Kubernetes - HTTPS Communicating between services - kubernetes

I have a few services running in multiple namespaces.
My deployment is as follows:
Ingress -> Service(ClusterIP) -> Pods
My application is running as HTTPS due to some restrictions, and the ingress is also running as HTTPS. I have different certificates in both places.
I am trying to find the different ways of communicating between services.
If both services are running in the same namespace:
1. Using the ingress URL - this should be used for connecting from outside the cluster, but it can still be used within the cluster as well.
   https://<INGRESS_NAME>.<NAMESPACE>.ing.lb.<CLUSTER_NAME>.XYZ.com/
2. Using the service URL
   https://<SVC_NAME>.<NAMESPACE>.svc.int.<CLUSTER_NAME>.XYZ.com/
3. Using just the svc name
   https://SVC_NAME:PORT
4. Using the svc name and namespace name
   https://SVC_NAME.NAMESPACE:PORT
Is there any other way of connecting?
Also, my application is running as HTTPS and the Ingress is also HTTPS.
When I connect using https://<SVC_NAME>:<PORT>, I get the cert error:
Caused by: javax.net.ssl.SSLPeerUnverifiedException: Host name
'<SERVICE_NAME>' does not match the certificate subject provided by
the peer.
Do I need to include all these names (like URL 2, URL 3, URL 4) in the cert?

Related

Using CloudFlare's CustomHostname with k8s ingress to enable CustomDomain

We have a custom domain feature, which allows our clients to use our services with their custom DNS records.
For example, our client ACME has a CNAME to ssl.company.com like so: login.acme.com -> ssl.company.com. Right now we are using a k8s cluster to serve such traffic. For each custom domain, we create an ingress, an external service, and a certificate using the LetsEncrypt cert-manager.
We started using Cloudflare WAF, and they provide a CustomHostname feature which allows us to do the same as our CD cluster but without changing the host header. So
for the example above we get
host: login.acme.com -> login.acme.com
SNI: login.acme.com -> ssl.company.com
The issue is, of course, how to map a generic k8s ingress to allow such traffic.
When we did the POC we used this method and it worked, but now it has stopped. We have also tried a default backend and an unhosted ingress path.
We are using the nginx-ingress controller but are migrating to another API gateway like Kong.
Any help will be appreciated.

Forwarding All Traffic from Global External IP to a Domain on GCP

I have an Autopilot GKE cluster set up. There is an Ingress which is an entry point to the app deployed in the cluster. I managed to configure SSL and HTTP -> HTTPS redirection with ease.
I also configured Cloud DNS that resolves my domain name to the cluster's IP (global static IP, let's name it global-front-app-ip).
This works without any problems. I'm able to access the app with the domain I own. My setup is very similar to the one described in this article.
What I'm trying to achieve now is to redirect all the clients that try to access the app with LB IP global-front-app-ip to the domain name (http://global-front-app-ip -> http://my-domain.com).
I played with LB forwarding rules and Cloud Armor but I haven't found a working solution.

Host name does not match the certificate subject in deployment

Facing an issue with the below error in a Kubernetes deployment for the HTTPS certificate:
Error : Host name does not match the certificate subject provided by the peer (CN=customer.endpoint.com)
My application is running with a network IP address and port number. The network IP is dynamic for the pods. So how do we alias customer.endpoint.com to avoid the above issue?
To access your application, first you have to create a service for it. Read more here: kubernetes-services.
Then you have to create a TLS certificate for a Kubernetes service accessed through DNS.
Please take a look at tls-certificates. In this documentation you will find how to properly set up certificates.
The flow will be like:
1. Create a service to expose your app - for example ClusterIP.
Remember that choosing this value makes the Service only reachable from within the cluster. This is the default ServiceType.
2. Download and install CFSSL - source: pkg-cfssl.
3. Create a Certificate Signing Request
4. Create a Certificate Signing Request object to send to the Kubernetes API
5. Get the Certificate Signing Request Approved
6. Download the Certificate and use it
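As an added example (not code from the question or from any answer on this page), the Python below lists the in-cluster DNS names a ClusterIP service answers to, emits them as the hosts field of a cfssl CSR for step 3 of the answer above, and mimics the client-side hostname check behind the SSLPeerUnverifiedException in the first question. The service name, namespace and cluster domain are constructed assumptions; the questioner's cluster uses a custom domain of the form int.<CLUSTER_NAME>.XYZ.com instead of cluster.local.

```python
import json
from typing import Iterable, List

# Assumption: the kubeadm default cluster domain. Replace with your own
# (for the first question it would be int.<CLUSTER_NAME>.XYZ.com).
CLUSTER_DOMAIN = "cluster.local"


def service_dns_names(svc: str, namespace: str,
                      cluster_domain: str = CLUSTER_DOMAIN) -> List[str]:
    """Every name an in-cluster client may put in the URL for a ClusterIP
    service; each one must be a SAN entry in the service's serving cert."""
    return [
        svc,                                        # https://SVC_NAME:PORT
        f"{svc}.{namespace}",                       # https://SVC_NAME.NAMESPACE:PORT
        f"{svc}.{namespace}.svc",
        f"{svc}.{namespace}.svc.{cluster_domain}",  # fully qualified form
    ]


def cfssl_csr(cn: str, hosts: Iterable[str]) -> str:
    """CSR JSON in the shape `cfssl genkey` reads; the names in `hosts`
    become the subjectAltName entries of the resulting certificate."""
    return json.dumps({"hosts": list(hosts), "CN": cn,
                       "key": {"algo": "ecdsa", "size": 256}}, indent=2)


def hostname_matches(hostname: str, sans: Iterable[str]) -> bool:
    """RFC 6125-style check like the one that raised 'Host name ... does not
    match the certificate subject': case-insensitive exact match, or a '*'
    that is the whole leftmost label with at least two labels after it."""
    host = hostname.lower().rstrip(".").split(".")
    for san in sans:
        pat = san.lower().rstrip(".").split(".")
        if len(pat) != len(host):
            continue
        if pat == host:
            return True
        if pat[0] == "*" and len(pat) >= 3 and pat[1:] == host[1:]:
            return True
    return False


if __name__ == "__main__":
    names = service_dns_names("orders", "shop")   # constructed sample service
    print(cfssl_csr(names[-1], names))
    # A cert carrying only the FQDN fails for the short name used in the question.
    print(hostname_matches("orders", [names[-1]]), hostname_matches("orders", names))
```

Run it once and paste the printed JSON into the cfssl step; the two booleans show why the short service name fails against an FQDN-only certificate and passes once all four names are SANs.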

HTTPS requests for GKE Ingress ERR_TIMEDOUT

I have a microservice architecture (implemented in Spring Boot) deployed in Google Kubernetes Engine. For this microservice architecture I have setup the following:
domain: comanddev.tk (free domain from Freenom)
a certificate for this domain
the following Ingress config:
The problem is that when I invoke a URL that I know should be working, https://comanddev.tk/customer-service/actuator/health, the response I get is ERR_TIMEDOUT. I checked the Ingress Controller and I don't receive any request in the ingress, although URL forwarding is set.
Update: I tried to set a "glue record" like in the following picture, and the response I get is that the certificate is not valid (I have a certificate for comanddev.tk, not dev.comanddev.tk), and I get 401 after agreeing to access the insecure URL.
I've dug a bit into this.
As I mentioned, when you $ curl -IL http://comanddev.tk/customer-service/actuator/health you will receive the nginx ingress response.
As the domain intercepts the request and redirects to the destination server, I am not sure if there is a point in using TLS.
I would suggest using a nameserver instead of URL Forwarding; just use the IP of your Ingress. With this option you would redirect the request to your Ingress. When you are using URL Forwarding you are using Freenom's redirection, and I am not sure how it's handled on their side.

Hostname verification failed in OpenShift when integrating an external service using an External Domain Name

I want to call a REST service running outside OpenShift via a Service and an external domain name. This works perfectly with an http:// request. The mechanism is described in the documentation: https://docs.okd.io/latest/dev_guide/integrating_external_services.html#saas-define-service-using-fqdn
However, the external service is secured with https. In this case I get the following exception:
Host name 'external-test-service' does not match the certificate subject provided by the peer (CN=.xxx, O=xxx, L=xxx, ST=GR, C=CH); nested exception is javax.net.ssl.SSLPeerUnverifiedException: Host name 'external-test-service' does not match the certificate subject provided by the peer (CN=.xxx, O=xxx, L=xxx, ST=GR, C=CH)
The exception is clear to me because we use the Service name from OpenShift. This name does not correspond to the original host name in the certificate. So currently I see three possibilities to solve this issue:
Add the name of the OpenShift Service to the certificate
Deactivate hostname verification before calling the external REST service
Configure OpenShift (don't know if this is possible)
Has anybody solved this or a similar issue?
Currently I use OpenShift v3.9. We are running a simple Spring Boot application in a pod accessing REST services outside OpenShift.
Any hint will be appreciated.
Thank you
Markus
Ugly and might cost you extra $$
Defeats the purpose of TLS.
On Kubernetes 1.10 and earlier you can use ExternalName.
You can also use with OpenShift.
You can also use and Kubernetes Ingress with TLS. Also, documented for OpenShift
Hope it helps!