I have an issue: I want to use an API Gateway client certificate with my ingress config.
I've created the secret of this certificate:
kubectl create secret generic api --from-file=api-gateway-client-certificate.crt --namespace develop
I've added the configuration on my ingress file:
annotations:
  nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
  nginx.ingress.kubernetes.io/auth-tls-secret: "default/api"
  nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
Finally I don't know why I get this error on the ingress-controller:
Error obtaining X.509 certificate: Secret "develop/api" contains no keypair or CA certificate
I use Kubernetes v1.11.1 and nginx-ingress-controller v0.17.1
Yes, you are right, I don't have the private key. I use the client certificate from API Gateway and it doesn't give me access to the key; I just have the CA.
I tried to add the private key from my domain CA, but the private key doesn't match the public key: https://docs.aws.amazon.com/apigateway/latest/developerguide/getting-started-client-side-ssl-authentication.html#certificate-validation
I don't know how I can add the API Gateway client certificate.
Had the same error; it's because of bad naming of the CA file.
Use this to create your secret:
kubectl create secret generic api --from-file=ca.crt=api-gateway-client-certificate.crt --namespace develop
So you are missing the key and/or the CA for your cert. Did you use a private CA in AWS? The regular Certificate Manager doesn't give you a key file because it creates the CSR under the hood.
Generally, you'd create your tls secret like this:
kubectl -n kube-system create secret tls my-tls-cert --key=tls.key --cert=tls.crt
Also, I would append the CA that begins with -----BEGIN CERTIFICATE----- to the content of api-gateway-client-certificate.crt
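
The two answers above come down to which key names the Secret carries. The following is an added example, not code from the original posts or from the ingress-nginx project: a pre-flight check over the JSON printed by `kubectl get secret api -n develop -o json`. It assumes the controller looks for the key names the answers use (`ca.crt`, or `tls.crt` plus `tls.key`), checks only PEM framing rather than parsing X.509, and uses constructed placeholder PEM bodies and a hypothetical helper `make_secret`.

```python
import base64

CERT_MARK = "-----BEGIN CERTIFICATE-----"
KEY_MARK = "PRIVATE KEY-----"  # matches both PKCS#8 and "RSA PRIVATE KEY" framing

# Constructed placeholders: valid PEM framing, not real key material.
FAKE_CERT = CERT_MARK + "\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
FAKE_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"


def _pem(data, name):
    """Decode one base64 Secret value; return '' if absent or not valid base64."""
    try:
        raw = base64.b64decode(data.get(name, ""), validate=True)
    except ValueError:
        return ""
    return raw.decode("ascii", "replace")


def classify_secret(secret):
    """Classify a Secret dict by the key names assumed to matter to the controller."""
    data = secret.get("data") or {}
    has_ca = CERT_MARK in _pem(data, "ca.crt")
    has_pair = CERT_MARK in _pem(data, "tls.crt") and KEY_MARK in _pem(data, "tls.key")
    if has_ca and has_pair:
        return "keypair+ca"
    if has_ca:
        return "ca"
    if has_pair:
        return "keypair"
    return "no keypair or CA certificate (keys present: %s)" % sorted(data)


def make_secret(files):
    """Hypothetical helper: mimic how --from-file stores each file under a key."""
    data = {k: base64.b64encode(v.encode()).decode() for k, v in files.items()}
    return {"kind": "Secret", "data": data}


# --from-file=api-gateway-client-certificate.crt (key name = file name)
ASKER = make_secret({"api-gateway-client-certificate.crt": FAKE_CERT})
# --from-file=ca.crt=api-gateway-client-certificate.crt
RENAMED = make_secret({"ca.crt": FAKE_CERT})
# kubectl create secret tls ... --key=tls.key --cert=tls.crt
TLS = make_secret({"tls.crt": FAKE_CERT, "tls.key": FAKE_KEY})

if __name__ == "__main__":
    for name, s in (("asker", ASKER), ("renamed", RENAMED), ("tls", TLS)):
        print(name, "->", classify_secret(s))
```

For a live cluster, parse the `kubectl ... -o json` output with `json.loads` and pass the result to `classify_secret`.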