Get an Azure K8s to trust a self signed certifikate
I run a private aks, this cluster runs services that also connect to other services within the wider company network. In our company we have an internally self-signed root certificate. And there is a service under the domain example.company.internal that we need to access. The certificate for example.company.internal is signed by our self-singed root certificate.
From all the windows PCs this is no problem because some policy adds the root-cert to the windows trusted cert store.
However, from within the cluster, if I run curl https://example.company.internal/ I get the following output
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I so far could not find a way to let the whole cluster trust this self-signed certificate. Any guidance would be appreciated.
Update:
I ended up going with this solution from BenCaldwell.
To get your AKS cluster to trust a self-signed certificate, you'll need to add the root certificate to the trusted store within your cluster environment. This typically involves configuring the trust at the container level, since Kubernetes itself does not directly manage SSL/TLS certificates for outbound connections.
Create a ConfigMap with Your Root Certificate-
kubectl create configmap custom-root-ca --from-file=rootCA.pem -n your-namespace
This stores your root certificate in Kubernetes as a ConfigMap, making it available to be mounted into pods.
update your deployment to Use the Trusted Certificate. example deployment-
apiVersion: apps/v1
kind: Deployment
metadata:
name: nginx-deployment
namespace: default
spec:
selector:
matchLabels:
app: nginx
replicas: 1
template:
metadata:
labels:
app: nginx
spec:
initContainers:
- name: add-ca-cert
image: alpine
command:
- sh
- -c
- >
if [ -f /etc/ssl/certs/ca-certificates.crt ]; then
cat /etc/ssl/certs/custom-root-ca/rootCA.pem >> /etc/ssl/certs/ca-certificates.crt;
elif [ -f /etc/ssl/cert.pem ]; then
cat /etc/ssl/certs/custom-root-ca/rootCA.pem >> /etc/ssl/cert.pem;
else
echo "No known SSL directory found.";
exit 1;
fi
volumeMounts:
- name: custom-root-ca
mountPath: /etc/ssl/certs/custom-root-ca
readOnly: true
containers:
- name: nginx
image: nginx:latest
ports:
- containerPort: 80
volumeMounts:
- name: custom-root-ca
mountPath: /etc/ssl/certs/custom-root-ca
readOnly: true
volumes:
- name: custom-root-ca
configMap:
name: custom-root-ca
apply the same kubectl apply -f <filename.yaml>
then exec into your pod
kubectl exec -it [your-pod-name] -- /bin/sh
Check if the CA certificate is appended (choose the correct cert file based on your system) cat /etc/ssl/certs/ca-certificates.crt | grep "Issuer"
- Openshift: unable to validate against any security > context constraint
- Is possible to pass environment variables to yml manifests while running a Github Action?
- Kubernetes: Unable to create replicaSet: error: no objects passed to create
- How to access kind control plane port from another docker container?
- Multi-Attach error for volume <pvcname> Volume is already exclusively attached to one node and can't be attached to another
- How to use git-sync image as a sidecar in kubernetes that git pulls periodically
- Manage resources generated by other resources
- How to override default chart values in terraform using helm provider?
- Minikube "icacls failed applying permissions "
- Kubectl error : [memcache.go:265] couldn't get current server API group list
- kubectl logs deploy/my-deployment does not show logs from all pods
- Kubernetes worker node is NotReady due to CNI plugin not initialized
- Couldn't proceed with upgrade process as new nodes are not joining node group standard-workers
- Conflicting NetworkPolicies in kubernetes
- Why does my GKE cluster not show any events?
- Kubernetes NFS Persistent Volumes - multiple claims on same volume? Claim stuck in pending?
- Encountering connection problems with PostgreSQL when using psycopg2 on a port that has been forwarded
- The connection to the server localhost:8080 was refused
- GKE gateway API: Control open ports on default firewall rule
- How to use Kubernetes secret object stringData to store base64 encoded privateKey
- K8s cluster deployment error: nc: bad address 'xx'
- Ingress path redirection, helm chart
- fluentd with OpenSearch - where does the @timestamp field come from?
- How can I keep a container running on Kubernetes?
- kubectl logs displays only 'API server listening at: [::]:40000' when remote debugging with dlv is enabled - How do I get my logs back?
- failed calling webhook "vingress.elbv2.k8s.aws"
- Kubernetes - Frontend pod can't reach backend pod
- How to access Kubernetes API when using minkube?
- What is Difference between KubernetesManifest@0 and KubernetesManifest@1 in Yaml pipeline?
- kube-prometheus-stack issue scraping metrics