My Kubernetes cluster has 2 applications:

- one that makes `https://` requests - let's call it Fetcher
- one that intercepts the HTTPS request to inspect the headers for rate limiting - called Proxy
The deployment uses the mentioned proxy; picture the following architecture:

```
Fetcher deployment <-- private network / Kubernetes --> Proxy <-- Internet --> external API
```
Before I moved to Kubernetes this was solved by creating a self-signed certificate and a certificate authority (CA) to trust, and placing them on the Fetcher and the Proxy. The certificate simply contained the IP address of Docker as a SAN:

```
X509v3 Subject Alternative Name:
    DNS:example.com, DNS:www.example.com, DNS:mail.example.com, DNS:ftp.example.com, IP Address:192.168.99.100, IP Address:192.168.56.1, IP Address:192.168.2.75
```
However, I can't do this in Kubernetes, can I? Since the IP addresses of both the deployment and the service are not guaranteed, the IPs could change. I am using a Kubernetes CoreDNS solution; could I add the DNS addresses in the certificate? I don't know enough about SSL/certificates to understand.
How can I create a certificate and CA in Kubernetes to establish trust between the certificate sent by the Proxy and a custom certificate authority on the Fetcher?
If you expose the proxy deployment via a service, then by default it will be assigned a ClusterIP, which will be stable even as the IPs of the pods running the proxy may change over time. You will want to generate a cert with an IP SAN corresponding to the ClusterIP of the service, rather than any of the IPs of the pods. Check out the official docs regarding the "service" concept.
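As an added illustration of the answer above (example code, not from the question or answer), the following Go program issues a private CA and a Proxy server certificate whose SANs are the Service's ClusterIP and its cluster DNS name, then checks which addresses the Fetcher would accept when it trusts only that CA. The ClusterIP `10.96.12.34`, the pod IP `10.244.1.7` and the name `proxy.default.svc.cluster.local` are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)
// sign issues tmpl under parent with signKey and parses the result; parent == tmpl self-signs.
func sign(tmpl, parent *x509.Certificate, pub, signKey any) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
// IssueProxyCert builds a private CA and a Proxy cert whose SANs are the Service's stable
// ClusterIP and DNS name (assumed inputs for illustration; the real ones come from `kubectl get svc`).
func IssueProxyCert(clusterIP, dnsName string) (ca, leaf *x509.Certificate, err error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // the Proxy's own TLS key
	if err != nil || err2 != nil {
		return nil, nil, fmt.Errorf("key generation failed: %v %v", err, err2)
	}
	now := time.Now()
	caT := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "fetcher-internal-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if ca, err = sign(caT, caT, &caKey.PublicKey, caKey); err != nil {
		return nil, nil, err
	}
	leafT := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "proxy"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * 24 * time.Hour),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses: []net.IP{net.ParseIP(clusterIP)}, // IP SAN: the ClusterIP, never a pod IP
		DNSNames:    []string{dnsName}}                 // DNS SAN: <svc>.<ns>.svc.cluster.local
	leaf, err = sign(leafT, ca, &leafKey.PublicKey, caKey)
	return ca, leaf, err
}
// TrustedBy reports whether Fetcher, trusting only ca, accepts leaf when dialing addr (IP or DNS name).
func TrustedBy(ca, leaf *x509.Certificate, addr string) bool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: addr})
	return err == nil
}
```

Mount the CA certificate into the Fetcher and the leaf certificate plus key into the Proxy (for instance via a Secret); a pod IP that is not in the SAN list is rejected even though the chain is valid, which is why the ClusterIP and service name belong in the certificate.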