I suspect this is more of a question for the EKS team at Amazon but I thought I’d still ask here to see if anyone has a workaround for this, or I’m doing something dumb.
I have Kubernetes clusters running in EKS in various VPCs with their k8s API endpoints set to private, so they can only be accessed via my “access” VPC that contains Boundary.
As Boundary is doing TCP level proxying, kubectl and terraform complain of insecure certificates, which makes sense as the self-signed cert that AWS is issuing for the API only contains its IPs as valid names.
Unable to connect to the server: x509: certificate is valid for 172.20.0.1, 10.0.31.62, 172.16.184.187, not 127.0.0.1
It’s easy to work around this by setting the insecure flag everywhere, but it seems dirty and leaves MITM a possibility.
I’m thinking outside of being able to customize the certificate within the EKS service, there isn’t much I’m going to be able to do to get around this?
Would appreciate any ideas!
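The failure mode above comes down to how Go's TLS client (which kubectl uses) picks the name it verifies the server certificate against: with nothing else configured it uses the host that was dialled, which behind a local TCP proxy is 127.0.0.1, so a certificate with only IP SANs for the real endpoint fails the name check even though its chain validates. The following is an added example, not code from the original post or from Boundary, EKS or kubectl. It mints a self-signed certificate whose SANs are the three IPs quoted in the error message (used here as constructed sample values), serves it on a 127.0.0.1 listener that stands in for the Boundary-side local port, and then shows that verification fails with the default name and succeeds when the client is told to verify against one of the real SAN IPs while the trust pool contains the cluster CA. That is the mechanism behind kubectl's `--tls-server-name` flag and the `tls-server-name` field on a kubeconfig cluster entry; the rest of the verification (chain, validity) stays intact, so this does not require the insecure flag.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newSelfSignedCert mints a self-signed server certificate whose only SANs are
// the given IP addresses, mimicking the endpoint certificate described in the
// post (IP SANs only, no DNS name, no 127.0.0.1). Constructed test material.
func newSelfSignedCert(sanIPs []string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kube-apiserver"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	for _, s := range sanIPs {
		ip := net.ParseIP(s)
		if ip == nil {
			return tls.Certificate{}, nil, fmt.Errorf("bad IP SAN %q", s)
		}
		tmpl.IPAddresses = append(tmpl.IPAddresses, ip)
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	roots := x509.NewCertPool() // plays the role of certificate-authority-data in kubeconfig
	roots.AddCert(parsed)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, roots, nil
}

// StartFakeAPIServer listens on 127.0.0.1 (standing in for the local Boundary
// listener that forwards to the private endpoint) and presents the IP-SAN
// certificate. It returns the address to dial, the trust pool and a stop func.
func StartFakeAPIServer(sanIPs []string) (string, *x509.CertPool, func(), error) {
	cert, roots, err := newSelfSignedCert(sanIPs)
	if err != nil {
		return "", nil, nil, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return "", nil, nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			// Complete the handshake so the client can verify, then hang up.
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); _ = c.Close() }(c)
		}
	}()
	return ln.Addr().String(), roots, func() { _ = ln.Close() }, nil
}

// VerifyThroughProxy dials the local proxy address and verifies the presented
// certificate. With serverName == "" Go checks the certificate against the
// dialled host (127.0.0.1) and fails, exactly as kubectl does. Setting
// serverName to one of the endpoint's real SANs keeps full chain and name
// verification while still dialling localhost (kubectl: --tls-server-name).
func VerifyThroughProxy(addr, serverName string, roots *x509.CertPool) error {
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: roots, ServerName: serverName})
	if err != nil {
		return err
	}
	return conn.Close()
}

func main() {
	sans := []string{"172.20.0.1", "10.0.31.62", "172.16.184.187"} // values from the post's error
	addr, roots, stop, err := StartFakeAPIServer(sans)
	if err != nil {
		panic(err)
	}
	defer stop()
	fmt.Println("default name check:", VerifyThroughProxy(addr, "", roots))
	fmt.Println("pinned to real SAN:", VerifyThroughProxy(addr, "10.0.31.62", roots))
}
```

The first call reproduces the x509 "certificate is valid for ... not 127.0.0.1" error; the second succeeds because the name being verified now matches an IP SAN and the trust pool holds the issuing certificate. A name that is not in the SAN list still fails, which is the property that distinguishes this from the insecure flag: a different certificate presented on the local port would be rejected rather than accepted.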