How do I use Search Domains with Kubernetes

10/10/2018

I have an application deployment at foo.example.com running on Kubernetes (GKE). The ingress definition looks like this:

spec:
  tls:
  - hosts:
    - "foo.example.com"          # the only name the certificate is served for
    secretName: foo-example-com  # Secret holding tls.crt / tls.key for that name
  rules:
  - host: "foo.example.com"      # only requests with this Host header hit the backend
    http:
      paths:
      - path: /*
        backend:
          serviceName: web
          servicePort: 80

When I navigate to http://foo.example.com/ I get (correctly) redirected to https://foo.example.com/ with the proper certificate in place.

However, I have example.com in my Search Domains. So a ping foo correctly resolves to the Kubernetes ingress.

But when I go to https://foo/ in my browser, I get the following error message in Chrome:

Your connection is not private
Attackers might be trying to steal your information from foo (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID
Subject: Kubernetes Ingress Controller Fake Certificate
Issuer: Kubernetes Ingress Controller Fake Certificate
Expires on: Oct 1, 2019
Current date: Oct 9, 2018

How would you get this working?

Obviously, I can't get a certificate for foo without some self-signing hackery, which I'd rather not attempt.

-- Michael
kubernetes
ssl
tls1.2

2 Answers

10/11/2018

So the way I solved this was to add a redirect ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: redirect-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    # No ACME certificate is requested for the bare name "foo"; this Ingress only
    # exists to answer plain-HTTP requests for it with a redirect.
    kubernetes.io/tls-acme: "false"
    # configuration-snippet injects raw nginx directives into the server block
    # generated for this Ingress (on ingress-nginx 0.9 and later the annotation
    # prefix is nginx.ingress.kubernetes.io/). $host is the request's Host header
    # without the port; $request_uri keeps the original path and query string.
    ingress.kubernetes.io/configuration-snippet: |
      if ($host ~ ^foo$) {
        return 301 https://foo.example.com$request_uri;
      }
spec:
  rules:
  - host: "foo"
    http:
      paths:
      - backend:
          serviceName: web
          servicePort: 80

I'm not sure if it's optimal, but it did work.

-- Michael
Source: StackOverflow

10/10/2018

This will work the same even outside of Kubernetes. First of all, each web browser (including Chrome) has a list of Certificate Authorities out of the box:

[screenshot: Chrome's list of trusted Certificate Authorities]

and so on.

Your CA certs (in your Secret) are self-signed by your own Certificate Authority, which is not trusted by Chrome; that's why you see the error. You probably can import your CA into Chrome, and your Chrome instance will trust it, but... as you know, a TLS (SSL) certificate is usually issued for a particular domain or a wildcard (CN), so foo likely won't match the wildcard expression of your certificate and you will see another SSL error: NET::ERR_CERT_COMMON_NAME_INVALID. So, you will have to use a rewrite rule to make it work.

-- Konstantin Vustin
Source: StackOverflow
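Both answers, and the question's error screen, come down to three separate checks that a single-label name like foo fails or passes at different layers: the resolver's search list (which is why `ping foo` works), the ingress controller's choice of certificate for the SNI name it received (the "Fake Certificate" in the question), and the browser's hostname match against the certificate's names (the NET::ERR_CERT_COMMON_NAME_INVALID case in the second answer). The model below is an added example, not code from the question, either answer or the ingress-nginx project; the Cert objects, the ZONE, the search domain list and the trusted-CA set are constructed for illustration, and the issuer names are placeholders. It also shows the limit of the 301 approach in the first answer: the redirect rule only ever runs for plain http://foo/, because for https://foo/ the certificate check fails inside the TLS handshake before nginx sees a Host header.

```python
"""Added example: a model of what the browser sees when it requests https://foo/
versus https://foo.example.com/ through an nginx-style ingress controller.
All certificates, zones and CA names below are constructed for illustration."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    names: tuple  # DNS names the certificate is valid for (SAN / CN)


# The default certificate an ingress-nginx controller presents when no
# spec.tls.hosts entry matches the SNI name it received.
FAKE_CERT = Cert("Kubernetes Ingress Controller Fake Certificate",
                 "Kubernetes Ingress Controller Fake Certificate", ("ingress.local",))


def resolve(name, search_domains, zone):
    """Stub resolver. A name without a dot is first tried with each search
    domain appended, which is why 'ping foo' reaches foo.example.com."""
    if "." in name:
        candidates = [name]
    else:
        candidates = [f"{name}.{d}" for d in search_domains] + [name]
    for fqdn in candidates:
        if fqdn in zone:
            return fqdn, zone[fqdn]
    return None


def hostname_matches(pattern, hostname):
    """RFC 6125 style match: case-insensitive, exact or a single '*' label in
    the left-most position only. '*.example.com' matches 'foo.example.com'
    but neither 'foo' nor 'a.b.example.com'."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def select_certificate(tls_hosts, sni):
    """tls_hosts maps each spec.tls.hosts entry to its certificate; the
    controller serves the first one matching the SNI, else the fake default."""
    for host, cert in tls_hosts.items():
        if hostname_matches(host, sni):
            return cert
    return FAKE_CERT


def browse(url, tls_hosts, redirects=None, trusted_cas=frozenset({"Public CA"})):
    """Browser-visible outcome of fetching url. redirects maps an nginx $host
    regex to a target host, like the configuration-snippet in the first answer."""
    parts = urlsplit(url)
    host = parts.hostname
    request_uri = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
    if parts.scheme == "https":
        cert = select_certificate(tls_hosts, host)
        # Certificate validation happens inside the TLS handshake, before nginx
        # has seen the Host header, so no rewrite rule can fix a failure here.
        if cert.issuer not in trusted_cas:
            return f"NET::ERR_CERT_AUTHORITY_INVALID ({cert.subject})"
        if not any(hostname_matches(n, host) for n in cert.names):
            return "NET::ERR_CERT_COMMON_NAME_INVALID"
    for host_re, target in (redirects or {}).items():
        if re.search(host_re, host):  # nginx: if ($host ~ ^foo$) { return 301 ...; }
            return f"301 https://{target}{request_uri}"
    return "200 OK"


# Constructed sample data mirroring the question's setup.
ZONE = {"foo.example.com": "203.0.113.10"}
SEARCH_DOMAINS = ["example.com"]
REAL_CERT = Cert("foo.example.com", "Public CA", ("foo.example.com",))
TLS_HOSTS = {"foo.example.com": REAL_CERT}
REDIRECTS = {r"^foo$": "foo.example.com"}

if __name__ == "__main__":
    print(resolve("foo", SEARCH_DOMAINS, ZONE))
    print(browse("https://foo.example.com/", TLS_HOSTS))
    print(browse("https://foo/", TLS_HOSTS))
    print(browse("http://foo/a?b=1", TLS_HOSTS, REDIRECTS))
    print(browse("https://foo/", TLS_HOSTS, REDIRECTS))  # redirect never runs
    wildcard = Cert("*.example.com", "Corp CA", ("*.example.com",))
    print(browse("https://foo/", {"foo": wildcard}, trusted_cas={"Corp CA"}))
```

The last call models the second answer's scenario: even with an internal CA imported into the browser and a wildcard certificate served for the bare name, `*.example.com` cannot match the single label `foo`, so the browser still refuses the connection. The only fix that survives the TLS handshake is to make the browser use the name the certificate was issued for, which is what the redirect in the first answer does for plain-HTTP requests.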