going to very directly

01:36.840 --> 01:38.580
see these things occur.

01:38.580 --> 01:40.710
So the first thing that's gonna happen

01:40.710 --> 01:43.440
is our Kubernetes cluster is going to issue a request

01:43.440 --> 01:45.210
to Let's Encrypt, and it's gonna say,

01:45.210 --> 01:49.320
hey, I own a domain called multi K eights.com,

01:49.320 --> 01:52.560
and I need a certificate from you, Let's Encrypt,

01:52.560 --> 01:55.500
that says that I do in fact own that domain.

01:55.500 --> 01:57.570
And once we get that certificate, we can then use it

01:57.570 --> 02:01.110
to set up HTTPS that is going to be widely supported

02:01.110 --> 02:04.530
or recognized by any given browser such as Chrome,

02:04.530 --> 02:06.810
Internet Explorer, whatever it might be.

02:06.810 --> 02:09.870
In response, Let's Encrypt is going to immediately reply

02:09.870 --> 02:12.810
and say you own multi K eights.com?

02:12.810 --> 02:13.680
I don't believe that.

02:13.680 --> 02:15.720
I don't believe it for a second.

02:15.720 --> 02:16.553
But I'll tell you what,

02:16.553 --> 02:18.030
I'll give you the benefit of the doubt.

02:18.030 --> 02:21.680
If you, Kubernetes cluster, really do own the domain

02:21.680 --> 02:25.380
multi k eights.com, I'm going to make a request

02:25.380 --> 02:29.460
to multi k eights.com slash well known slash

02:29.460 --> 02:31.980
random string of numbers right here.

02:31.980 --> 02:35.670
If you really own that domain, then you will reply

02:35.670 --> 02:38.610
with some information that I expect to hear from you.

02:38.610 --> 02:40.050
So essentially what's going on right here

02:40.050 --> 02:41.758
is Let's Encrypt wants to make sure

02:41.758 --> 02:45.270
that you and I really truly own this domain.

02:45.270 --> 02:47.970
So it's going to tell us that it's going to make a request

02:47.970 --> 02:50.700
to some route like this right here.

02:50.700 --> 02:53.190
And if we truly own this domain,

02:53.190 --> 02:55.440
you and I are gonna set up a route handler

02:55.440 --> 02:56.820
that's going to reply

02:56.820 --> 03:00.870
on specifically this route right here with some information

03:00.870 --> 03:03.210
that is provided to us by Let's Encrypt.

03:03.210 --> 03:05.160
So that is something that is very challenging

03:05.160 --> 03:06.570
for us to fake.

03:06.570 --> 03:10.173
If we said that we own something like, you know, google.com,

03:12.060 --> 03:15.120
and Let's Encrypt replied in the same fashion and said,

03:15.120 --> 03:17.370
okay, well if you really own google.com,

03:17.370 --> 03:19.080
I'm gonna make a request to google.com

03:19.080 --> 03:21.360
slash this random route right here.

03:21.360 --> 03:23.490
Chances are you and I are not going to be able

03:23.490 --> 03:25.590
to manipulate Google's infrastructure

03:25.590 --> 03:27.720
to get the appropriate response to that route.

03:27.720 --> 03:29.490
So that's how this authentication process

03:29.490 --> 03:31.800
is essentially going to go down.

03:31.800 --> 03:35.070
Let's Encrypt is then going to make a request to that route.

03:35.070 --> 03:37.860
And then as long as our Kubernetes cluster responds

03:37.860 --> 03:40.350
with the appropriate data, Let's Encrypt is gonna say,

03:40.350 --> 03:41.340
oh, okay, you know what?

03:41.340 --> 03:43.170
I guess you do own this domain.

03:43.170 --> 03:44.340
So I'll tell you what.

03:44.340 --> 03:46.050
You check out, you own the domain,

03:46.050 --> 03:48.030
so I'm going to give you a certificate

03:48.030 --> 03:50.040
that's going to be good for 90 days.

03:50.040 --> 03:53.280
And after that period, or when that time is about to elapse,

03:53.280 --> 03:55.440
you're gonna have to go through the same process

03:55.440 --> 03:56.670
all over again.

03:56.670 --> 03:59.610
So in some number of days, you're going to have to come back

03:59.610 --> 04:01.650
to me and ask for another certificate

04:01.650 --> 04:05.793
and claim that you own the domain multi k eights.com.

04:06.630 --> 04:09.390
So as long as we set up some infrastructure to handle this,

04:09.390 --> 04:12.330
we'll get our certificate, and we'll be good to go.

04:12.330 --> 04:14.460
Now, to give you a little bit more behind the scenes here

04:14.460 --> 04:17.070
of what you and I actually have to do.

04:17.070 --> 04:19.590
You and I are not gonna set up any route handlers

04:19.590 --> 04:21.330
to facilitate this process.

04:21.330 --> 04:23.730
You and I are not going to be making any requests

04:23.730 --> 04:25.140
over to Let's Encrypt.

04:25.140 --> 04:28.260
We are not gonna do any of that stuff whatsoever.

04:28.260 --> 04:31.860
Instead, we're going to set up another little plugin

04:31.860 --> 04:32.910
through the use of Helm.

04:32.910 --> 04:34.908
Remember we installed Helm just a little bit ago.

04:34.908 --> 04:37.380
We're going to use Helm to install something

04:37.380 --> 04:40.110
into our cluster that's going to automatically

04:40.110 --> 04:42.180
facilitate this process for us.

04:42.180 --> 04:44.490
So we're going to install something into our cluster

04:44.490 --> 04:47.880
that's going to automatically reach out to Let's Encrypt.

04:47.880 --> 04:50.790
That's going to say that we own some particular domain,

04:50.790 --> 04:53.220
that's going to automatically set up a route handler

04:53.220 --> 04:54.720
to respond on this route.

04:54.720 --> 04:58.140
It's going to then automatically get a certificate

04:58.140 --> 04:59.220
back from Let's Encrypt.

04:59.220 --> 05:01.920
It's gonna save it into a secret and make it available

05:01.920 --> 05:03.240
to the rest of our application.

05:03.240 --> 05:06.570
And then after some amount of time elapses,

05:06.570 --> 05:08.580
and the add-on decides that it's time

05:08.580 --> 05:11.070
to renew their certificate, it's going to automatically go

05:11.070 --> 05:12.900
through this process again.

05:12.900 --> 05:15.630
So the challenge for you and me is not setting up,

05:15.630 --> 05:17.730
like this stuff right here.

05:17.730 --> 05:20.400
It's setting up the infrastructure to do this stuff

05:20.400 --> 05:21.660
for us automatically.

05:21.660 --> 05:22.650
That's the challenge.

05:22.650 --> 05:24.180
That's what we need to do.

05:24.180 --> 05:26.190
So with that in mind, let's take a quick pause right now.

05:26.190 --> 05:27.390
We're gonna come back in the next section,

05:27.390 --> 05:29.190
and we're gonna start going through this setup,

05:29.190 --> 05:32.610
starting first with purchasing a domain.

05:32.610 --> 05:35.110
So quick pause, and I'll see you in just a minute.
