Kubernetes custom CA and certificate between proxy service and deployment

8/12/2019

My Kubernetes cluster has 2 applications.

  • A deployment connecting to an external API through https:// - let's call it Fetcher
  • A proxy service which terminates the HTTPS request to inspect the headers for rate limiting - called Proxy

The deployment uses the mentioned proxy, picture the following architecture

Fetcher deployment <-- private network / Kubernetes --> Proxy <-- Internet --> external API

Before I moved to Kubernetes this was solved by creating a self-signed certificate and a certificate authority (CA) to trust, and placing them on the Fetcher and Proxy. The certificate simply contained the IP address of Docker as a SAN.

X509v3 Subject Alternative Name: 
DNS:example.com, DNS:www.example.com, DNS:mail.example.com, DNS:ftp.example.com, IP Address:192.168.99.100, IP Address:192.168.56.1, IP Address:192.168.2.75

However, I can't do this in Kubernetes, can I? Since the IP addresses of both the deployment and the service are not guaranteed, the IPs could change. I am using a Kubernetes CoreDNS solution; could I add the DNS addresses in the certificate? I don't know enough about SSL/certificates to understand.

How can I create a certificate and CA in Kubernetes to create a trust between the certificate sent by the proxy with a custom certificate authority on the fetcher?

-- Rien
Tags: certificate, kubernetes, proxy, ssl

1 Answer

8/12/2019

If you expose the proxy deployment via a service, then by default it will be assigned a ClusterIP which will be stable even as the IPs of the pods running the proxy may change over time. You will want to generate a cert with an IPSAN corresponding to the ClusterIP of the service, rather than any of the IPs of the pods. Check out the official docs regarding the "service" concept.

-- Amit Kumar Gupta
Source: StackOverflow