
I have a domain foobar. When I started my project, I knew I would have my webserver handling traffic for foobar.com. Also, I plan on having an Elasticsearch server I want running at es.foobar.com. I purchased my domain at GoDaddy and I (maybe prematurely) purchased a single-site certificate for foobar.com. I can't change this certificate to a wildcard cert; I would have to purchase a new one. I have my DNS record routing traffic for that simple URL. I'm managing everything using Kubernetes.

Questions:

  1. Is it possible to use my simple single-site certificate for the main site and subdomains like my Elasticsearch server, or do I need to purchase another single-site certificate specifically for the Elasticsearch server? I checked earlier and GoDaddy wants $350 for the multi-site one.
  2. Elasticsearch complicates this somewhat, since if it's being accessed at es.foobar.com and the cert is for foobar.com it's going to reject any requests, right? Elasticsearch needs a cert in order to have solid security.
mj_

1 Answer


Is it possible to use my simple single-site certificate for the main site and subdomains?

To achieve your goal, you can use a name-based virtual hosting Ingress, since most likely your webserver foobar.com and Elasticsearch es.foobar.com work on different ports and will be available under the same IP.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: name-virtual-host-ingress
spec:
  rules:
  - host: foobar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: webserver
            port:
              number: 80
  - host: es.foobar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: elastic
            port:
              number: 9200 # a single integer, not a range; match http.port in elasticsearch.yml (default 9200)

It can also be implemented using a TLS private key and certificate and creating a file for TLS. This is possible for just one level, like *.foobar.com.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: name-virtual-host-ingress
spec:
  tls:
    - hosts:
      - foobar.com
      - es.foobar.com
      secretName: "foobar-secret-tls" # kubernetes.io/tls Secret with tls.crt and tls.key; its SANs must cover every host listed above
  rules:
  - host: foobar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: webserver
            port:
              number: 80
  - host: es.foobar.com
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend:
          service:
            name: elastic
            port:
              number: 9200 # a single integer, not a range; match http.port in elasticsearch.yml (default 9200)

Either way, you need to get a wildcard or a separate certificate for the other domain.

Mykola
  • Could you answer me, did my decision help you? If yes, you could follow [Stack Overflow](https://stackoverflow.com/help/someone-answers) recommendations for evaluating responses. – Mykola Mar 25 '22 at 15:57
  • Could your TLS solution work if the domain is identical (foobar.com) just the ports are different? – mj_ Mar 25 '22 at 16:30
  • Above, I propose a subdomain solution based on Kubernetes, and the code parts are examples. – Mykola Mar 29 '22 at 12:26