I have a Java application I am trying to run in a Docker container. The application uses a keystore and truststore to securely communicate with a database (which will also be a container) and an external authentication service mechanism such as LDAP.
The plan is to use Kubernetes/Swarm/OpenShift to run and manage the containers. I plan on running multiple instances of the application and would also like to take advantage of how Kubernetes/Docker manages the communication between containers (i.e. I would prefer not to have to set hostnames/IPs on each container instance I run). I’ve seen documentation out there and it looks like I can use a certificate and create a Docker secret based off the certificate. I’ve also seen how to put the secret into place in the correct location in my container.
Question being – what do I put in the certificate used to create the Docker secret? What do I use for the CN? IPs?
When we generate certs we usually put the FQDN in as the CN and put the hostname and IP in under the SANs. I’m new to Docker and secrets and don’t know how this stuff works under the hood, but I would imagine that the Docker dynamically generated IP would not match the IP in my cert unless I specified what the container's hostname and IP was going to be, which I am trying to avoid. Is there a way to create a cert that will work for multiple instances of an application? Or am I going to be required to create a cert for each instance and define the hostname and IP address for each container instance to get certificates/secrets to work? Thanks in advance
Services in Kubernetes have internal DNS names like servicename.namespace.svc.cluster.local. You can address a service using its short name or FQDN. You can issue certificates for those DNS names and store them as secrets; you actually don't need to know service IPs.