K
Q

Setting the correct hostname in Kubernetes/Nginx for the client

8/3/2018

I'm using a dockerized microservice architecture running on Kubernetes with Nginx, and am encountering an issue with hostnames. How do you correctly add the hostname to Kubernetes (or perhaps Nginx too)?

The problem: When microservice A called admin tries to talk to microservice B called session, admin logs the following error and session is not reached:

{ Error [ERR_TLS_CERT_ALTNAME_INVALID]: Hostname/IP does not match certificate's 
altnames: Host: session. is not in the cert's altnames: DNS:*.example.com, example.com
at Object.checkServerIdentity (tls.js:225:17)
at TLSSocket.onConnectSecure (_tls_wrap.js:1051:27)
at TLSSocket.emit (events.js:160:13)
at TLSSocket._finishInit (_tls_wrap.js:638:8)
  reason: 'Host: session. is not in the cert\'s altnames: 
DNS:*.example.com, example.com',
  host: 'session',
  cert:
   { subject: { OU: 'Domain Control Validated', CN: 
'*.example.com' },
     issuer: ...

In response to this error, I tried to update the hostname in the kubernetes config yaml file unsuccessfully (based on this). See the added hostname below.

apiVersion: apps/v1
kind: Deployment
metadata:
  name: session
  namespace: demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: session
      component: demo
  template:
    metadata:
      labels:
        app: session
        component: demo
    spec:
      hostname: session.example.com . ----> added host name here
      imagePullSecrets:
        - name: docker-secret 
      containers:
      - name: session
       ...

However, when I try to apply this updated config file in Kubernetes, an error emerges that I cannot use a period. If I cannot use a period, and the hostname is *.example.com (i.e. session.example.com), where/how should the hostname be updated.

The Deployment "session" is invalid: spec.template.spec.hostname: 
Invalid value: "session.example.com": a DNS-1123 label must 
consist of lower case alphanumeric characters or '-', and must start and 
end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex 
used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?')

Meanwhile, the server name in the nginx config file is indeed updated with session.example.com.

upstream session {
  server 127.0.0.1:3000;
  keepalive 32;
}

server {
  listen 443 ssl http2 default_server;
  listen [::]:443 ssl http2 default_server;

  server_name "session.example.com";  ---> updated for hostname 

  ssl_certificate      /etc/ssl/nginx/certificate.pem;
  ssl_certificate_key  /etc/ssl/nginx/key.pem;

  location / {
      proxy_pass http://session/;
      proxy_http_version 1.1;
      proxy_set_header Connection "";
  }
}


server {
  listen 80 default_server;
  listen [::]:80 default_server;
  server_name "session.example.com";    ---> updated for hostname 

  return 301 https://$host$request_uri;
}

How do you suggest fixing this? My goal is for admin to successfully communicate with session.

-- tskittles
docker
kubernetes
microservices
nginx
ssl-certificate

Similar Questions

Structuring backend (REST API) into microservices with Kubernetes (or serverless)
Service not exposing in kubernetes
if an application needs several containers running on the same host, why not just make a single container with everything you need?
How to serve Kubernetes backend and Firebase hosting frontend from the same domain name?
How is a service connected to a pod? In yaml, what fields need to match between service and pod?
Custom naming convention for AKS resources
IBM-MQ kubernetes helm chart ImagePullBackOff
Q: Offline Kubernetes
Spring boot logback can not logging to file on kubernetes multiple pods

1 Answer

8/3/2018

You can use kubernetes own dns.

https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/

So you can access your pod using pod dns;

When enabled, pods are assigned a DNS A record in the form of

“pod-ip-address.my-namespace.pod.cluster.local”

With service you can use

my-svc.my-namespace.svc.cluster.local

-- Fahri
Source: StackOverflow