CN mismatch in Securing nginx example #33169

Open
miteshskj opened this issue Apr 24, 2022 · 15 comments
Labels
help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. triage/accepted Indicates an issue or PR is ready to be actively worked on.

Comments

@miteshskj
Contributor

On the page https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#securing-the-service
there are two methods provided to create a certificate for setting up nginx with SSL:

  1. Using "make keys KEY=/tmp/nginx.key CERT=/tmp/nginx.crt" inside https://github.com/kubernetes/examples/tree/master/staging/https-nginx/
  2. Using the openssl command.

In method 1, the subj used is CN=nginxsvc/O=nginxsvc and in method 2 it's /CN=my-nginx/O=my-nginx

Further down the document, the following command is provided to access the site without an SSL error:
kubectl exec curl-deployment-1515033274-1410r -- curl https://my-nginx --cacert /etc/nginx/ssl/tls.crt

This command works fine if the certificate is generated using method 2. However, it will give the following error if method 1 is used:
kubectl exec curl-deployment-948555475-7mnx9 -- curl https://my-nginx --cacert /etc/nginx/ssl/tls.crt
curl: (51) SSL: certificate subject name 'nginxsvc' does not match target host name 'my-nginx'
command terminated with exit code 51

The subj can be changed in https://github.com/kubernetes/examples/blob/master/staging/https-nginx/Makefile to match my-nginx, however I am not sure if it would impact other examples.

Any suggestions/comments?

@k8s-ci-robot k8s-ci-robot added the needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. label Apr 24, 2022
@jihoon-seo
Member

I confirmed that this is reproducible and your suggestion LGTM.
/triage accepted

I searched for "nginxsvc" in kubernetes/website repo, but found nothing.
But in kubernetes/examples repo, a few strings were found.

So it seems that we have to replace all the "nginxsvc" strings with "my-nginx" in kubernetes/examples repo. 😊

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Apr 25, 2022
@miteshskj
Contributor Author

Thanks @jihoon-seo, will send a PR to examples repo.

@sftim
Contributor

sftim commented Jul 14, 2022

Maybe we should leave the examples repo as is, and update the website repo?

@sftim
Contributor

sftim commented Aug 4, 2022

Duplicated by #35697

@sftim
Contributor

sftim commented Aug 4, 2022

Duplicated by #34322

@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 2, 2022
@vaibhav2107
Member

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 29, 2022
@k8s-triage-robot

This issue has not been updated in over 1 year, and should be re-triaged.

You can:

  • Confirm that this issue is still relevant with /triage accepted (org members only)
  • Close this issue with /close

For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/

/remove-triage accepted

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. and removed triage/accepted Indicates an issue or PR is ready to be actively worked on. labels Jan 19, 2024
@k8s-triage-robot

The Kubernetes project currently lacks enough contributors to adequately respond to all issues.

This bot triages un-triaged issues according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue as fresh with /remove-lifecycle stale
  • Close this issue with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 18, 2024
@divya-mohan0209
Contributor

/remove-lifecycle stale
/lifecycle frozen
/triage accepted

@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels May 9, 2024
@divya-mohan0209
Contributor

This is still valuable IMO.

For people who will take up the issue - please note that you need to be making changes to the k/website repo and NOT the examples repo.

/help

@k8s-ci-robot
Contributor

@divya-mohan0209:
This request has been marked as needing help from a contributor.

Guidelines

Please ensure that the issue body includes answers to the following questions:

  • Why are we solving this issue?
  • To address this issue, are there any code changes? If there are code changes, what needs to be done in the code and what places can the assignee treat as reference points?
  • Does this issue have zero to low barrier of entry?
  • How can the assignee reach out to you for help?

For more details on the requirements of such an issue, please see here and ensure that they are met.

If this request no longer meets these requirements, the label can be removed
by commenting with the /remove-help command.

In response to this:

This is still valuable IMO.

For people who will take up the issue - please note that you need to be making changes to the k/website repo and NOT the examples repo.

/help

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@k8s-ci-robot k8s-ci-robot added the help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. label May 9, 2024
@ArvindParekh
Member

I'd like to help with this. However, I noticed there's no mention of "nginxsvc" in the kubernetes/website repo, and the page at https://kubernetes.io/docs/concepts/services-networking/connect-applications-service/#securing-the-service also doesn't explicitly mention "nginxsvc". It has a few matches only in the kubernetes/examples repo.

Hence, I'm a bit confused about what changes to make in the website repo. Can you guide me more on what kind of help you're looking for? @sftim

Should I replace the occurrence of my-nginx (which would be too many - 54 on that page) with nginxsvc in the website repo to match with the examples repo, or should I just change the occurrence of nginxsvc in the example at nginx https example, as was done in PR #445, so the example matches with the next steps in the docs?

(Just for context, https://kubernetes.io/docs/tutorials/services/connect-applications-service/ links to https://github.com/kubernetes/examples/tree/master/staging/https-nginx/)

@divya-mohan0209
Contributor

Hi @ArvindParekh, thank you for volunteering!

The changes to be made to the k/website repo would be to replace my-nginx with nginxsvc.

Also, the 54 replacements that you mention on the page include file names. Therefore, the fix for this issue will not be through a simple find-and-replace operation. You will need to ensure that the replacement is for the relevant entries only.

Our aim is to ensure that once you make the relevant fixes to the YAML files on this page, you should be able to run kubectl exec curl-deployment-1515033274-1410r -- curl https://my-nginx/ --cacert /etc/nginx/ssl/tls.crt using both the methods specified in the description of the issue.
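
The mismatch discussed in this issue can be reproduced without a cluster. The following is an added example, not part of the thread or of the Kubernetes docs: it creates throwaway self-signed certificates with the two subjects quoted in the issue and checks each against the host name `my-nginx` using `openssl x509 -checkhost`. The third certificate, which carries both names as subjectAltName entries, goes beyond what the thread proposes; key size, lifetime, file names and function names are assumptions.

```shell
#!/bin/sh
# Subjects are the two quoted in the issue; key size, lifetime and paths are assumptions.

# make_cert SUBJECT OUT [SAN]: throwaway self-signed cert; SAN list is optional.
make_cert() {
    if [ -n "$3" ]; then
        openssl req -x509 -nodes -days 1 -newkey rsa:2048 -keyout "$2.key" \
            -out "$2" -subj "$1" -addext "subjectAltName=$3" 2>/dev/null
    else
        openssl req -x509 -nodes -days 1 -newkey rsa:2048 -keyout "$2.key" \
            -out "$2" -subj "$1" 2>/dev/null
    fi
}

# cert_matches_host CERT HOST: succeeds only if CERT is valid for HOST.
# OpenSSL checks SAN dNSName entries first and falls back to the subject CN
# only when the certificate has none.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match'
}

# report CERT HOST: print one result line per check.
report() {
    if cert_matches_host "$1" "$2"; then r=match; else r=MISMATCH; fi
    printf '%-12s %-10s %s\n' "$(basename "$1")" "$2" "$r"
}

run_demo() {
    d=$(mktemp -d) || return 1
    make_cert "/CN=nginxsvc/O=nginxsvc" "$d/method1.crt"   # subject from method 1
    make_cert "/CN=my-nginx/O=my-nginx" "$d/method2.crt"   # subject from method 2
    make_cert "/CN=nginxsvc/O=nginxsvc" "$d/san.crt" "DNS:my-nginx,DNS:nginxsvc"
    for c in method1 method2 san; do
        report "$d/$c.crt" my-nginx
    done
    rm -rf "$d"
}

run_demo
```

Running `cert_matches_host` against a generated certificate before loading it into the Secret catches the curl error 51 shown in the issue description ahead of deployment.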

@ArvindParekh
Member

I understand. Thank you for helping out, Divya. I'll start working on it.
/assign


8 participants