My company has an existing CA certificate for fake.example.com and an A record that maps fake.example.com to the IP of our load balancer.
The load balancer is forwarding traffic to our Kubernetes cluster.
In the cluster, I've deployed the nginx-ingress helm chart, exposing NodePort for https at 30200.
I've created a k8s TLS secret named test-secret from the above certificate.
I've deployed an app with service 'test' and have installed the following ingress:
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: test-ingress
      namespace: default
      annotations:
        kubernetes.io/ingress.class: nginx
    spec:
      tls:
      - hosts:
        - fake.example.com
        secretName: test-secret
      rules:
      - host: fake.example.com
        http:
          paths:
          - path: /myapp
            backend:
              serviceName: test
              servicePort: 8080
So, if I execute

    curl https://{ip for k8s node}:30200/myapp/ping -H 'Host:fake.example.com' -k --verbose
I get the expected response from my app, but I also see

    * Server certificate:
    * subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
    * start date: Jan 25 20:52:16 2018 GMT
    * expire date: Jan 25 20:52:16 2019 GMT
    * issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate
I've confirmed in the nginx.conf file that for server_name fake.example.com the ssl_certificate, ssl_certificate_key, and ssl_trusted_certificate are pointing to the correct location.
So my question is: is it possible to configure nginx to use the correct certificate in this scenario?
You have to create a secret named test-secret.

    ➜ charts git:(master) kubectl describe secret --namespace operation mydomain.cn-cert
    Name: mydomain.cn-cert
    Namespace: operation
    Labels: <none>
    Annotations: <none>
    Type: Opaque
    Data
    ====
    tls.crt: 3968 bytes
    tls.key: 1678 bytes
The ingress controller will default to Kubernetes Ingress Controller Fake Certificate when no certificate is available (which you say is in test-secret), the certificate is invalid, or if the controller can't find a matching host in .spec.tls[], or you hit the default-backend without a default TLS cert configured.

Since you are able to reach your service, then I suspect that either:

- test-secret is invalid, maybe because you are missing an intermediate, or CA certificate
- test-secret is in the wrong namespace
- https://{ip for k8s node}:30200/myapp/ping -H 'Host:fake.example.com' or the -k flag?

It's unusual to expose your ingress controller as NodePort when you have a load balancer in front of it. If this is a cloud deployment, then you would use type LoadBalancer. If this is on premise, you might look at MetalLB.