Spring cloud kubernetes watcher calling actuator refresh failing using ssl #1814

Open
saurabhb8984 opened this issue Dec 5, 2024 · 11 comments

Comments

@saurabhb8984

Hi, I have a Spring Boot application A, using SSL for actuator endpoints and all other APIs. I have configured the watcher and set the label of service A to secured: "true" to make an HTTPS actuator refresh API call to A.

The watcher makes the API call as https://XX.XX.XX.XX:XXXX/actuator/refresh but fails.

I am getting the error "No subject alternative DNS name matching XX.XX.XX.XX (IP address of pod) found" in the Spring Cloud Kubernetes watcher. The SSL certificate of A does not have the IP addresses of the endpoints, as they are dynamic.

What is the best way to call the actuator API using SSL from the Spring Cloud configuration watcher?

Sorry for creating this as an issue; this might be more of a question. Thank you. Happy to provide more information.

@ryanjbaxter
Contributor

Seems like this might be a configuration issue with the SSL cert. Does that cert only allow the use of DNS names and not IP addresses?

@saurabhb8984
Author

Yes, it allows only DNS. How can we add pod/service endpoint IP addresses, as they are dynamic?

@ryanjbaxter
Contributor

It's currently trying the IP address, correct? It needs to be using the host name...

@saurabhb8984
Author

How can I set the endpoint to be a hostname, and if there are replicas/multiple pods, how will the actuator/refresh API be called for all pods?

@saurabhb8984
Author

saurabhb8984 commented Dec 9, 2024

Looking at K8sInstanceIdHostPodNameSupplier.java:

```java
// Excerpt from K8sInstanceIdHostPodNameSupplier.java in spring-cloud-kubernetes
private String host() {
	return Optional.ofNullable(endpointAddress)
		// when the service has an EndpointAddress, use the pod's IP as the host
		.map(V1EndpointAddress::getIp)
		// otherwise fall back to the service's externalName (ExternalName services only)
		.orElseGet(() -> service.getSpec().getExternalName());
}
```

The host is only an IP address if not using an external name.

Also, if there is documentation for how to create the Docker image after cloning the repo, that would help.

@ryanjbaxter
Contributor

Right, so if you have multiple instances you will need to use the IP address, in which case the SSL cert will need to be configured with those IP addresses.

To build the Docker image, run ../../mvnw clean install from the spring-cloud-kubernetes-configuration-watcher directory.

@saurabhb8984
Author

Pods have dynamic IP addresses, so they cannot be added to the SSL cert.

@ryanjbaxter
Contributor

Do you need to use HTTPS for the config watcher to call the actuator endpoint? It's an internal call without posting any data to the endpoint.

@saurabhb8984
Author

The actuator endpoints are also used externally, so it has to be HTTPS per security policy.

@ryanjbaxter
Contributor

Honestly, I think the best solution for you is to use Kafka or RabbitMQ and Spring Cloud Bus as opposed to using the actuator endpoint: https://docs.spring.io/spring-cloud-kubernetes/reference/spring-cloud-kubernetes-configuration-watcher.html#_messaging_implementation

@spring-cloud-issues

If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
