I run a private AKS cluster. This cluster runs services that also connect to other services within the wider company network. In our company we have an internally self-signed root certificate, and there is a service under the domain example.company.internal that we need to access. The certificate for example.company.internal is signed by our self-signed root certificate.
From all the windows PCs this is no problem because some policy adds the root-cert to the windows trusted cert store.
However, from within the cluster, if I run `curl https://example.company.internal/` I get the following output:

```
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
```
I so far could not find a way to let the whole cluster trust this self-signed certificate. Any guidance would be appreciated.
Update:
I ended up going with this solution from BenCaldwell.
To get your AKS cluster to trust a self-signed certificate, you'll need to add the root certificate to the trusted store within your cluster environment. This typically involves configuring the trust at the container level, since Kubernetes itself does not directly manage SSL/TLS certificates for outbound connections.
Create a ConfigMap with your root certificate:

```
kubectl create configmap custom-root-ca --from-file=rootCA.pem -n your-namespace
```
This stores your root certificate in Kubernetes as a ConfigMap, making it available to be mounted into pods.
Update your deployment to use the trusted certificate. Example deployment:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
  namespace: your-namespace   # must be the namespace the ConfigMap was created in
spec:
  selector:
    matchLabels:
      app: nginx
  replicas: 1
  template:
    metadata:
      labels:
        app: nginx
    spec:
      initContainers:
        # Build a combined bundle (system CAs + company root) into a shared
        # emptyDir. An init container's own root filesystem is thrown away,
        # so appending to its /etc/ssl/... would never reach the nginx container.
        - name: add-ca-cert
          image: alpine
          command:
            - sh
            - -c
            - |
              if [ -f /etc/ssl/certs/ca-certificates.crt ]; then
                cat /etc/ssl/certs/ca-certificates.crt /custom-root-ca/rootCA.pem > /ca-bundle/ca-certificates.crt;
              elif [ -f /etc/ssl/cert.pem ]; then
                cat /etc/ssl/cert.pem /custom-root-ca/rootCA.pem > /ca-bundle/ca-certificates.crt;
              else
                echo "No known SSL directory found.";
                exit 1;
              fi
          volumeMounts:
            - name: custom-root-ca
              mountPath: /custom-root-ca
              readOnly: true
            - name: ca-bundle
              mountPath: /ca-bundle
      containers:
        - name: nginx
          image: nginx:latest
          ports:
            - containerPort: 80
          volumeMounts:
            # Overlay only the bundle file; the rest of /etc/ssl/certs stays as shipped
            - name: ca-bundle
              mountPath: /etc/ssl/certs/ca-certificates.crt
              subPath: ca-certificates.crt
              readOnly: true
      volumes:
        - name: custom-root-ca
          configMap:
            name: custom-root-ca
        - name: ca-bundle
          emptyDir: {}
```
Apply it with `kubectl apply -f <filename.yaml>`, then exec into your pod:

```
kubectl exec -it [your-pod-name] -- /bin/sh
```

Check that the CA certificate is in the bundle (choose the correct cert file based on your system):

```
grep -c "BEGIN CERTIFICATE" /etc/ssl/certs/ca-certificates.crt
```
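An offline way to check the trust-chain logic before rolling it into a cluster, added here as an example that is not part of the original answer. It generates a throwaway stand-in for the company root CA and a leaf for example.company.internal (all constructed), assembles the combined bundle the same way the init container does, and verifies the leaf with openssl against the system bundle alone and against the combined one.

```shell
#!/bin/sh
# Constructed, self-contained check of the CA-bundle approach; requires openssl.
set -eu
WORK=$(mktemp -d)

# Throwaway self-signed CA: $1 = common name, $2 = output basename (constructed).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# Leaf for the internal service, signed by the stand-in company root (constructed).
make_leaf() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=example.company.internal" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/rootCA.pem" \
    -CAkey "$WORK/rootCA.key" -CAcreateserial -days 1 \
    -out "$WORK/leaf.pem" 2>/dev/null
}

# Mirror the init container: system bundle + company root -> combined bundle.
# "$WORK/system-ca.crt" stands in for /etc/ssl/certs/ca-certificates.crt and
# holds only an unrelated public-style root, so the company chain is not in it.
build_bundle() {
  cat "$WORK/public.pem" > "$WORK/system-ca.crt"
  cat "$WORK/system-ca.crt" "$WORK/rootCA.pem" > "$WORK/ca-certificates.crt"
}

# Exit 0 if leaf.pem chains to a CA in bundle $1, non-zero otherwise; this is
# the same verification curl performs when it reports "self signed certificate
# in certificate chain".
verify_against() {
  openssl verify -CAfile "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Number of PEM certificates in bundle $1. Debian and Alpine bundles contain no
# human-readable "Issuer:" lines, so counting BEGIN markers is the reliable check.
count_certs() {
  grep -c "BEGIN CERTIFICATE" "$1"
}

make_ca "Example Company Internal Root CA" rootCA
make_ca "Unrelated Public Root" public
make_leaf
build_bundle
echo "certificates in combined bundle: $(count_certs "$WORK/ca-certificates.crt")"
verify_against "$WORK/system-ca.crt" || echo "system bundle alone: leaf rejected (expected)"
verify_against "$WORK/ca-certificates.crt" && echo "combined bundle: leaf trusted"
```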