I need to be able to make requests from pod to service with SSL. What is the easiest way to do it?
In my setting I have configured CoreDNS to rewrite the destination of each request from domain.com to service.namespace.svc.cluster.local. This is done because of the limitations of the caller software I am running in Kubernetes, and I want these requests to be routed within Kubernetes.
As per comments, my advice is to use an initContainer to generate a new self-signed certificate on the pod that contains the service, configure your service to use this new certificate and make sure the client app doesn't validate the authority of the certificate.
This is a yaml example you can adapt to your service:
apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: alpine
  name: alpine
spec:
  replicas: 1
  selector:
    matchLabels:
      app: alpine
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: alpine
    spec:
      initContainers:
      - name: ssl-init
        image: wolmi/tools:v1.0.0
        # The -subj value is single-quoted: nested double quotes would make this YAML string invalid.
        command: ["sh", "-c", "openssl req -nodes -x509 -newkey rsa:4096 -keyout /tmp/ssl/key.pem -out /tmp/ssl/cert.pem -days 365 -subj '/C=DE/ST=NRW/L=Berlin/O=My Inc/OU=DevOps/CN=www.example.com/emailAddress=dev@www.example.com'"]
        volumeMounts:
        - name: ssl-folder
          mountPath: /tmp/ssl
      containers:
      - image: alpine
        name: alpine
        resources: {}
        volumeMounts:
        # Same volume as the initContainer: key.pem and cert.pem are visible here.
        - name: ssl-folder
          mountPath: /tmp/ssl
      volumes:
      - name: ssl-folder
        emptyDir: {}
On that Deployment you create a volume with the emptyDir parameter to allow containers to mount it and be able to write inside; then the initContainer generates the key and certificate files inside that folder and they are available to all containers on the pod.
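The last step of the answer has the client skip certificate validation, which also means any endpoint presenting any certificate is accepted as the service. As an added example (not the answer's code), this Go program performs the same generation the initContainer does and shows the client-side alternative: pin the cert.pem shared over the emptyDir volume and verify the dialled name against it. It assumes the names from the question, domain.com and service.namespace.svc.cluster.local, are the names the client dials.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// NewSelfSignedCert mirrors the initContainer's openssl command (365-day self-signed
// cert, names[0] as CN like -subj) but also lists every name the client will dial in
// the SAN extension, so the certificate can be verified rather than ignored.
func NewSelfSignedCert(names []string) ([]byte, []byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: names[0]},
		DNSNames:     names, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(1, 0, 0),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv) // parent == template: self-signed
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for a key we just generated
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}), nil
}

// VerifyPinned is the client-side alternative to "don't validate the authority": trust
// only the cert.pem from the shared emptyDir volume and require it to cover host.
func VerifyPinned(certPEM []byte, host string) error {
	roots := x509.NewCertPool()
	if !roots.AppendCertsFromPEM(certPEM) {
		return errors.New("no usable PEM certificate in input")
	}
	block, _ := pem.Decode(certPEM) // cert.pem holds one block, already parsed above
	leaf, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}
```

Mount the same emptyDir into the client container and point its TLS trust store at /tmp/ssl/cert.pem; the rewritten service name must then appear in the SAN list for the handshake to succeed.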