We are running an application on k8s cluster on GKE.
We are using an nginx-ingress-controller
as external load-balancer Service which is reachable on, let's say, https://12.345.67.98 . We are facing an issue that when we directly access the load-balancer on mentioned URL, we get a certificate warning because a self-signed "Kubernetes Ingress Controller Fake Certificate" is used.
We only have Ingress objects that are mapping our domains (e.g. app.our-company.com) to Kubernetes services. The nginx load-balancer is a Kubernetes Service with load-balancer type. For SSL/TLS for our domains cert-manager
is used. There is no issue when accessing these domains, only when we directly access the load-balancer on the IP-Address.
Is there a way to somehow replace the certificate on the load-balancer, so it's not using the default fake certificate anymore?
You need to define a secret with your CA signed certificate and the private key. These will have to be base64 encoded in the secret. You will then use this secret in the "tls" section of the ingress manifest.
Ensure that the certificate chain (cert -> intermediate CA -> root CA) is established in the certificate above.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: nginx-test
spec:
tls:
- hosts:
- foo.bar.com
# This assumes tls-secret exists and the SSL
# certificate contains a CN for foo.bar.com
secretName: tls-secret
rules:
- host: foo.bar.com
http:
paths:
- path: /
backend:
# This assumes http-svc exists and routes to healthy endpoints
serviceName: http-svc
servicePort: 80
You can override default SSL certificate during Ingress Controller helm installation. Ref: https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml
## Additional command line arguments to pass to nginx-ingress-controller
## E.g. to specify the default SSL certificate you can use
## extraArgs:
## default-ssl-certificate: "<namespace>/<secret_name>"
extraArgs: {}