Kubeflow SSL Config

Kubeflow 사용 시 SSL 설정을 하지 않으면 Http Post 요청 시 아래와 같은 에러 발생함
[403] Could not find CSRF cookie XSRF-TOKEN in the request.

🙆‍♂️ 하나하나 예외처리하기도 번거롭고 실제 운영 환경에 적합하지 않으므로 반드시 SSL 설정 하는 것을 권장함

SSL 인증서 생성

# snap Install
dnf -y install bind-utils
dnf -y install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
dnf -y upgrade --exclude=kubelet,kubeadm,kubectl
yum -y install snapd
systemctl enable --now snapd.socket
ln -s /var/lib/snapd/snap /snap
 
# 인증서 발급을 위한 certbot 설치
snap install certbot --classic
# 아래 에러 발생 시 한번 더 실행
## error: too early for operation, device not yet seeded or device model not acknowledged
sleep 10;
snap install certbot --classic


# 인증서 발급 하고자 하는 도메인의 DNS Query
nslookup kubeflow.wooyoung85.net
dig A kubeflow.wooyoung85.net
 
# bash shell 새로고침
exec bash

# SSL 인증서 생성
## 제가 보유한 wooyoung85.net 도메인을 활용한 예시
$> certbot certonly --manual --preferred-challenges dns -d kubeflow.wooyoung85.net
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Enter email address or hit Enter to skip.
 (Enter 'c' to cancel): wy.seo@***.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please read the Terms of Service at:
https://letsencrypt.org/documents/LE-SA-v1.5-February-24-2025.pdf
You must agree in order to register with the ACME server. Do you agree?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for kubeflow.wooyoung85.net

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Please deploy a DNS TXT record under the name:

_acme-challenge.kubeflow.wooyoung85.net.

with the following value:

GHs9sw9AYJsjvvRc1jC3Cm0sRVMT7YotZlmLFY8V0vs

Before continuing, verify the TXT record has been deployed. Depending on the DNS
provider, this may take some time, from a few seconds to multiple minutes. You can
check if it has finished deploying with aid of online tools, such as the Google
Admin Toolbox: https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.kubeflow.wooyoung85.net.
Look for one or more bolded line(s) below the line ';ANSWER'. It should show the
value(s) you've just added.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Press Enter to Continue

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/kubeflow.wooyoung85.net/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/kubeflow.wooyoung85.net/privkey.pem
This certificate expires on 2025-06-12.
These files will be updated when the certificate renews.

NEXT STEPS:
- This certificate will not be renewed automatically. Autorenewal of --manual certificates requires the use of an authentication hook script (--manual-auth-hook) but one was not provided. To renew this certificate, repeat this same certbot command before the certificate's expiry date.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

• letsencrypt 를 통해 생성한 DNS TXT record AWS Route 53 에 배포

Please deploy a DNS TXT record under the name:
_acme-challenge.kubeflow.wooyoung85.net.

with the following value:
GHs9sw9AYJsjvvRc1jC3Cm0sRVMT7YotZlmLFY8V0vs

• 아래 링크에서 DNS TXT Record 가 잘 배포되었는지 확인
  https://toolbox.googleapps.com/apps/dig/#TXT/_acme-challenge.kubeflow.wooyoung85.net

Kubernetes Ingress 에 인증서 적용

ll /etc/letsencrypt/live/kubeflow.wooyoung85.net/

kubectl create secret tls kubeflow-tls-secret \
--key /etc/letsencrypt/live/kubeflow.wooyoung85.net/privkey.pem \
--cert /etc/letsencrypt/live/kubeflow.wooyoung85.net/fullchain.pem \
-n istio-system

kubectl get secret -n istio-system

# Ingress 설정 
cat <<EOF | tee ~/kf-ingress.yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kf-ingress
  namespace: istio-system
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /  # 요청 경로를 리다이렉트
    nginx.ingress.kubernetes.io/proxy-body-size: "1000m"
spec:
  tls:
  - hosts:
    - kubeflow.wooyoung85.net
    secretName: kubeflow-tls-secret
  ingressClassName: "nginx"  # NGINX Ingress Controller 사용
  rules:
  - host: kubeflow.wooyoung85.net
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            name: istio-ingressgateway
            port:
              number: 80
EOF
kubectl apply -f ~/kf-ingress.yaml

HAProxy SSL SSL Passthrough 설정

Ingress 에 SSL 인증서 설정되어 있기 때문에 LB 역할을 하는 HAProxy 는 SSL 인증서 처리를 따로 하지 않고 통과시킴

tee /etc/haproxy/haproxy.cfg <<- HAPROXY_CONFIG
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
    log         /dev/log    local0   debug
    chroot      /var/lib/haproxy
    pidfile     /var/run/haproxy.pid
    maxconn     4000
    user        haproxy
    group       haproxy
    daemon
 
#---------------------------------------------------------------------
# Default settings
#---------------------------------------------------------------------
defaults
    mode                    tcp                                    # 인스턴스가 처리할 프로토콜
    log                     global
    option                  tcplog                                 # TCP 로그 포맷 사용
    option                  dontlognull                            # null connection(health check용 connection)에 대한 로깅 활성화
    timeout connect         10s
    timeout client          30s                                    # client와의 연결 최대 유지 시간
    timeout server          30s                                    # server와의 연결 최대 유지 시간
 
#---------------------------------------------------------------------
# Frontend configuration for HTTP
#---------------------------------------------------------------------
frontend http_front
    bind *:80
    default_backend http_back
 
#---------------------------------------------------------------------
# Frontend configuration for HTTPS (SSL passthrough)
#---------------------------------------------------------------------
frontend https_front
    bind *:443
    mode tcp
    default_backend https_back

#---------------------------------------------------------------------
# Backend configuration for HTTP
#---------------------------------------------------------------------
backend http_back
    balance roundrobin
    server web1 127.0.0.1:31001 check

#---------------------------------------------------------------------
# Backend configuration for HTTPS (SSL passthrough)
#---------------------------------------------------------------------
backend https_back
    balance roundrobin
    server web1 127.0.0.1:31002 check  # HTTPS 서버
HAPROXY_CONFIG
 
systemctl restart haproxy
systemctl status haproxy --no-pager