traefik generate wildcard certificate using traefik helm chart version `1.35.0` - lets-encrypt

I'm trying to generate a wildcard certificate using the latest Traefik Helm chart, version 1.35.0. This is the ACME configuration, but I can see in the logs that Traefik requests a certificate for each subdomain, and no wildcard certificate seems to get requested.
```yaml
acme:
  enabled: true
  staging: false
  email: info@mydomain.com
  logging: true
  challengeType: "dns-01"
  dnsProvider:
    name: cloudflare
    cloudflare:
      CLOUDFLARE_EMAIL: "<EMAIL>"
      CLOUDFLARE_API_KEY: "<KEY>"
  persistence:
    enabled: true
  domains:
    enabled: true
    domainList:
      - main: "*.mydomain.com"
      - sans:
        - "mydomain.com"
```

It should be `domainsList` instead of `domainList`.


Secrets are not read from the vault after migrating to Spring Boot 3 - Getting an error

We are in the process of migrating to Spring Boot 3 from 2.7.7 (we did an incremental upgrade from 2.6.8 to 2.7.7 and then to 3.0.0). We have almost got our application working, except that the secrets are not read from the vault after migrating to Spring Boot 3. We get an error: "This method requires either a Token (spring.cloud.vault.token) or a token file at ~/.vault-token." The vault integration worked perfectly fine in the previous version, 2.6.8.
**Specifications**

- JDK - 17
- Spring boot - 3.0.0
- Spring Cloud - 2022.0.0
- spring-cloud-starter-vault-config - 4.0.0

**bootstrap.yml**

```yaml
bootstrap.yml: |-
  spring:
    cloud:
      vault:
        enabled: true
        host: pvault.dummy.local
        port: 8200
        uri: https://localhost:8200
        scheme: https
        namespace: rpp
        authentication: KUBERNETES
        generic:
          enabled: false
        kv:
          enabled: true
          backend: kv
          profile-separator: '/'
          application-name: path1/couchbase
        ssl:
          trust-store: classpath:config/vault-truststore.p12
          trust-store-password: password
          #trust-store-type: JKS
        kubernetes:
          role: b2c-isp-bss-role
          kubernetes-path: path1
          service-account-token-file: /var/run/secrets/kubernetes.io/serviceaccount/token
```

**application.yml**

```yaml
application.yml: |-
  spring:
    cloud:
      bootstrap:
        enabled: true
```

The migration guide does not suggest any change w.r.t vault. I'm a bit clueless as to where to start the changes.

Using a kubernetes ingress to support multiple sub domains

I have a domain foobar. When I started my project, I knew I would have my webserver handling traffic for foobar.com. Also, I plan on having an elasticsearch server I wanted running at es.foobar.com. I purchased my domain at GoDaddy and I (maybe prematurely) purchased a single site certificate for foobar.com. I can't change this certificate to a wildcard cert. I would have to purchase a new one. I have my DNS record routing traffic for that simple URL. I'm managing everything using Kubernetes.
Questions:
Is it possible to use my simple single-site certificate for the main site and subdomains like my elasticsearch server or do I need to purchase another single-site certificate specifically for the elasticsearch server? I checked earlier and GoDaddy wants $350 for the multisite one.
ElasticSearch complicates this somewhat since if it's being accessed at es.foobar.com and the cert is for foobar.com it's going to reject any requests, right? Elasticsearch needs a cert in order to have solid security.
Is it possible to use my simple single-site certificate for the main site and subdomains?
To achieve your goal, you can use Name based virtual hosting ingress, since most likely your webserver foobar.com and elasticsearch es.foobar.com work on different ports and will be available under the same IP.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: name-virtual-host-ingress
spec:
  rules:
  - host: foobar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: webserver
            port:
              number: 80
  - host: es.foobar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: elastic
            port:
              # http.port parameter in the elastic config; the default range is
              # 9200-9300, but an Ingress backend takes a single port number
              number: 9200
```
It can also be implemented using a TLS private key and certificate and creating a file for TLS. This is possible for just one level, like `*.foobar.com`.
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: name-virtual-host-ingress
spec:
  tls:
  - hosts:
    - foobar.com
    - es.foobar.com
    secretName: "foobar-secret-tls"
  rules:
  - host: foobar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: webserver
            port:
              number: 80
  - host: es.foobar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: elastic
            port:
              # http.port parameter in the elastic config; the default range is
              # 9200-9300, but an Ingress backend takes a single port number
              number: 9200
```
Either you need to get a wildcard or separate certificate for another domain.
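
The name-matching rule behind this answer, as an added example that is not part of the original post: a TLS client accepts a certificate only if one of its dNSName entries matches the requested host, and a wildcard stands for exactly one leftmost label. The function names and the SAN lists are constructed for illustration; the hosts are the ones from the Ingress above.

```python
# Added example: dNSName matching as TLS clients apply it (RFC 6125 / RFC 9525).
# Function names and certificate SAN lists are constructed for illustration.

def san_matches(pattern: str, hostname: str) -> bool:
    """Return True if one certificate dNSName entry covers hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # a wildcard stands for exactly one label, never zero or two
    if p[0] == "*":
        # Conservative assumption: refuse "*.com"-style patterns with
        # fewer than two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h  # no wildcard: exact, case-insensitive match


def uncovered_hosts(cert_sans, ingress_hosts):
    """Hosts from the Ingress rules that the certificate would NOT validate for."""
    return [host for host in ingress_hosts
            if not any(san_matches(san, host) for san in cert_sans)]


# Hosts taken from the Ingress rules in the answer.
INGRESS_HOSTS = ["foobar.com", "es.foobar.com"]

# Constructed SAN lists for three certificates one could buy or issue.
SINGLE_SITE = ["foobar.com"]
WILDCARD_ONLY = ["*.foobar.com"]
WILDCARD_PLUS_APEX = ["*.foobar.com", "foobar.com"]

if __name__ == "__main__":
    for label, sans in [("single-site", SINGLE_SITE),
                        ("wildcard only", WILDCARD_ONLY),
                        ("wildcard + apex", WILDCARD_PLUS_APEX)]:
        print(f"{label:16} uncovered: {uncovered_hosts(sans, INGRESS_HOSTS)}")
```

A wildcard-only certificate still leaves the bare domain uncovered, so the bare domain has to be listed as an additional name.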

Spring Cloud Gateway and TokenRelay Filter

I’m trying to migrate JHipster from using Zuul to Spring Cloud Gateway. JHipster uses Eureka to look up routes and I believe I’ve configured Spring Cloud Gateway correctly to look up routes and propagate the access token to them. Here’s my config:
```yaml
spring:
  cloud:
    gateway:
      default-filters:
        - TokenRelay
      discovery:
        locator:
          enabled: true
          lower-case-service-id: true
          route-id-prefix: /services/
      httpclient:
        pool:
          max-connections: 1000
```
The problem I’m experiencing is the access token is not sending an Authorization header to the downstream services.
Here's how things were configured with Zuul in my application.yml:
```yaml
zuul: # those values must be configured depending on the application specific needs
  sensitive-headers: Cookie,Set-Cookie #see https://github.com/spring-cloud/spring-cloud-netflix/issues/3126
  host:
    max-total-connections: 1000
    max-per-route-connections: 100
  prefix: /services
  semaphore:
    max-semaphores: 500
```
I created a pull request to show what's changed after integrating Spring Cloud Gateway.
https://github.com/mraible/jhipster-reactive-microservices-oauth2/pull/4
Steps to reproduce the issue:
```shell
git clone -b reactive git@github.com:mraible/jhipster-reactive-microservices-oauth2.git
```
Start JHipster Registry, Keycloak, and the gateway app:
```shell
cd jhipster-reactive-microservices-oauth2/gateway
docker-compose -f src/main/docker/jhipster-registry.yml up -d
docker-compose -f src/main/docker/keycloak.yml up -d
./mvnw
```
Start MongoDB and the blog app:
```shell
cd ../blog
docker-compose -f src/main/docker/mongodb.yml up -d
./mvnw
```
Navigate to http://localhost:8080 in your browser, log in with admin/admin, and try to go to Entities > Blog. You will get a 403 access denied error. If you look in Chrome Developer Tools at the network traffic, you'll see the access token isn't included in any headers.
I was able to solve this using this answer.
```yaml
spring:
  cloud:
    gateway:
      discovery:
        locator:
          enabled: true
          predicates:
            - name: Path
              args:
                pattern: "'/services/'+serviceId.toLowerCase()+'/**'"
          filters:
            - name: RewritePath
              args:
                regexp: "'/services/' + serviceId.toLowerCase() + '/(?<remaining>.*)'"
                replacement: "'/${remaining}'"
```
I also had to add .pathMatchers("/services/**").authenticated() to my security config, which wasn't needed for Zuul. You can see my commit here.

Openshift secret in Spring Boot bootstrap.yml

This is how my bootstrap.yml looks.
```yaml
spring:
  cloud:
    config:
      uri: http://xxxx.com
      username: ****
      password: ****
    vault:
      host: vault-server
      port: 8200
      scheme: http
      authentication: token
      token: ${VAULT_ROOT_TOKEN}
  application:
    name: service-name
management:
  security:
    enabled: false
```
The application starts when I configure the secret as an ENV variable in the Deployment Config (OSE), as below.
```yaml
name: VAULT_ROOT_TOKEN
value: *********
```
But configuring the secret as an ENV variable and fetching the value from an OSE secret is not working.
```yaml
name: VAULT_ROOT_TOKEN
valueFrom:
  secretKeyRef:
    name: vault-token
    key: roottoken
```
The error that I am getting is:
```
org.springframework.vault.VaultException: Status 400 secret/service-name/default: 400 Bad Request: missing required Host header
```
Surprisingly, in this scenario the ENV variable is working within the container/pod, but somehow it is not fetched during the bootstrap procedure.
```
env | grep TOKEN
VAULT_ROOT_TOKEN=********
```
My secret configuration in OSE:
```
oc describe secret vault-token
Name:         vault-token
Namespace:    ****
Labels:       <none>
Annotations:  <none>

Type:  Opaque

Data
====
roottoken:  37 bytes
```
What is missing in my deployment-config or secrets in OSE? How to configure to fetch secret as ENV variable and inject in the bootstrap.yml file?
NOTE : I can't move Vault configuration out of bootstrap.yml.
Openshift Enterprise info:
Version:
OpenShift Master:v3.2.1.31
Kubernetes Master:v1.2.0-36-g4a3f9c5
Finally I was able to achieve this. This is what I have done.
Provide the token as an argument:
```shell
java $JAVA_OPTS -jar -Dspring.cloud.vault.token=${SPRING_CLOUD_VAULT_TOKEN} service-name.jar
```
This is how my configuration looks:
Deployment Config:
```yaml
- name: SPRING_CLOUD_VAULT_TOKEN
  valueFrom:
    secretKeyRef:
      name: vault-token
      key: roottoken
```
Bootstrap file:
```yaml
spring:
  cloud:
    config:
      uri: http://xxxx.com
      username: ****
      password: ****
    vault:
      host: vault-server
      port: 8200
      scheme: http
      authentication: token
      token: ${SPRING_CLOUD_VAULT_TOKEN}
  application:
    name: service-name
management:
  security:
    enabled: false
```
Thanks to my colleagues who provided the inputs.

Spring Cloud Config Server not enforcing BASIC Authentication when running main()

I have configured a Spring Cloud Config server to force BASIC authentication and here is my application.yml file:
```yaml
# Config Repo:
spring:
  cloud:
    config:
      server:
        git:
          uri: file:///${HOME}/microservices_config_repo
# Show sensitive information for endpoints:
endpoints:
  sensitive: true
# Security for endpoints:
management:
  security:
    enabled: true
security:
  user:
    name: user1
    password: changeme
```
My issue I am having is that when I start the server up as:
mvn spring-boot:run
The server endpoints FORCE BASIC Authentication.
But when I start the Application.main() method, BASIC Authentication is enabled, but NOT enforced.
Meaning I can access configuration on:
http://localhost:8888/client-config
and
http://user1:changeme@localhost:8888/client-config
Can anyone help me understand why this is occurring and how to enforce BASIC Authentication while running the Application.main(), and not just through the Maven spring-boot plugin?
Note, when I use maven to package the app into a jar, then run the generated jar, BASIC Authentication is enforced, but still not through the IDE running just the Application.main directly.
Maybe it is the format of the YAML; for example, this seems to work for me:
```yaml
server:
  port: 9999
spring:
  application:
    name: config-server-sample
  cloud:
    config:
      name: ${spring.application.name}
      fail-fast: true
      server:
        git:
          uri: url
          username: xx
          password: zz
          default-label: master
          basedir: '${user.home}/${spring.application.name}/default'
          timeout: 10
          clone-on-start: true
          force-pull: true
security:
  basic:
    enabled: true
    path: /**
  ignored: /health**,/info**,/metrics**,/trace**
  user:
    name: admin
    password: tupassword
```
