I've configured a NGINX Ingress to use SSL. This works fine, but I'm trying to use hostAliases to route all requests from one domain back to my cluster and its failing with the following error:
Error: unable to verify the first certificate
My alias:
hostAliases:
- ip: "MY.CLUSTER.IP"
hostnames:
- "my.domain.com"
Is there a way to use this aliasing and still get ssl working?
According to this host alias is just a record in /etc/hosts file, which overwrites "usual" DNS resolution. If I understand your issue correctly, in this case you just need to have valid TLS certificate for "my.domain.com" installed on MY.CLUSTER.IP
Hope it helps.
Related
I have just set up a kubernetes cluster on bare metal using kubeadm, Flannel and MetalLB. Next step for me is to install ArgoCD.
I installed the ArgoCD yaml from the "Getting Started" page and logged in.
When adding my Git repositories ArgoCD gives me very weird error messages:
The error message seems to suggest that ArgoCD for some reason is resolving github.com to my public IP address (I am not exposing SSH, therefore connection refused).
I can not find any reason why it would do this. When using https:// instead of SSH I get the same result, but on port 443.
I have put a dummy pod in the same namespace as ArgoCD and made some DNS queries. These queries resolved correctly.
What makes ArgoCD think that github.com resolves to my public IP address?
EDIT:
I have also checked for network policies in the argocd namespace and found no policy that was restricting egress.
I have had this working on clusters in the same network previously and have not changed my router firewall since then.
I solved my problem!
My /etc/resolv.conf had two lines that caused trouble:
domain <my domain>
search <my domain>
These lines were put there as a step in the installation of my host machine's OS that I did not realize would affect me in this way. After removing these lines, everything is now working perfectly.
Multiple people told me to check resolv.conf, but I didn't realize what these two lines did until now.
That looks like argoproj/argo-cd issue 1510, where the initial diagnostic was that the cluster is blocking outbound connections to GitHub. And it suggested to check the egress configuration.
Yet, the issue was resolved with an ingress rule configuration:
need to define in values.yaml.
argo-cd default provide subdomain but in our case it was /argocd
ingress:
enabled: true
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/backend-protocol: HTTP
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/rewrite-target: /
path: /argocd
hosts:
- www.example.com
and this I have defined under templates >> argocd-server-deployment.yaml
containers:
- name: argocd-server
image: {{ .Values.server.image.repository }}:{{ .Values.server.image.tag }}
imagePullPolicy: {{ .Values.server.image.pullPolicy }}
command:
- argocd-server
- --staticassets - /shared/app - --repo-server - argocd-repo-server:8081 - --insecure - --basehref - /argocd
The same case includes an instance very similar to yours:
In any case, do check your git configuration (git config -l) as seen in the ArgoCD cluster, to look for any insteadOf which would change automatically github.com into a local URL (as seen here)
Following
Installing nginx ingress in AKS cluster fails with SyncLoadBalancerFailed error
I tried to add TLS to the ingress. I followed
https://learn.microsoft.com/en-us/azure/aks/ingress-own-tls
Everything works as per the documentation, including the curl tests at the end.
My problem is that I expect to be able to browse the application at https://EXTERNAL_IP.
Instead I get
If I try http I get
Also note that if I remove from the Ingress the tls related entries
tls:
- hosts:
- demo.azure.com
secretName: aks-ingress-tls
rules:
- host: demo.azure.com
http access works fine
HTTPS wont work with https://EXTERNAL_IP. Certificates only work with domain names, in your case it would be https://demo.azure.com.
You also need to trust the certificate authority which created this Fake Certificate with your client or browser.
Here you can read about TLS/SSL Certificates.
In Kubernetes, to enable client-certificate authN, the annotation nginx.ingress.kubernetes.io/auth-tls-verify-client can be used in an ingress. Will client-cert authN work even if I don't do TLS termination in that ingress? For instance, in this ingress, will client-cert authN still work if I remove the tls block from the ingress?
tls:
- hosts:
- mydomain.com
secretName: tls-secret
(More info: I have two ingresses for the same host, one which has a TLS section, and another ingress which has rule for a specific api-path, and has a client-cert section but no TLS section).
Also, if the request is sent on http endpoint (not https) I observed that the client-cert is ignored even if the annotation value is set to on. Is this a documented behavior?
If you define two ingresses as described then a certificate will be required unless you specify auth-tls-verify-client as optional. See the documentation mentioned in the comments.
Also TLS is required if you want to do client certificate authentication. The client certificate is used during the TLS handshake which is why specifying client certificates for one ingress applies to all where the host is the same (eg www.example.com)
I'm using minio in Kubernetes and it works great. However, I can't seem to to change the domain and protocol for a pre-signed URL. Minio keeps giving me http://minio.test.svc:9000/delivery/ where as I want https://example.com/delivery. I've tried setting MINIO_DOMIN in the pod but it seems to have not effect; I think I'm misusing this var anyway.
It all depends on how you create your Minio client instance. Specifying host and port as below will make Minio resolve your domain to IP address and use IP rather than the domain. Sample JavaScript code:
import { Client as MinioClient } from 'minio';
const client = new MinioClient(
endPoint: 'yourdomain.com',
port: 9000,
accessKey: process.env.MINIO_ACCESS_KEY,
secretKey: process.env.MINIO_SECRET_KEY,
useSSL: false
);
If you create your minio instance like above, your domain will be resolved to it's corresponding IP address, and thus minio will work with http://x.x.x.x:9000 as opposed to https://yourdomain.com
Also to note, if your client is configured as above, trying to use useSSL: true will throw SSL error as below
write EPROTO 140331355002752:error:1408F10B:SSL routines:ssl3_get_record:wrong
version number:../deps/openssl/openssl/ssl/record/ssl3_record.c:332
For minio to use your domain as https://yourdomain.com, you need to have a web server like nginx to proxy your requests to your minio server. Minio has documented how you can achieve this here. Add SSL to your domain as documented here then proceed to create your minio client as below:
import { Client as MinioClient } from 'minio';
const client = new MinioClient(
endPoint: 'yourdomain.com',
port: 443,
accessKey: process.env.MINIO_ACCESS_KEY,
secretKey: process.env.MINIO_SECRET_KEY,
useSSL: true
);
Note the change in port and useSSL parameters.
Minio will now use https://yourdomain.com in all cases. Signed urls will also be https.
I bashed my head on this problem for a couple of days and managed to resolve it with NGINX in my Kubernetes cluster.
NGINX controller Kubernetes: need to change Host header within ingress
You use the ingress annotations to change the Host header of all incoming traffic to your Minio ingress so that it will always be the same Host name.
I'm trying to use cert-manager to issue a certificate via LetsEncrypt.
I've followed through with the steps here http://docs.cert-manager.io/en/latest/getting-started/index.html
However, my existing ingress is not being modified (I assume it needs to modify it due to adding a path for .well-known/....
Instead I see an ingress created for this with a name like: cm-acme-http-solver-kgpz6? Which is rather confusing?
If I get the yaml for that ingress I see the following for rules:
spec:
rules:
- host: example.com
http:
paths:
- backend:
serviceName: cm-acme-http-solver-2dd97
servicePort: 8089
path: /.well-known/acme-challenge/2T2D_XK1-zIJJ9_f2ANlwR-AcNTm3-WenOExNpmUytY
How exactly is this meant to work? As the documentation seems rather sparse.
The record you are seeing is for the challenge. It needs to succeed to configure the cert. If you are using "example.com" as the domain then it will not succeed. To get this to work you'll need to configure a DNS record for a valid hostname so that LetsEncrypt can resolve the domain and complete the check.
Usually you will not even see the challenge ingress resource. It usually runs the challenge and then removes itself as long as DNS and the hostname have been configured correctly. After it is removed the resource you created will get loaded into your ingress controller.
There are a few ingress controllers that do not support multiple ingress resources per hostname. They will load one ingress resource and ignore the other, so this is sort of a workaround/fix to the issue.