I have started working on istio implementation and able to see some progress. Have got few doubts and I see myself missing something in the documentation....
Currently, I am using a gateway, virtual service, destination rules, authorization services for 2 deployments and I am able to see the graph with mTLS enabled in the kiali dashboard. and it's all working fine.
As I have to use now GoDaddy CA certs, gone through the documentation regarding "Plug in certificates and key into the cluster", looks like during the fresh installation of the istio it's picking custom CA certs but with below errors
2022-02-03T16:23:31.337162Z info initializing mesh networks from mesh config watcher
2022-02-03T16:23:31.337167Z info initializing mesh handlers
2022-02-03T16:23:31.337178Z info creating CA and initializing public key
2022-02-03T16:23:31.337214Z info Use local CA certificate
Error: failed to create discovery service: failed to create CA: failed to create an istiod CA: certificate is not authorized to sign other certificates
2022-02-03T16:23:31.338090Z error failed to create discovery service: failed to create CA: failed to create an istiod CA: certificate is not authorized to sign other certificates
I am a bit stuck in this and exploring for any other approaches if I have to look into anything if I am missing.
Can you please advise with some of the inputs regarding this.
If I am understanding you correctly you are talking about this page and trying to issue certs on behalf of GoDaddy. This will not work (unless you are the owner of GoDaddy..)
You most likely do not need this setup unless perhaps you are running two clusters.
If using AWS you would normally have an ALB connected to your Istio Gateway (NodePort) via HTTPS. Let Istio use self signed certs.
Related
I set up a k8s cluster on GKE.
I want to control it via the k8s REST API (so, looking at deployments on pods and whatnot, but not accessing what is actually running on the k8s cluster over SSL). I have gotten the appropriate bearer token (curl --insecure [request] works) and can make API requests. However, the SSL certificate isn't valid for my client (it's java, if that matters). I can't easily modify the client to accept the new root cert at this time.
I have been digging around and have examine the following three options:
incorporate the cluster's root CA cert into another cert chain (from my limited understanding of TLS, I'm not sure this is possible) that exists in my client already.
replace the cluster root CA cert (so that I can use something my client has in its keystore). This implies you can do this with vanilla k8s, but this implies that you cannot using GKE: "An internal Google service manages root keys for this CA, which are non-exportable."
allow k8s API access without TLS. I haven't seen anything about this in the docs, which are pretty explicit that k8s API access over the network must use TLS
Are any of these viable options? Or is my best choice to modify the client?
There is an article named "Access Clusters Using the Kubernetes API" (https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/) that addresses your concerns about how to query the REST API using a Java Client (https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#java-client)
If you are using the Java app inside a POD, you can import your cluster's CA to your Java Trust Store (https://docs.oracle.com/cd/E19509-01/820-3503/6nf1il6er/index.html). The CA certificate of for your cluster is inside all pods running within your cluster on /var/run/secrets/kubernetes.io/serviceaccount/ca.crt directory. More information in (https://kubernetes.io/docs/tasks/administer-cluster/access-cluster-api/#without-using-a-proxy)
Regarding your questions:
1.- Import the your cluster's CA cert to your trust store.
2.- You can't set your own CA in GKE, but you can rotate the CA certificate if needed (https://cloud.google.com/kubernetes-engine/docs/how-to/credential-rotation)
3.- You can't deactivate TLS communication in GKE (https://cloud.google.com/kubernetes-engine/docs/concepts/cluster-trust)
Your best option is to use the official Java Client or ADD the CA to your current development.
Based on some other feedback (in a slack), I ended up putting a proxy between my GKE cluster and my client. Then I can just add the GKE cluster k8s ca cert to the proxy's keystore (and don't have to modify the client). For my purposes, I didn't need to have the proxy use SSL, but for production I would.
I'm trying to apply SSL to my kubernetes clusters (production & staging environment), but for now only on staging. I successfully installed the cert-manager, and since I have a 5 subdomains, I want to use wildcards, so I want to configure it with dns01. The problem is, we us GoDaddy for DNS management, but it's currently not supported (I think) by cert-manager. There is an issue (https://github.com/jetstack/cert-manager/issues/1083) and also a PR to support this, but I was wondering if there is a workaround for this to use godaddy with cert-manager since there is not a lot of activity on this subject? I want to use ACME so I can use let's encrypt for certificates.
I'm fairly new to kubernetes, so if I missed something let me know.
Is it possible to use let's encrypt with other type of issuers than ACME? Is there any other way where I can use GoDaddy DNS & let's encrypt with kubernetes?
For now I don't have any Ingresses but only 2 services that are external faced. One frontend and one API gateway as LoadBalancer services.
Thanks in advance!
yes definitely you can use the cert-manager with k8s and let's encrypt will be also nice to manage the certificate.
ACME have different api URL to register domain. from there also you can get wildcard * SSl for doamin.
in simple term install cert manager and use ingress controller of nginx and you will be done with it. you have to add the TLS cert on define it on the ingress object.
You can refer this tutorial for setup of cert-manager and nginx ingress controller.
https://docs.cert-manager.io/en/venafi/tutorials/quick-start/index.html
If you are looking to connect publicly-trusted CAs to Kubernetes via cert-manager (such as GlobalSign, DigiCert, Entrust), you can use Venafi Cloud as an issuer with cert-manager to automate certificate renewals for Kubernetes.
Venafi Cloud connects to third-party CAs and is integrated with cert-manager. Venafi Cloud also has a built-in certification authority for privately trusted certificates for internal-facing infrastructure such as containers.
Here are the links that are relevant to get this this set up:
https://cert-manager.io/docs/configuration/venafi/#creating-a-venafi-cloud-issuer
https://www.venafi.com/venaficloud
The accepted solution does work -- a different issuer is one way to go. Though if you want to use the ACME issuer, you'll need to solve challenges. This can be done via either a HTTP01 solver or a DNS01 solver. If you choose to go with the DNS01 solver, you'll either need:
to move your DNS hosting from GoDaddy to one of the supported providers.
or you can try using this GoDaddy Webhook provider, which you may already be aware of. Though I can't guarantee that the project is in working status.
I have certain questions regarding importing the existing certificates.
How are certificates used internally in Kubernetes (e.g. between api server and workers, master controller, etc.)?
Is there a CA in Kubernetes? (how) does it generate certificates for internal use?
What certificates are required at each layer?
Certificates in Kubernetes are primarily used to secure communication from and to the API server. Taken from the official Kubernetes documentation:
Every Kubernetes cluster has a cluster root Certificate Authority
(CA). The CA is generally used by cluster components to validate the
API server’s certificate, by the API server to validate kubelet client
certificates, etc. To support this, the CA certificate bundle is
distributed to every node in the cluster and is distributed as a
secret attached to default service accounts. Optionally, your
workloads can use this CA to establish trust. Your application can
request a certificate signing using the certificates.k8s.io API using
a protocol that is similar to the ACME draft.
When creating a cluster with kubeadm, the tool at first creates a CA in /etc/kubernetes/pki and signs all following certificates with its private key. The ca is later distributed on all nodes for verification and also found base64 encoded in /etc/kubernetes/admin.conf for verification of the api server via kubectl.
It is possible to use your own CA for cluster creation by placing it and your private key as ca.crt and ca.key in /etc/kubernetes/pki before invoking kubeadm init or any folder later specified with --cert-dir.
There are many other ways to install Kubernetes but they all essentially create a CA before any actual Kubernetes code runs or require one to exist beforehand.
I am trying to build an HTTPs proxy server in front of another service in Kubernetes, using either an NginX proxy LoadBalancer server, or Ingress. Either way, I need a certificate and key so that my external requests get authenticated.
I'm looking at how to manage tls in a cluster, and I've noticed that the certificate used to connect to the container cluster is the same one as is mounted at /var/run/secrets/kubernetes.io/serviceaccount/ca.crt on a running pod.
So I'm thinking that my node cluster already has a registered certificate, all I need is the key, throw it into a secret and mount that into my proxy server. But I can't find how.
Is it this simple? How would I do that? Or do I need to create a new certificate, sign it etc etc? Would I then need to replace the current certificate?
If you want an external request to get into your K8s cluster then this is the job of an ingress controller, or configuring the service with a loadbalancer, if your cloud provider supports it.
The certificate discussed in your reference is really meant to be used for intra-cluster communications, as it says:
Every Kubernetes cluster has a cluster root Certificate Authority (CA). The CA is generally used by cluster components to validate the API server’s certificate, by the API server to validate kubelet client certificates, etc.
If you go for an ingress approach then here is the doc for tls. At the bottom a list of alternatives, such as the load balancer approach.
I guess you could use the internal certificate externally if you are able to get all your external clients to trust it. Personally I'd probably use kube-lego, which automates getting certificates from Let's Encrypt, since most browsers trust this CA now.
Hope this helps
Here's my setup
an IdentityServer 4 as a stateless reliable ASP.NET Core service.
a WebAPI as a reliable ASP.NET Core service.
using them with a JS client, it is now working with HTTP. The problem is with HTTPS. The WebAPI needs to request the openID config via htttps [is4URL].well-known/openid-configuration. I'm getting this error
System.InvalidOperationException: IDX10803: Unable to obtain
configuration from:
'https://localhost:9999/.well-known/openid-configuration'. --->
System.IO.IOException: IDX10804: Unable to retrieve document from:
'https://localhost:9999/.well-known/openid-configuration'. --->
System.Net.Http.HttpRequestException: An error occurred while sending
the request. ---> System.Net.WebException: The underlying connection
was closed: Could not establish trust relationship for the SSL/TLS
secure channel. --->
System.Security.Authentication.AuthenticationException: The remote
certificate is invalid according to the validation procedure.
can anybody help me to make this work in localhost with the SF Local Cluster Manager?
Thanks
Here's my two cents worth but it will need to be verified...
I am assuming that you have created a self-signed certificate using following article or similar but the certificate has same properties.
https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-configure-ssl-certificate
This means that the certificate can not be verified via actual CA. Ofcourse with self-signed certificate this is not possible.
Now when you upload the certificate to Azure App Service it installs in CurrentUser - MyStore. With self-signed certificate, it also needs to be installed in LocalMachine Root store.
This is becouse then the machine's Certificate Authority can verify that certificate to be valid. (May be a security expert can correct me if I am wrong but thats my theory). I have got same setup on my locally hosted windows server where the self-signed certificate is installed in Root Certificate Store as well as Personal store and the app works. This is the reason I belive this happens.
So this part which needs to be verified. Following is the article which shows you how you can do this in Azure App service.
https://learn.microsoft.com/en-us/azure/cloud-services/cloud-services-configure-ssl-certificate-portal
AGAIN THIS IS JUST A THEORY THIS NEEDS TO BE VERIFIED. :)
EDIT:
I have just tested this and it is the case. In cloud services you can do as shown in second link above and create Web Job which install certificate in appropriate store.
For Azure App Service unfortunaltly you dont have access to root store. It has to be install in CurrentUser's personal store. Which means the self signed certificate will not work, and you have to purchase a real certificate. :( I think this is a real thumb down to Microsoft. Why should I need to pay for real certificate for my dev/test environment? (Rant Over)
For Service Fabric you will need to find out how to install certificate in Root Store as well as personal store (if thats possible at all). Here's Links that might be useful
http://ronaldwildenberg.com/running-an-azure-service-fabric-cluster-locally-on-ssl/
https://learn.microsoft.com/en-us/azure/service-fabric/service-fabric-cluster-security-update-certs-azure
Hope this helps.