K
Q

How do I use Search Domains with Kubernetes

10/10/2018

I have an application deployment at foo.example.com running on Kubernetes (GKE). The ingress definition looks like this:

 spec:
  tls:
  - hosts:
    - "foo.example.com"
    secretName: foo-example-com
  rules:
  - host: "foo.example.com"
    http:
      paths:
      - path: /*
        backend:
          serviceName: web
          servicePort: 80

When I navigate to http://foo.example.com/ I get (correctly) redirected to https://foo.example.com/ with the proper certificate in place.

However, I have example.com in my Search Domains. So a ping foo correctly resolves to the Kubernetes ingress.

But when I go to https://foo/ in my browser, I get the following error message in Chrome:

Your connection is not private
Attackers might be trying to steal your information from foo (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_AUTHORITY_INVALID
Subject: Kubernetes Ingress Controller Fake Certificate
Issuer: Kubernetes Ingress Controller Fake Certificate
Expires on: Oct 1, 2019
Current date: Oct 9, 2018

How would you get this working?

Obviously, I can't get a certificate for foo without some self-signing hackery, which I'd rather not attempt.

-- Michael
kubernetes
ssl
tls1.2

Similar Questions

Can't figure out how to change this yaml file on google cloud platform
How to update application code which is deployed to Kubernetes (EKS)?
Pulling from private registry fails - Unsupported docker v1 repository request
How can I use private helm repository with Spinnaker?

2 Answers

10/11/2018

So the way I solved this was to add a redirect ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: redirect-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    kubernetes.io/tls-acme: "false"
    ingress.kubernetes.io/configuration-snippet: |
      if ($host ~ ^foo$) {
        return 301 https://foo.example.com$request_uri;
      }
spec:
  rules:
  - host: "foo"
    http:
      paths:
      - backend:
          serviceName: web
          servicePort: 80

I'm not sure if it's optimal, but it did work.

-- Michael
Source: StackOverflow
10/10/2018

This will work the same even outside of the Kubernetes. First of all each web browser (including Chrome) has a list of Authorities out of the box: enter image description here

and so on.

Your CA certs (in your Secret) are self-signed by your own Certificate Authority , which is not trusted for Chrome, that's why you see the error. You probably can import your CA to Chrome, and your Chrome instance will trust it, but... as you know TLS (SSL) certificate usually issued for a particular domain or a wildcard (CN), so foo likely won't match the wildcard expression of your certificate and you will see another SSL error:NET::ERR_CERT_COMMON_NAME_INVALID. So, you will have to use rewrite rule to make it work.

-- Konstantin Vustin
Source: StackOverflow