K
Q

GKE, NGINX ingress, HTTPS, and certificates

10/31/2019

I have set up a Kubernetes cluster on GCP/GKE and it's all working well except for one thing. When I access the external IP for the service the (default?) "Kubernetes Ingress Controller Fake Certificate" is served.

I am trying to use the NGINX Ingress (https://kubernetes.github.io/ingress-nginx/) and have followed what I believe are the correct instructions for associating a TLS secret with the Ingress. For example:

https://estl.tech/configuring-https-to-a-web-service-on-google-kubernetes-engine-2d71849520d

https://kubernetes.github.io/ingress-nginx/user-guide/tls/

I have created a secret like this:

apiVersion: v1
kind: Secret
metadata:
  name: example-tls
  namespace: default
data:
  tls.crt: [removed]
  tls.key: [removed]
type: kubernetes.io/tls

And associated that secret (which I can confirm is applied correctly and I can see in the cluster config) with the Ingress like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
    kubernetes.io/ingress.allow-http: "false"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/affinity: "cookie"
spec:
  backend:
    serviceName: example-service
    servicePort: 80
  tls:
  - secretName: example-tls

From the documentation I feel that this should work (but, barring a bug, I am obviously mistaken!).

I've also seen some documentation around requiring target proxies for HTTPS. Perhaps that is the way that I should be doing this?

Many thanks for your help in advance.

Cheers, Ben

PS: This is my load balancer configuration:

kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  externalTrafficPolicy: Cluster
  loadBalancerIP: [removed]
  sessionAffinity: ClientIP
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: https

Edit 1: Looking at my Ingress I can see this:

➜  gke git:(develop) ✗ kubectl describe ing example-tls-ingress
Name:             example-tls-ingress
Namespace:        default
Address:          [removed]
Default backend:  example-webapp-service:80 ([removed])
TLS:
  example-tls terminates 
Rules:
  Host  Path  Backends
  ----  ----  --------
  *     *     example-webapp-service:80 ([removed])

So it looks like the secret is picked up.

And this makes me think that there is a difference between Ingress-terminated TLS and Load Balancer-terminated TLS?

-- benjimix
google-kubernetes-engine
nginx
ssl

Similar Questions

Kubernetes LoadBalancer service stopped responding after adding new nodes to cluster
Local kubernetes Hello World in nodejs with Docker
Pod is still running after I delete the parent job
Docker - Upgrading base Image

1 Answer

10/31/2019

You can just refer to this stackoverflow post.

You need to install jetstack cert-Manager, create clusterissuer/issuer, along with a certificate in which you have to pass domain name / hostname and jetstack will automatically create the secret for you, by the name you mentioned in the 'Certificate'.

That secret has to be patched to TLS in ingress rule.

-- Tushar Mahajan
Source: StackOverflow