OKD: SSL configuration for the load balancers on Digital Ocean

Digital Ocean's Load Balancers provide two options for the SSL configuration:

  • SSL Certificate
  • Passthrough

I just want to make sure that SSL Certificate is the right choice considering that bootstrap’s certificate CN on 6443 is “system:kube-apiserver”.

Thanks!

I assume you’re talking about for OKD?

I just configured them all the same:


Programmatically I think it would be something like this (untested):

# https://www.digitalocean.com/community/tutorials/how-to-work-with-digitalocean-load-balancers-using-doctl
# TCP health check against the API server port; no HTTP path for a TCP check
check="protocol:tcp,port:6443,path:,check_interval_seconds:10,response_timeout_seconds:10,healthy_threshold:2,unhealthy_threshold:10"
# One TCP-in/TCP-out rule per OKD port, no certificate attached to the LB
rules=''
for port in 80 443 6443 22623; do
    rules+="entry_protocol:tcp,entry_port:${port},target_protocol:tcp,target_port:${port},certificate_id:,tls_passthrough:false "
done
doctl compute load-balancer create \
    --name okdtest --region nyc3   \
    --health-check "${check}"      \
    --forwarding-rules "${rules% }" # strip the trailing space

And then later after DNS is set up with the IP of the load balancer and you’ve created the droplets:

# join the droplet IDs with commas, without a trailing comma
droplets=$(doctl compute droplet list --no-header --format ID | paste -sd, -)
lbid=$(doctl compute load-balancer list --no-header --format ID)
doctl compute load-balancer add-droplets \
    "${lbid}" --droplet-ids "${droplets}"
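As an added example (not from the post above or from doctl's own tooling), a POSIX shell script that builds the same forwarding-rules string and then lints any rules string so that no rule would make the load balancer terminate TLS on the OKD ports, which is the failure the question is asking about: the cluster-issued certificates on 6443 and 22623 must reach the clients untouched. The port list and the lint function are constructed for this example; the rule syntax is the one doctl documents and the post uses.

```shell
#!/bin/sh
# Added example, not the original poster's code. Builds doctl forwarding rules
# for the OKD ports and checks that every rule passes TLS through unchanged.
set -eu

OKD_PORTS="80 443 6443 22623"   # constructed list, same ports as the post

# Emit one forwarding rule per port (tcp in, tcp out, no certificate),
# separated by single spaces and with no trailing space.
okd_forwarding_rules() {
    rules=""
    for port in $OKD_PORTS; do
        rules="${rules}entry_protocol:tcp,entry_port:${port},target_protocol:tcp,target_port:${port},certificate_id:,tls_passthrough:false "
    done
    printf '%s' "${rules% }"
}

# Return 0 when every space-separated rule in $1 keeps TLS end-to-end
# (tcp entry protocol, tcp target protocol, empty certificate_id), 1 when any
# rule would let the load balancer terminate TLS. Offending rules go to stderr,
# so this can gate the `doctl compute load-balancer create` call.
rules_pass_through_tls() {
    bad=0
    for rule in $1; do
        entry=""; target=""; cert=""
        for field in $(printf '%s' "$rule" | tr ',' ' '); do
            case "$field" in
                entry_protocol:*)  entry=${field#entry_protocol:} ;;
                target_protocol:*) target=${field#target_protocol:} ;;
                certificate_id:*)  cert=${field#certificate_id:} ;;
            esac
        done
        if [ "$entry" != "tcp" ] || [ "$target" != "tcp" ] || [ -n "$cert" ]; then
            echo "load balancer would terminate TLS: $rule" >&2
            bad=1
        fi
    done
    return $bad
}
```

Run `rules_pass_through_tls "$(okd_forwarding_rules)"` before creating the load balancer; a rule that uses `entry_protocol:https` or carries a `certificate_id` corresponds to the "SSL Certificate" option and is reported.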