Spring cloud kubernetes watcher calling actuator refresh failing using ssl #1814
Comments
Seems like this might be a configuration issue with the SSL cert. Does that cert only allow the use of DNS names and not IP addresses?
Yes, it allows only DNS. How can we add pod/service endpoint IP addresses, as they are dynamic?
It's currently trying the IP address, correct? It needs to be using the host name...
How can I set the endpoint to be a hostname, and if there are replicas/multiple pods, how will the actuator/refresh API be called for all pods?
Looking at K8sInstanceIdHostPodNameSupplier.java:
The host is only the IP address if not using an external name. Also, if there is documentation for how to create the docker image after cloning the repo, that would help.
Right, so if you have multiple instances you will need to use the IP address, in which case the SSL cert will need to be configured with those IP addresses. To build the docker image run
Pods have dynamic IP addresses, so they cannot be added to the SSL cert.
Do you need to use https for the config watcher to call the actuator endpoint? It's an internal call without posting any data to the endpoint.
The actuator endpoints are also used externally, so it has to be https per security policy.
Honestly I think the best solution for you is to use Kafka or Rabbit and Spring Cloud Bus as opposed to using the actuator endpoint. https://docs.spring.io/spring-cloud-kubernetes/reference/spring-cloud-kubernetes-configuration-watcher.html#_messaging_implementation
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Hi, I have a Spring Boot application A, using SSL for actuator endpoints and all other APIs. I have configured the watcher and set the label of service A to secured: "true" to make the https actuator refresh API call to A.
The watcher makes the API call as https://XX.XX.XX.XX:XXXX/actuator/refresh but fails.
I am getting the error "No subject alternative DNS name matching XX.XX.XX.XX (IP address of pod) found" in the Spring Cloud Kubernetes watcher. The SSL certificate of A does not have the IP addresses of the endpoints, as they are dynamic.
What is the best way to call the actuator API using SSL from the Spring Cloud configuration watcher?
Sorry for creating this as an issue, this might be more of a question. Thank you. Happy to provide more information.
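The failure above comes down to TLS hostname verification: when a client dials an IP literal, the certificate is matched on its IP subjectAltName entries only, and DNS SANs never match an IP. The following is an added example, written for this page and not code from the issue thread or the Spring Cloud Kubernetes project, that models those matching rules (RFC 6125 / RFC 2818 style, as Java and most TLS clients apply them) over a constructed SAN set. The service names, the pod IP and the SAN strings are all made up for the illustration; the point it shows is that a cert carrying only DNS names can verify for the service hostname but never for a pod IP, and that the only way an IP target verifies is an IP SAN for that exact address, which is what dynamic pod IPs make impractical.

```python
"""Added example: a minimal model of TLS hostname verification against a
certificate's subjectAltName entries. It is not Java's HostnameChecker and
not part of Spring Cloud Kubernetes; it only reproduces the matching rules
that decide whether https://<target>/... verifies.

Rules modelled:
  * if the target is an IP literal, only IP SANs are consulted, compared
    as addresses (so 10.0.0.5 and 10.0.0.05 are the same);
  * if the target is a hostname, only DNS SANs are consulted,
    case-insensitively, with '*' allowed only as the whole leftmost label.
"""
import ipaddress


def parse_san(san_line: str) -> list[tuple[str, str]]:
    """Parse an OpenSSL-style SAN string such as
    'DNS:a.example, IP Address:10.0.0.5' into (kind, value) pairs,
    kind being 'DNS' or 'IP'. Other SAN kinds (email, URI) play no part
    in hostname verification and are dropped."""
    entries = []
    for raw in san_line.split(","):
        raw = raw.strip()
        if not raw:
            continue
        kind, _, value = raw.partition(":")
        kind = kind.strip().upper()
        if kind in ("IP", "IP ADDRESS"):
            entries.append(("IP", value.strip()))
        elif kind == "DNS":
            entries.append(("DNS", value.strip().lower()))
    return entries


def _dns_match(pattern: str, host: str) -> bool:
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    # A wildcard may only stand for the entire leftmost label, and it
    # must match exactly one non-empty label (no 'a.b' for '*.').
    if pattern.startswith("*."):
        suffix = pattern[1:]                  # e.g. ".default.svc"
        if not host.endswith(suffix):
            return False
        left = host[: -len(suffix)]
        return left != "" and "." not in left
    return False


def verify_target(target: str, san_line: str) -> tuple[bool, str]:
    """Return (ok, reason) for dialing `target` against a cert whose SANs
    are `san_line`. The reasons mirror the shape of the JDK's messages."""
    sans = parse_san(san_line)
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        for kind, value in sans:
            if kind != "IP":
                continue
            try:
                if ipaddress.ip_address(value) == ip:
                    return True, f"matched IP SAN {value}"
            except ValueError:
                continue                      # malformed IP SAN: ignore it
        return False, f"no subject alternative name matching IP address {target} found"
    for kind, value in sans:
        if kind == "DNS" and _dns_match(value, target):
            return True, f"matched DNS SAN {value}"
    return False, f"no subject alternative DNS name matching {target} found"


# Constructed SAN set resembling the issue: the service's DNS names only.
SERVICE_CERT_SANS = (
    "DNS:service-a, DNS:service-a.default.svc, "
    "DNS:service-a.default.svc.cluster.local"
)
# Constructed pod IP of the kind the watcher would dial.
POD_IP = "10.244.1.17"

if __name__ == "__main__":
    # Fails: the cert has no IP SAN, so an IP target can never match.
    print(verify_target(POD_IP, SERVICE_CERT_SANS))
    # Succeeds: the service DNS name is in the cert.
    print(verify_target("service-a.default.svc", SERVICE_CERT_SANS))
    # Succeeds only because this exact pod IP was added as an IP SAN; pod
    # IPs change on every reschedule, which is why this is not a workable fix.
    print(verify_target(POD_IP, SERVICE_CERT_SANS + ", IP Address:" + POD_IP))
```

Run it as-is; the three printed tuples show the failing IP call, the passing hostname call, and the IP call passing only once the cert carries that specific IP SAN. The same logic is why the maintainer's two options are the real choices: dial a stable DNS name that the cert covers (which loses per-pod fan-out), or take the actuator call out of the path altogether and refresh through Spring Cloud Bus.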