From 5df7ebe9fd2970b3ccfa16990bd9c1dddaca277c Mon Sep 17 00:00:00 2001 From: David Ansari Date: Fri, 8 Jan 2021 11:37:09 +0100 Subject: [PATCH] Add SAN docs --- docs/examples/tls/README.md | 19 ++++++++++++++++++- 1 file changed, 18 insertions(+), 1 deletion(-) diff --git a/docs/examples/tls/README.md b/docs/examples/tls/README.md index 531e8de70..4e5ea1ecd 100644 --- a/docs/examples/tls/README.md +++ b/docs/examples/tls/README.md @@ -9,10 +9,27 @@ Assuming you already have these created and accessible as `server.pem` and `serv kubectl create secret tls tls-secret --cert=server.pem --key=server-key.pem ``` -This secret can also be created by [Cert Manager](https://cert-manager.io/). +Alternatively, this secret can also be created by [Cert Manager](https://cert-manager.io/). Once the secret exists, you can deploy this example as follows: ```shell kubectl apply -f rabbitmq.yaml ``` + +## SAN attributes for certificates + +Make sure that the certificate's Subject Alternative Name (SAN) contains at least the following attributes: +* `*.-nodes..svc.` +* `..svc.` + +If wildcards are not permitted, you must provide a SAN attribute for each RabbitMQ node in your RabbitMQ cluster. +For example, if you deploy a 3-node RabbitMQ cluster named `myrabbit` in namespace `mynamespace` with the default Kubernetes cluster domain `cluster.local`, the SAN must include at least the following attributes: +* `myrabbit-server-0.myrabbit-nodes.mynamespace.svc.cluster.local` +* `myrabbit-server-1.myrabbit-nodes.mynamespace.svc.cluster.local` +* `myrabbit-server-2.myrabbit-nodes.mynamespace.svc.cluster.local` +* `myrabbit.mynamespace.svc.cluster.local` + +Note that the last SAN attribute is the client service DNS name. +Depending on the service type you use (`spec.service.type`), you might need further SAN attributes. +For example if you use service type `NodePort`, you need to include the external IP address of each K8s node to the SAN.
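Review bot: In the new "SAN attributes for certificates" section, the two generic bullets read as `*.-nodes..svc.` and `..svc.`, with nothing between the dots; the placeholders for the RabbitmqCluster name, the namespace and the cluster domain are missing, so a reader cannot map the generic pattern onto the concrete `myrabbit-server-0.myrabbit-nodes.mynamespace.svc.cluster.local` example that follows. Spell them out, e.g. `*.<name>-nodes.<namespace>.svc.<cluster-domain>` and `<name>.<namespace>.svc.<cluster-domain>`, and state explicitly that the wildcard covers exactly one DNS label (`myrabbit-server-0`), which is why it matches the per-node names. In the NodePort sentence, "include the external IP address of each K8s node to the SAN" should read "in the SAN", and it is worth saying that node addresses go in as IP-address SAN entries rather than DNS names, since clients validate an IP literal against the IP SAN type; it would also help to add a comma after "For example". Finally, "Alternatively, this secret can also be created" is redundant; keep either "Alternatively" or "also", not both.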