How to easily enable SSL in pod-to-service calls in Kubernetes

7/29/2019

I need to be able to make requests from pod to service with SSL. What is the easiest way to do it?

In my setting I have configured CoreDNS to rewrite the destination of each request from domain.com to service.namespace.svc.cluster.local. This is done because of the limitations of the caller software I am running in Kubernetes, and I want these requests to be routed within Kubernetes.

-- Nordkraft
coredns
kubernetes
ssl

1 Answer

7/29/2019

As per comments my advice is to use an initContainer to generate a new self-signed certificate on the pod that contains the service, configure your service to use this new certificate and make sure the client app doesn't validate the authority of the certificate.

This is a yaml example you can adapt to your service:

apiVersion: apps/v1
kind: Deployment
metadata:
  creationTimestamp: null
  labels:
    app: alpine
  name: alpine
spec:
  replicas: 1
  selector:
    matchLabels:
      app: alpine
  strategy: {}
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: alpine
    spec:
      initContainers:
      # Runs to completion before the app container starts and writes the
      # key and certificate into the shared emptyDir volume.
      - name: ssl-init
        image: wolmi/tools:v1.0.0
        command:
        - sh
        - -c
        # The -subj value is single-quoted so the spaces in "My Inc" survive
        # the shell; nesting double quotes inside the double-quoted string
        # broke both the YAML and the shell parsing.
        - openssl req -nodes -x509 -newkey rsa:4096 -keyout /tmp/ssl/key.pem -out /tmp/ssl/cert.pem -days 365 -subj '/C=DE/ST=NRW/L=Berlin/O=My Inc/OU=DevOps/CN=www.example.com/emailAddress=dev@www.example.com'
        volumeMounts:
        - name: ssl-folder
          mountPath: /tmp/ssl
      containers:
      - image: alpine
        name: alpine
        resources: {}
        volumeMounts:
        - name: ssl-folder
          mountPath: /tmp/ssl
      volumes:
      - name: ssl-folder
        emptyDir: {}     

On that Deployment you create a volume with the emptyDir parameter to allow containers to mount it and be able to write inside; then the initContainer generates the key and certificate files inside that folder, and they are available to all containers in the pod.

-- wolmi
Source: StackOverflow
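The following script is an added example and is not part of the original answer or of the wolmi/tools image. It shows what the initContainer's `sh -c` one-liner above can be expanded into: `gen_cert` mints a self-signed certificate whose CN and DNS SAN are the in-cluster service name (so a client that later chooses to trust `cert.pem` can verify the name instead of having to disable validation), and `check_cert` is the pre-flight check the app container can run before binding its TLS listener. The function names, the `/tmp/ssl` directory and the service name `myservice.default.svc.cluster.local` are assumptions chosen for illustration; it requires an `openssl` binary with `-addext` support (1.1.1 or newer).

```shell
#!/bin/sh
# Added example (not from the original answer): self-signed cert generation
# for an initContainer, plus a sanity check for the main container.
set -eu

# gen_cert DIR DNSNAME [DAYS]
# Writes DIR/key.pem and DIR/cert.pem. DNSNAME (assumed to be the
# service.namespace.svc.cluster.local name) becomes both the CN and a DNS SAN,
# which is what modern TLS clients actually match against.
gen_cert() {
  dir=$1
  dns=$2
  days=${3:-365}
  mkdir -p "$dir"
  # The private key lands in a volume shared with every container in the pod,
  # so make it owner-readable only.
  umask 077
  # Each openssl argument is a separate shell word, so this embeds into a YAML
  # "command:" list without any nested quoting.
  openssl req -x509 -nodes -newkey rsa:2048 -sha256 \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" -days "$days" \
    -subj "/O=My Inc/CN=$dns" \
    -addext "subjectAltName=DNS:$dns" 2>/dev/null
}

# check_cert DIR DNSNAME
# Returns 0 only if both files exist, the certificate is not expired, it names
# DNSNAME in its SAN, and the private key matches the certificate. Run this in
# the app container before starting the TLS listener so a botched init step
# fails loudly instead of serving a mismatched or expired certificate.
check_cert() {
  dir=$1
  dns=$2
  [ -s "$dir/cert.pem" ] && [ -s "$dir/key.pem" ] || return 1
  openssl x509 -in "$dir/cert.pem" -noout -checkend 0 >/dev/null 2>&1 || return 1
  openssl x509 -in "$dir/cert.pem" -noout -text 2>/dev/null \
    | grep -q "DNS:$dns" || return 1
  # Compare the public key embedded in the cert with the one derived from key.pem.
  cert_pub=$(openssl x509 -in "$dir/cert.pem" -noout -pubkey 2>/dev/null)
  key_pub=$(openssl pkey -in "$dir/key.pem" -pubout 2>/dev/null)
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
  return 0
}

# Example run (assumed paths and service name); the Deployment above would
# call gen_cert from the initContainer and check_cert from the app container.
if [ "${1:-}" = "run" ]; then
  gen_cert /tmp/ssl myservice.default.svc.cluster.local 365
  check_cert /tmp/ssl myservice.default.svc.cluster.local && echo "cert ok"
fi
```

To use it from the manifest, put the script in a ConfigMap mounted into both containers and replace the `sh -c` one-liner with `command: ["sh", "/scripts/mkcert.sh", "/tmp/ssl", "myservice.default.svc.cluster.local"]` (assumed paths). Note that in the pod-to-service case the caller lives in a different pod, so the emptyDir never reaches it: the answer's approach relies on the client skipping certificate validation, which gives encryption in transit but no server authentication. If that matters, copy `cert.pem` into a Secret (or a ConfigMap) and mount it as the client's trusted CA, which is exactly why the example puts the service DNS name in the SAN.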