CockroachDB (K8s) Custom Cloudflare Certificate

Hi guys, I’m using the CockroachDB Operator on GKE and I’m wondering how I can use a custom Cloudflare Origin Certificate in my cluster… so eventually I can go to my CockroachDB UI from https://db.mydomain.com (for example).

I’ve downloaded the origin crt, private key and origin CA that Cloudflare provides.

Then I ran the following command to create the secret with my TLS files:

kubectl create secret generic cockroachdb-tls --from-file=tls.key --from-file=tls.crt --from-file=ca.crt

Currently my cockroachdb.yml file looks like this:

apiVersion: crdb.cockroachlabs.com/v1alpha1
kind: CrdbCluster
metadata:
  name: cockroachdb
spec:
  clientTLSSecret: cockroachdb-tls
  dataStore:
    pvc:
      spec:
        accessModes:
          - ReadWriteOnce
        resources:
          requests:
            storage: "60Gi"
        volumeMode: Filesystem
  resources:
    requests:
      cpu: 500m
      memory: 2Gi
    limits:
      cpu: 2
      memory: 8Gi
  tlsEnabled: true
  image:
    name: cockroachdb/cockroach:v21.2.0
  nodes: 3
  additionalLabels:
    crdb: is-cool

Unfortunately when I go to https://db.mydomain.com:8080 I get the following error:

This site can’t provide a secure connection 
db.mydomain.com sent an invalid response.
Try running Windows Network Diagnostics.
ERR_SSL_PROTOCOL_ERROR

I guess I would love some insight as to what I could be doing wrong. When I included the nodeTLSSecret field and applied the config… I was getting the following errors from inside my pods:

Error
2021-11-26 22:57:15.313 ESTW211127 03:57:15.313598 26 security/certificate_loader.go:354 ⋮ [-] 21 could not parse certificate for ‹/cockroach/cockroach-certs/client.root.crt›: ‹failed to validate certificate 0 in file client.root.crt: client certificate has principals ["CloudFlare Origin Certificate" "*.mydomain.com" "mydomain.com"], expected "root"›
Error
2021-11-26 22:57:15.313 ESTI211127 03:57:15.313673 69 3@vendor/github.com/cockroachdb/pebble/event.go:639 ⋮ [n?,pebble,s?] 22 [JOB 1] WAL deleted 008171
Error
2021-11-26 22:57:15.313 ESTI211127 03:57:15.313891 69 3@vendor/github.com/cockroachdb/pebble/event.go:639 ⋮ [n?,pebble,s?] 23 [JOB 1] WAL deleted 008184
Error
2021-11-26 22:57:15.314 ESTI211127 03:57:15.314091 69 3@vendor/github.com/cockroachdb/pebble/event.go:639 ⋮ [n?,pebble,s?] 24 [JOB 1] WAL deleted 008185
Error
2021-11-26 22:57:15.314 ESTI211127 03:57:15.314356 69 3@vendor/github.com/cockroachdb/pebble/event.go:639 ⋮ [n?,pebble,s?] 25 [JOB 1] WAL deleted 008186
Error
2021-11-26 22:57:15.315 ESTI211127 03:57:15.315443 69 3@vendor/github.com/cockroachdb/pebble/event.go:639 ⋮ [n?,pebble,s?] 26 [JOB 1] WAL deleted 008187
Error
2021-11-26 22:57:15.316 ESTI211127 03:57:15.316164 69 3@vendor/github.com/cockroachdb/pebble/event.go:639 ⋮ [n?,pebble,s?] 27 [JOB 1] WAL deleted 008188
Error
2021-11-26 22:57:15.318 ESTI211127 03:57:15.316233 71 3@vendor/github.com/cockroachdb/pebble/event.go:587 ⋮ [n?,pebble,s?] 28 [JOB 2] compacting(default) L0 [008191 008192 008193 008194 008195 008196 008197 008198] (1.3 M) + L5 [008174 008175 008176 008177 008178 008179 008180 008181 008182 008183] (37 M)
Error
2021-11-26 22:57:15.319 ESTI211127 03:57:15.319573 69 3@vendor/github.com/cockroachdb/pebble/event.go:639 ⋮ [n?,pebble,s?] 29 [JOB 1] WAL deleted 008189
Error
2021-11-26 22:57:15.320 ESTI211127 03:57:15.320136 69 3@vendor/github.com/cockroachdb/pebble/event.go:639 ⋮ [n?,pebble,s?] 30 [JOB 1] WAL deleted 008190
Error
2021-11-26 22:57:15.320 ESTI211127 03:57:15.320204 69 3@vendor/github.com/cockroachdb/pebble/event.go:615 ⋮ [n?,pebble,s?] 31 [JOB 1] MANIFEST deleted 008169
Error
2021-11-26 22:57:15.327 ESTE211127 03:57:15.327522 1 1@cli/clierror/check.go:35 ⋮ [-] 32 ‹ERROR›: cannot load certificates.
Error
2021-11-26 22:57:15.327 ESTE211127 03:57:15.327522 1 1@cli/clierror/check.go:35 ⋮ [-] 32 +Check your certificate settings, set --certs-dir, or use --insecure for insecure clusters.
Error
2021-11-26 22:57:15.327 ESTE211127 03:57:15.327522 1 1@cli/clierror/check.go:35 ⋮ [-] 32 +failed to start server: ‹problem using security settings: client/server node certificate has principals ["CloudFlare Origin Certificate" "*.mydomain.com" "mydomain.com"], expected "node"›
Error
2021-11-26 22:57:15.327 ESTERROR: cannot load certificates.
Error
2021-11-26 22:57:15.327 ESTCheck your certificate settings, set --certs-dir, or use --insecure for insecure clusters.
Error
2021-11-26 22:57:15.327 EST{}
Error
2021-11-26 22:57:15.327 ESTfailed to start server: problem using security settings: client/server node certificate has principals ["CloudFlare Origin Certificate" "*.mydomain.com" "mydomain.com"], expected "node"
Error
2021-11-26 22:57:15.327 ESTFailed running "start"

Thanks for any assistance in advance!! Would love to know how other people approached using custom Cloudflare certificates!!
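The log lines above spell out what the operator's pods were checking: the certificate mounted as the node certificate must carry the principal "node", and the one mounted as the root client certificate must carry "root", while the Cloudflare origin certificate only carries "CloudFlare Origin Certificate", "*.mydomain.com" and "mydomain.com". The following shell check is an added example (not code from the original post or from the CockroachDB project) that lists a PEM certificate's principals the same way the error message does (subject CN followed by the DNS SANs) and reports whether the expected principal is present, so a certificate can be inspected before it is packed into a Kubernetes secret. It assumes OpenSSL 1.1.1 or later is on PATH (for `-ext`); the file paths and the expected principal are whatever you pass in.

```bash
#!/usr/bin/env bash
# Added example, not part of the original post: inspect a PEM certificate the
# way CockroachDB reports it ("principals" = subject CN + DNS SANs) and check
# that the principal it expects is actually there.
# Assumes: openssl >= 1.1.1 in PATH (needed for `x509 -ext`).

# Print the subject Common Name of a PEM certificate.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Print the DNS names from the subjectAltName extension, one per line.
# Old OpenSSL without `-ext` prints nothing here; the CN check still works.
cert_dns_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\)[[:space:]]*$/\1/p'
}

# Principals in the order CockroachDB lists them: CN first, then DNS SANs.
cert_principals() {
  cert_cn "$1"
  cert_dns_sans "$1"
}

# check_principal <cert.pem> <expected>
# Returns 0 when <expected> is one of the certificate's principals, otherwise
# prints a CockroachDB-style diagnostic to stderr and returns 1.
check_principal() {
  local cert=$1 expected=$2 principals
  if cert_principals "$cert" | grep -qxF -- "$expected"; then
    echo "$cert: OK, principal '$expected' present"
    return 0
  fi
  principals=$(cert_principals "$cert" | paste -s -d ',' -)
  echo "$cert: has principals [$principals], expected '$expected'" >&2
  return 1
}

# Usage: ./check-crdb-cert.sh node.crt node      (node certificate)
#        ./check-crdb-cert.sh client.root.crt root (root client certificate)
if [ $# -ge 1 ]; then
  check_principal "$1" "${2:-node}"
fi
```

Running it against the Cloudflare origin certificate with `node` as the expected principal reproduces the mismatch from the pod log, while a certificate issued with CN `node` (and the cluster's service names as DNS SANs) passes; the DNS SANs are what the UI hostname check on port 8080 relies on, the CN is what CockroachDB identifies the certificate's role by.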