How to setup HTTPS access to a local development cluster

Why HTTPS on a Local Dev Cluster

Since Google’s SameSite Cookie Changes Roll-out, you will find it is getting harder to test a local Web UI client with an API backend running in a local K8s dev cluster. Firstly, you need to set your cookie’s SameSite setting to “None” in order to enable cross-origin requests. However, a cookie with “SameSite=None” setting only will also be rejected by Google Chrome unless you set “Secure=true” to make the cookie only available through HTTPS connections. This makes HTTPS access a “must-have” when test your local cluster for the use case above.

Prerequisites

Install Cert Manager

To issue a self-signed certificate for your cluster, you need to install cert-manager first:

kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.7.3/cert-manager.crds.yaml
# If you haven't install jetstack helm chart repo yet
helm repo add jetstack https://charts.jetstack.io

# Create namespace for cert-manager
kubectl create namespace cert-manager

# install cert manager v1.7.3
helm upgrade --namespace cert-manager --version 1.7.3 --install cert-manager jetstack/cert-manager

Create Self-Signed Cert Issuer

Run the following command:

kubectl apply -f https://gist.githubusercontent.com/t83714/51440e2ed212991655959f45d8d037cc/raw/7b16949f95e2dd61e522e247749d77bc697fd63c/selfsigned-issuer.yaml

to create a ClusterIssuer with name selfsigned-issuer.

Setting Up Ingress for deployed MAGDA

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: local-ingress
  annotations:
    cert-manager.io/cluster-issuer: selfsigned-issuer
    # optional allow max file upload size 100M
    nginx.ingress.kubernetes.io/client-body-buffer-size: 100M
    nginx.ingress.kubernetes.io/proxy-body-size: 100M
spec:
  rules:
    - host: minikube.data.gov.au
      http:
        paths:
          - backend:
              service:
                name: gateway
                port:
                  number: 80
            path: /
            pathType: "Prefix"
  tls:
    - hosts:
        - minikube.data.gov.au
      secretName: magda-local-cert-tls

Run:

kubectl -n [my-namespace] apply -f ingress.yaml

to create the ingress in the your MAGDA deployment namespace.

Access your cluster via HTTPS

To make test domain minikube.data.gov.au accessible locally, you also need to add the following entry to file /etc/hosts (on windows, it is c:\Windows\System32\Drivers\etc\hosts):

# Here 192.168.64.1 is your minikube cluster IP.
# You can use command `minikube ip` to find it out.
192.168.64.1    minikube.data.gov.au

Please note: When you use minikube with docker driver (e.g. on an Apple M1 machine), you won’t be able to access the ingress exposed services via minikube IP. You need to run minikube tunnel to make the service avaiable via local ip 127.0.0.1 instead. You will also need to map minikube.data.gov.au to IP 127.0.0.1 instead in /etc/hosts.

Before access your test domain, you also need to make your local machine trust the self-signed certificate issued by local issuer.

Generally, you can: