Using CloudFlare's CustomHostname with k8s ingress to enable CustomDomain - kubernetes

We have a custom domain feature, which allows our clients to use our services with their custom DNS records.
For example, our client ACME has a CNAME to ssl.company.com, like so: login.acme.com -> ssl.company.com. Right now we are using a k8s cluster to serve such traffic. For each custom domain, we create an ingress, an external service, and a certificate using the LetsEncrypt cert-manager.
We started using Cloudflare WAF, and they provide a CustomHostname feature which allows us to do the same as our CD cluster, but without changing the host header. So for the example above we get:
host: login.acme.com -> login.acme.com
SNI: login.acme.com -> ssl.company.com
The issue is of course how to map a generic k8s ingress to allow such traffic.
When we did the POC we used this method and it worked, but now it has stopped. We have also tried a default backend and an unhosted ingress path.
We are using the nginx-ingress controller but are migrating to another API gateway like Kong.
Any help would be appreciated.

Related

Query related to AWS EKS & cloudfront

We have our frontend application deployed on CloudFront, and the backend APIs are hosted on Kubernetes (EKS).
We have use cases where we call the backend APIs from CloudFront (front-end). We don't want to expose the backend API publicly, which is obvious.
So now the question is: how should we implement the above use case? Can someone please help us?
Thanks in advance.
You have multiple options to follow; however, it mostly depends on you.
Option 1:
Change the origin of the frontend service: instead of S3, use EKS as the origin with CloudFront.
This might require extra things to set up and manage, so it is not a good idea.
Option 2:
Set up the WAF with the Nginx ingress controller, or in the ingress that will be running inside EKS.
With the WAF you can specify the domain (origin) so that requests are accepted only from a specific domain.
Example: https://medium.com/cloutive/exposing-applications-at-aws-eks-and-integrating-with-other-aws-services-c9eaff0a3c0c
Option 3:
You can keep your EKS behind the API gateway and set up auth like basic auth, an API key, etc., and protect the API running in EKS that way.
https://waswani.medium.com/expose-services-in-eks-via-aws-api-gateway-8f249db372bd
https://aws.amazon.com/blogs/containers/integrate-amazon-api-gateway-with-amazon-eks/

Forwarding All Traffic from Global External IP to a Domain on GCP

I have an Autopilot GKE cluster set up. There is an Ingress which is the entry point to the app deployed in the cluster. I managed to configure SSL and HTTP -> HTTPS redirection with ease.
I also configured Cloud DNS, which resolves my domain name to the cluster's IP (a global static IP, let's name it global-front-app-ip).
This works without any problems. I'm able to access the app with the domain I own. My setup is very similar to the one described in this article.
What I'm trying to achieve now is to redirect all the clients that try to access the app with the LB IP global-front-app-ip to the domain name (http://global-front-app-ip -> http://my-domain.com).
I played with LB forwarding rules and Cloud Armor, but I haven't found a working solution.

Azure kubernetes - Istio certificate installation?

I am using Istio for the service mesh in Azure Kubernetes. I have configured private DNS to set up the FQDN. Currently the application is accessible over the http protocol (eg: http://myapp.contoso.com) and I would like it to be secured with the https protocol (eg: https://myapp.contoso.com).
I know I have to change the service port to 443 to support the https protocol; however, how/where do I install the SSL certificate for the application (eg: https://myapp.contoso.com)? Is there anything else to be done as well?
That will depend on where you want the SSL termination to happen. If you want that to happen inside the Azure Kubernetes network, then you can do SSL termination at the ingress layer.
Otherwise you can also do the termination at the Application Gateway layer of Azure (if you want to use this service from Azure, the redirection from http to https, basic firewall features and adding the pfx certificates at the listeners can be done there), although the ingress can also take care of these things.
You can install the Let's Encrypt certificates by using this helm chart, and for further steps you can follow this Stack Overflow link; it shall help you in creating configurations for Istio. People have used this solution for Istio as well before.
I found the answer here Securing Your Istio Ingress Gateway with HTTPS
There is istio documentation about that.

Kubernetes resolving backend IP

My backend and frontend are deployed on Google Kubernetes Engine (GKE). Let's consider these steps:
User opens up a browser and points it to yyy.yyy.yyy:8080.
Browser loads the login page.
User enters username/password and presses the "login" button.
Browser (ReactJS App) sends a request to the REST backend xxx.xxx.xxx:7070 to do the validation.
Now my question is, how can we inject the backend IP (in this case xxx.xxx.xxx) into the frontend pod? Because this IP is not static (I don't want to make it static) and will be provided by GKE. I don't want to proxy my backend call through the frontend either. Nor do I want to use nginx, the reason being one more POD and config to maintain. I just don't want to have nginx for only this reason.
Should I create an ingress? I mean something like:
`/` <-- serves ReactJS app
`/api` <--- serves REST api
Or is there a way to inject the IP of the backend POD?
What is the best approach?
Thanks in advance.
You can't access the pods directly from the outside. The only way in is through a service of type LoadBalancer. The external IP you get for such a service is static on GKE (AWS gives a DNS name instead).
For every service of type LoadBalancer the cloud provider will spin up a load balancer that you have to pay for. You can funnel all http traffic through a single ingress service that would fan out your requests based on host DNS or URI path and other options, which is what pretty much everyone does. If you want to set up something like that, google for ingress.

Kubernetes - HTTPS Communicating between services

I have a few services running in multiple namespaces.
My deployment is as follows.
Ingress -> Service(ClusterIP) -> Pods
My application is running as HTTPS due to some restrictions, and the ingress is also running as HTTPS. I have different certificates in both places.
I am trying to find the different ways of communicating between services.
If both the services are running in the same namespace:
Using the ingress URL - This should be used for connecting from outside the cluster, but it can still be used within the cluster as well.
https://<INGRESS_NAME>.<NAMESPACE>.ing.lb.<CLUSTER_NAME>.XYZ.com/
Using the service URL
https://<SVC_NAME>.<NAMESPACE>.svc.int.<CLUSTER_NAME>.XYZ.com/
Using just the svc name
https://SVC_NAME:PORT
Using the svc name and namespace name
https://SVC_NAME.NAMESPACE:PORT
Is there any other way of connecting?
Also, my application is running as HTTPS and the Ingress is also with HTTPS.
When I connect using https://<SVC_NAME>:<PORT>, I get the cert error:
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name '<SERVICE_NAME>' does not match the certificate subject provided by the peer.
Do I need to include all these names (like URL 2, URL 3, URL 4) in the cert?
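The error in the question above is a hostname-verification failure: a TLS client checks the host it dialled (here the bare service name) against the DNS entries in the server certificate's Subject Alternative Name list, and a certificate issued for the ingress hostname contains none of the in-cluster names. The script below is an added example, not code from the question or its answers; it reproduces the usual DNS-ID matching rules clients apply (RFC 6125 section 6.4.3, wildcard only as the whole left-most label) and lists the SAN entries a service certificate would need for each way of addressing a service inside a cluster. The service name `myapi`, namespace `payments` and cluster DNS suffix `cluster.local` are constructed placeholders, and the URL forms mirror the ones listed in the question.

```python
"""Check which in-cluster URLs a certificate's DNS SANs would cover.

Added example; the service, namespace and cluster-domain values used at
the bottom are constructed placeholders, not values from the question.
"""
from urllib.parse import urlsplit


def dns_id_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN entry against a requested hostname.

    Rules implemented (the common client behaviour): case-insensitive
    comparison, a wildcard is honoured only as the entire left-most
    label, it matches exactly one label, and it never matches a
    single-label name such as a bare Kubernetes service name.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole left-most label, at least two labels
    # must follow it, and it covers exactly one label of the hostname.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_from_url(url: str) -> str:
    """Return the host part of a URL, i.e. what the TLS client verifies."""
    return urlsplit(url).hostname or ""


def san_coverage(sans, urls):
    """Map each URL to whether any SAN in the certificate covers its host."""
    return {
        url: any(dns_id_matches(san, hostname_from_url(url)) for san in sans)
        for url in urls
    }


def in_cluster_names(svc: str, ns: str, cluster_domain: str):
    """All DNS names clients inside the cluster may use for a service.

    cluster_domain is the cluster's DNS suffix ("cluster.local" is the
    kubeadm default; the question's cluster uses a custom one).  Each of
    these names must appear as a DNS SAN for https://<name> to verify.
    """
    return [
        svc,                                   # https://SVC_NAME:PORT
        f"{svc}.{ns}",                         # https://SVC_NAME.NAMESPACE:PORT
        f"{svc}.{ns}.svc",                     # search-domain short form
        f"{svc}.{ns}.svc.{cluster_domain}",    # fully qualified service URL
    ]


if __name__ == "__main__":
    # Constructed values for the demonstration.
    svc, ns, domain = "myapi", "payments", "cluster.local"
    urls = [
        "https://myapi:8443/",
        "https://myapi.payments:8443/",
        "https://myapi.payments.svc.cluster.local/",
    ]
    # A certificate issued only for the ingress hostname covers none of them.
    ingress_only_cert = ["myapi.ing.lb.example.test"]
    print("ingress-only cert:", san_coverage(ingress_only_cert, urls))
    # A certificate carrying every in-cluster name covers all of them.
    service_cert = in_cluster_names(svc, ns, domain)
    print("service cert SANs:", service_cert)
    print("service cert     :", san_coverage(service_cert, urls))
```

Running it shows the ingress-only certificate failing for every in-cluster URL and the certificate built from `in_cluster_names` passing for all of them. A wildcard such as `*.payments.svc.cluster.local` covers the fully qualified form for every service in that namespace, but it still cannot cover `myapi` or `myapi.payments`, so clients that use the short names need either those exact SANs or the fully qualified name in the URL.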