Google Cloud: Trying to automate https glb with Google-managed cert - ssl

I am trying to automate GLB configuration with DM scripts. I have been able to accomplish GLB configurations with a self-provided certificate. However, I am now trying to use a Google-managed certificate. It's possible, but I'm not able to automate it with a DM script because there are two gcloud commands:
gcloud beta compute ssl-certificates create [SSL_CERTIFICATE_NAME] \
--domains [DOMAIN]
gcloud beta compute [target-https-proxies | target-ssl-proxies] update [NAME] \
--ssl-certificates [SSL-CERTIFICATE-NAME]
from https://cloud.google.com/load-balancing/docs/ssl-certificates --> Creating a Google-managed SSL certificate resource
Is it possible to have some equivalent DM scripts so that I don't need to execute them from command-line or resort to using GCP console?
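A Deployment Manager Python template that expresses the two gcloud steps as resources, added here as an example (it is not from the original question or from Google's documentation). It assumes the URL map already exists and its selfLink is passed in as the urlMap property, that the domain list comes from a domains property, and that the resource names derived from the deployment name are placeholders.

```python
"""Deployment Manager Python template: a Google-managed certificate plus the
target HTTPS proxy that references it (added example, not from the post).
Assumptions: the URL map already exists and its selfLink is given as the
`urlMap` property; `domains` is a list; names derive from the deployment."""


def GenerateConfig(context):
    """Entry point Deployment Manager calls for a Python template."""
    name = context.env['deployment']
    cert_name = name + '-managed-cert'
    domains = list(context.properties['domains'])
    if not domains:
        raise ValueError('at least one domain is required')
    resources = [
        {
            # gcloud beta compute ssl-certificates create CERT --domains DOMAIN
            'name': cert_name,
            'type': 'compute.beta.sslCertificate',
            'properties': {'type': 'MANAGED', 'managed': {'domains': domains}},
        },
        {
            # gcloud beta compute target-https-proxies update PROXY \
            #     --ssl-certificates CERT
            # The $(ref...) expression makes DM create the certificate first
            # and wire its selfLink in, so no second manual step is needed.
            'name': name + '-https-proxy',
            'type': 'compute.v1.targetHttpsProxy',
            'properties': {
                'urlMap': context.properties['urlMap'],
                'sslCertificates': ['$(ref.%s.selfLink)' % cert_name],
            },
        },
    ]
    return {'resources': resources}


class FakeContext(object):
    """Stand-in for the object DM passes in; lets the template run locally."""

    def __init__(self, deployment, domains, url_map):
        self.env = {'deployment': deployment}
        self.properties = {'domains': domains, 'urlMap': url_map}


if __name__ == '__main__':
    import json
    ctx = FakeContext('glb', ['www.example.com'],
                      'projects/PROJECT/global/urlMaps/URL_MAP')
    print(json.dumps(GenerateConfig(ctx), indent=2))
```

Import the template from a deployment config as usual; the proxy resource only becomes active once the managed certificate has been provisioned, which DM orders for you through the reference.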

Related

Prometheus Discovering Services with Consul: tls:Bad Certificate

I want to make use of Consul with Prometheus, but I receive the tls: bad certificate error.
See:
caller=consul.go:513 level=error component="discovery manager scrape" discovery=consul msg="Error refreshing service" service=NodeExporter tags= err="Get \"https://consul.service.dc1.consul:8500/v1/health/service/NodeExporter?dc=dc1&stale=&wait=120000ms\": remote error: tls: bad certificate"
At the same time when running the same manually with curl, I am able to get an expected output:
curl -v -s -X GET "https://consul.service.dc1.consul:8500/v1/health/service/NodeExporter?dc=dc1&stale=&wait=120000ms" --key /secrets/consul.key --cert /secrets/consul.pem --cacert /secrets/cachain.pem
[{"Node":{"ID":"e53188ef-16ec-xxxx-xxxx-xxxx","Node":"dc1-runner-dev-1.test.io","Address":"30.10.xx.xx","Datacenter":"dc1","TaggedAddresses":{"lan":"30.10.xx.xx","lan_ipv4":"30.10.xx.xx","wan":"30.10.xx.xx","wan_ipv4":"30.10.xx.xx"},"Meta":{"consul-network-segment":""},"CreateIndex":71388,"ModifyIndex":71391},"Service":{"ID":"dc1-runner-dev-1.test.io-NodeExporter","Service":"NodeExporter","Tags":["service=node_exporter","environment=dev","datacenter=dc1"]...
To see more details from curl debug output, please see here:
LINK
Prometheus is running in Docker; the Prometheus version is 2.31.1.
I also run the curl command from the same Docker container.
Here is the Prometheus config:
# my global config
global:
  scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.

# A scrape configuration containing exactly one endpoint to scrape:
# Here it's Prometheus itself.
scrape_configs:
  - job_name: "node_exporter"
    consul_sd_configs:
      - server: "consul.service.dc1.consul:8500"
        scheme: "https"
        datacenter: "dc1"
        services: ["NodeExporter"]
        tls_config:
          ca_file: "/secrets/cachain.pem"
          cert_file: "/secrets/consul.pem"
          key_file: "/secrets/consul.key"
Prometheus is able to access the specified certificates.
I have also tried adding the "insecure_skip_verify" property to the Prometheus config file. I receive the same error.
The steps by which the certificates are created:
I create an offline self-signed root CA by using Ansible modules from community.crypto collection
Create CSR and sign Intermediate CA1 with that root CA
I upload the Intermediate CA1 and the corresponding key into the PKI secrets engine in HashiCorp Vault.
After that, inside Vault PKI, I create a new CSR and use Intermediate CA1 to sign Intermediate CA2.
Create a PKI role
The certificates in Prometheus are leaf certificates of Intermediate CA2 issued against the mentioned PKI role.
See the output of the openssl x509 -text command for the used certificates here
Any ideas what I am missing here?

Change domain for load balancer's SSL certificates

I have been going around in circles for the past hour trying to change the domain for the HTTP(S) Load Balancer's SSL certificates.
I can't seem to find an option in the console or CLI to change/update the domains. After creating a new one, I cannot delete the old one because it is attached to the load balancer. To remove the old SSL certificate, I have to delete the LB and its dependencies and go through all the steps to create the load balancer again.
May I know if it is a bug or expected behavior?
Thanks.
Before you can delete an SSL certificate, you must first update each target proxy that references the certificate. For each target proxy, run the appropriate gcloud update command to update the target proxy's CERTIFICATE_LIST such that it no longer includes the SSL certificate you need to delete.
Please find below the steps for replacing SSL certificates.
1. Create a new SSL certificate resource. The new SSL certificate must have a unique name within the project.
2. Update the target proxy so that its list of SSL certificate(s) includes the new SSL certificate in the first position to make it the primary certificate. After the new certificate, include any existing SSL certificates that you want to retain. Make sure to exclude the old SSL certificate that you no longer need. To avoid downtime, run a single gcloud command with the --ssl-certificates flag. For example:
For external HTTP(S) load balancers:
Use the gcloud compute target-https-proxies update command with the --global flag.
gcloud compute target-https-proxies update TARGET_PROXY_NAME \
  --global \
  --ssl-certificates=new-ssl-cert,other-certificates \
  --global-ssl-certificates
For internal HTTP(S) load balancers:
gcloud compute target-https-proxies update TARGET_PROXY_NAME \
  --region REGION \
  --ssl-certificates=new-ssl-cert,other-certificates \
  --global-ssl-certificates
For SSL proxy load balancers:
Use the gcloud compute target-ssl-proxies update command with the --backend-service flag.
gcloud compute target-ssl-proxies update TARGET_PROXY_NAME \
  --ssl-certificates=new-ssl-cert,other-certificates
Verify that the load balancer is serving the replacement certificate by running the following OpenSSL command:
echo | openssl s_client -showcerts -connect IP_ADDRESS:443 -verify 99 -verify_return_error
Wait 15 minutes to ensure that the replacement certificate is available to all Google Front Ends (GFEs).
(Optional) Delete the old SSL certificate.
For further reading please follow the links below:
Deleting/replacing SSL certificates:
https://cloud.google.com/load-balancing/docs/ssl-certificates/self-managed-certs#delete-ssl-cert-resource
Replacing an existing SSL certificate
https://cloud.google.com/load-balancing/docs/ssl-certificates/google-managed-certs#replace-ssl
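The verification step above checks the served chain by eye; the following added example (not from the original answer, standard library only) makes it an exact check by comparing the SHA-256 fingerprint of the leaf the load balancer presents for a given SNI name with the fingerprint of the new certificate file. The IP, certificate path and domain are placeholders.

```python
"""Added example: confirm a load balancer already serves the replacement
certificate by comparing SHA-256 fingerprints (served leaf vs. new cert file)."""
import base64
import hashlib
import socket
import ssl

PEM_BEGIN = '-----BEGIN CERTIFICATE-----'
PEM_END = '-----END CERTIFICATE-----'


def der_fingerprint(der):
    """SHA-256 over DER bytes: the digest `openssl x509 -fingerprint -sha256` shows."""
    return hashlib.sha256(der).hexdigest()


def pem_fingerprint(pem_text):
    """Fingerprint of the FIRST certificate in a PEM file (the leaf in a chain file)."""
    start = pem_text.index(PEM_BEGIN) + len(PEM_BEGIN)
    end = pem_text.index(PEM_END, start)
    body = ''.join(pem_text[start:end].split())
    return der_fingerprint(base64.b64decode(body))


def served_fingerprint(host, port=443, sni=None, timeout=5.0):
    """Fetch the leaf presented for `sni`: connect to the LB IP but send the
    domain, since the front end selects the certificate by SNI. Chain
    validation is off on purpose: the check here is the exact fingerprint
    match against the known new certificate, not the CA path."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni or host) as tls:
            return der_fingerprint(tls.getpeercert(binary_form=True))


def serving_new_cert(host, new_cert_pem, sni, port=443):
    """True once the load balancer answers with the replacement certificate."""
    return served_fingerprint(host, port, sni) == pem_fingerprint(new_cert_pem)


if __name__ == '__main__':
    import sys  # usage: python3 check.py LB_IP new-cert.pem www.example.com
    ip, cert_path, domain = sys.argv[1:4]
    with open(cert_path) as f:
        ok = serving_new_cert(ip, f.read(), domain)
    print('replacement certificate served' if ok else 'old certificate still served')
```

Run it a few times over the 15-minute window the answer mentions; because GFEs pick up the new certificate gradually, an intermittent mismatch during that period is expected rather than an error.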

Move cert-manager certificate to another Kubernetes cluster

I'm in the process of moving web services from one Kubernetes cluster to another. The goal is to do that without service interruption.
This is difficult with cert-manager and HTTP challenges, because cert-manager on the new cluster can only retrieve a certificate once the DNS entry points to that cluster. However, if I switch the DNS entry to the new cluster, clients will potentially talk to the new cluster before a valid certificate has been generated. This is like a chicken-and-egg problem.
How do I move the cert-manager certificates to the new cluster, so that it already has the certs once I make the DNS switch?
Certificates are stored in Kubernetes secrets. Cert-manager will pick up existing secrets instead of creating new ones, if the secret matches the ingress object.
So assuming that the ingress object looks the same on both clusters, and that the same namespace is used, copying the secret is as simple as this:
kubectl --context OLD_CLUSTER -n NAMESPACE get secret SECRET_NAME --output yaml \
| kubectl --context NEW_CLUSTER -n NAMESPACE apply -f -
Replace OLD_CLUSTER and NEW_CLUSTER with the kubectl context names of the respective clusters (see kubectl config get-contexts).
Replace SECRET_NAME with the name of the secret where the certificate is stored. This name can be found in the ingress.
Replace NAMESPACE with the actual namespace that you're using.
The command simply exports the secret in YAML format, and then uses kubectl apply -f to create the same resource in the new cluster.
Once the ingress is in place on the new cluster, you can verify that the cert works by using openssl s_client:
openssl s_client -connect CLUSTER_IP:443 -servername SERVICE_DNS_NAME
Again, replace CLUSTER_IP and SERVICE_DNS_NAME accordingly.
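Between the get and the apply in the answer above, a practitioner usually wants to strip the metadata that belongs to the old cluster and confirm the secret really holds a certificate and key; this added example (not from the original answer, standard library only) does that as a filter on the JSON form of the secret. The example_secret helper is a constructed stand-in for real kubectl output.

```python
"""Sanitise a kubernetes.io/tls Secret exported from the old cluster before
applying it to the new one (added example, not from the original answer).
Drops old-cluster metadata, keeps cert-manager's labels/annotations so the
secret is adopted, and checks that tls.crt / tls.key hold PEM material."""
import base64
import json

OLD_CLUSTER_METADATA = ('uid', 'resourceVersion', 'creationTimestamp',
                        'managedFields', 'selfLink', 'generation')


def _decode(secret, key):
    try:
        return base64.b64decode(secret['data'][key]).decode()
    except (KeyError, ValueError) as exc:
        raise ValueError('missing or undecodable data.%s' % key) from exc


def sanitize_tls_secret(secret):
    """Return a copy safe to `kubectl apply` elsewhere, or raise ValueError."""
    if secret.get('kind') != 'Secret' or secret.get('type') != 'kubernetes.io/tls':
        raise ValueError('expected a Secret of type kubernetes.io/tls')
    if '-----BEGIN CERTIFICATE-----' not in _decode(secret, 'tls.crt'):
        raise ValueError('tls.crt does not contain a PEM certificate')
    if 'PRIVATE KEY-----' not in _decode(secret, 'tls.key'):
        raise ValueError('tls.key does not contain a PEM private key')
    out = json.loads(json.dumps(secret))  # deep copy; input stays untouched
    for field in OLD_CLUSTER_METADATA:
        out['metadata'].pop(field, None)
    # kubectl's last-applied annotation is stale in the new cluster as well
    out['metadata'].get('annotations', {}).pop(
        'kubectl.kubernetes.io/last-applied-configuration', None)
    return out


def example_secret():
    """Constructed sample shaped like `kubectl get secret -o json` (no real keys)."""
    def b64(s):
        return base64.b64encode(s.encode()).decode()
    return {
        'apiVersion': 'v1', 'kind': 'Secret', 'type': 'kubernetes.io/tls',
        'metadata': {'name': 'www-tls', 'namespace': 'web', 'uid': 'PLACEHOLDER-UID',
                     'resourceVersion': '12345', 'creationTimestamp': '2020-01-01T00:00:00Z',
                     'annotations': {'cert-manager.io/certificate-name': 'www-tls'}},
        'data': {'tls.crt': b64('-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n'),
                 'tls.key': b64('-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n')}}


if __name__ == '__main__':
    import sys  # kubectl ... get secret NAME -o json | python3 sanitize.py | kubectl ... apply -f -
    json.dump(sanitize_tls_secret(json.load(sys.stdin)), sys.stdout, indent=2)
```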

How to configure a SSL certificate to be used by Kubernetes with Google Cloud?

I am trying to send my app to a Google Cloud cluster using the kubectl command behind a corporate proxy that needs a certificate ".crt" file to be used when doing HTTPS requests.
I already ran the gcloud container clusters get-credentials... command and it also asked for a certificate. I followed the given instructions by Google and I configured my certificate file without any issue and it worked.
But when I try the kubectl get pods I am getting the following message:
"Unable to connect to the server: x509: certificate signed by unknown authority"
How can I configure my certificate file to be used by the kubectl command?
I did a search on this subject, but the steps I found were too difficult. Could I just run something like this:
kubectl --set_ca_file /path/to/my/cert
Thank you
The short answer, as far as I know, is no.
Here[1] you can see the step-by-step of how to get this done in the easiest way I found so far; it is not a one-line way, but it is the closest to that.
After you have your cert files, you need to run this:
gcloud compute ssl-certificates create test-ingress-1 \
  --certificate [FIRST_CERT_FILE] --private-key [FIRST_KEY_FILE]
Then you need to create your YAML file with the configuration (in the link there are two examples).
Run this command:
kubectl apply -f [NAME_OF_YOUR_FILE].yaml
[1] https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-multi-ssl

How to configure Spark Standalone's web UI for HTTPS?

I'd like to set up Spark Standalone's Web UI so it can be accessed through HTTPS.
Spark is being run on a cluster external to the computer I'm using to access the browser.
Here's what I've done so far, and it's not working:
Used OpenSSL to make a self-signed certificate and key and then keytool to make a keystore
Packaged the certificate and key as a .p12 file
In Chrome's settings under Manage Certificates, imported said p12 file
In spark-defaults.conf, added options
spark.ui.https.enabled true
spark.ui.ssl.server.keystore.location /path/to/spark.keystore
spark.ui.ssl.server.keystore.keypassword password
spark.ui.ssl.server.keystore.password password
In spark-env.sh, added
export SPARK_MASTER_OPTS="-Dspark.ui.https.enabled=true \
-Dspark.ui.ssl.server.keystore.location=/path/to/spark.keystore \
-Dspark.ui.ssl.server.keystore.keypassword=password \
-Dspark.ui.ssl.server.keystore.password=password"
export SPARK_WORKER_OPTS="-Dspark.ui.https.enabled=true \
-Dspark.ui.ssl.server.keystore.location=/path/to/spark.keystore \
-Dspark.ui.ssl.server.keystore.keypassword=password \
-Dspark.ui.ssl.server.keystore.password=password"
I've tried to connect to the server before, after, and in between each of these steps, and I keep getting the error "This site can’t provide a secure connection". What am I missing here?
According to this line, I think that it's not possible to set up Spark Standalone's web UI with HTTPS.
masterWebUiUrl = "http://" + masterPublicAddress + ":" + webUi.boundPort
My recommendation is to file an issue in Spark's JIRA and find a Spark developer to fix it.
Below config worked for me, try putting this in "spark-defaults.conf" and restart the Spark service. Also check logs for which port Spark UI is listening on, as "spark.ssl.ui.port" is set to "0". In my case, it was running on port 8480.
spark.ssl.enabled true
spark.ssl.ui.port 0
spark.ssl.keyStore <path_to_keystore>
spark.ssl.keyStorePassword <keystore_password>
spark.ssl.keyPassword <key_password>
spark.ssl.trustStore <path_to_truststore>
spark.ssl.trustStorePassword <truststore_password>
spark.ssl.enabledAlgorithms ECDHE-RSA-AES256-SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
spark.ssl.protocol TLSv1.2
spark.ssl.trustStoreType JKS
See the screenshot for reference.