Rubens Sôto

Reputation: 31

Support wildcard domain, kubernetes

My problem is very specific and I don't know how to achieve it in Kubernetes.

I'm trying to configure an application called Presto: https://prestodb.io/docs/current/security/internal-communication.html

All my nodes should have a certificate to talk to each other; a wildcard certificate would be much simpler, but in Kubernetes I don't have a pod domain.

I need a way to configure a certificate for all my pods.

For example, if I have a way to call my pods like this: pod1.example.com, pod2.example.com

I could generate a certificate with *.example.com.

How do I achieve that in Kubernetes?

Trino is much easier to configure, but I can't use Trino yet because Trino doesn't work with Metabase.

Upvotes: 0

Views: 150

Answers (1)

Harsh Manvar

Reputation: 30110

You can store the certificate in a Secret and use it from there. Instead of creating a cert at the pod level, it is better to manage it at the service level.

However, it looks like you are looking for something similar to mTLS:

In mTLS, each microservice in a service mesh verifies the other's certificate and uses the public keys to create encryption keys unique to each conversation. This enables the communications between pairs of microservices to be authenticated and encrypted.

You can read more about it here: https://thenewstack.io/mutual-tls-microservices-encryption-for-service-mesh/#:~:text=In%20mTLS%2C%20each%20microservice%20in,to%20be%20authenticated%20and%20encrypted.

Description:

Microservice A sends a request for the certificate of microservice B.
Microservice B replies with its certificate and requests the certificate of Microservice A.
Microservice A checks with the certificate authority that the certificate belongs to Microservice B.
Microservice A sends its certificate to microservice B and also shares a session encryption key (encrypted with the public key of microservice B).
Microservice B checks with the certificate authority that the certificate it received belongs to microservice A.
With both microservices mutually authenticated and a session key created, communication between them can be encrypted and sent via the secure link.

If you are looking for the above scenario, managing service communication with certs, I would recommend using a service mesh with mTLS.

Upvotes: 1
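One way to get the per-pod DNS names the question asks for, and to hand every pod the same certificate from a Secret as the answer suggests, is a headless Service plus a StatefulSet: each pod then resolves as `<pod>.<service>.<namespace>.svc.cluster.local`, so a single wildcard certificate for `*.presto.analytics.svc.cluster.local` covers `presto-0`, `presto-1` and `presto-2`. This is an added example, not code from the question, the answer or the Presto project; the names `presto`, `analytics`, `presto-tls`, the image tag and the mount path are assumptions.

```yaml
# Added example: headless Service + StatefulSet + TLS Secret (names are assumptions)
apiVersion: v1
kind: Service
metadata:
  name: presto
  namespace: analytics
spec:
  clusterIP: None          # headless: DNS returns one A record per pod, not a VIP
  selector:
    app: presto
  ports:
    - port: 8443
---
apiVersion: v1
kind: Secret
metadata:
  name: presto-tls
  namespace: analytics
type: kubernetes.io/tls
data:
  tls.crt: "<base64 PEM cert with SAN *.presto.analytics.svc.cluster.local>"  # placeholder
  tls.key: "<base64 PEM private key>"                                          # placeholder
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: presto
  namespace: analytics
spec:
  serviceName: presto      # must match the headless Service to get per-pod DNS names
  replicas: 3
  selector:
    matchLabels:
      app: presto
  template:
    metadata:
      labels:
        app: presto
    spec:
      containers:
        - name: presto
          image: prestodb/presto:latest   # assumption: any Presto image works the same way
          volumeMounts:
            - name: tls
              mountPath: /etc/presto/tls  # assumption: point the Presto config at these files
              readOnly: true
      volumes:
        - name: tls
          secret:
            secretName: presto-tls
```

A wildcard matches exactly one DNS label, so the certificate must name `*.presto.analytics.svc.cluster.local` (the service-scoped form), not `*.svc.cluster.local`; each node must also advertise that FQDN to its peers as described in the linked Presto internal-communication docs, otherwise hostname verification fails.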
