Dedsec Samy

Reputation: 31

Kubernetes Ingress-Controller and AWS API Gateway client certificate

I have an issue, I want to use an API Gateway client certificate with my ingress config.

  1. I've generated the certificate on AWS.
  2. I've created the secret of this certificate:

    kubectl create secret generic api --from-file=api-gateway-client-certificate.crt \
      --namespace develop
    
  3. I've added the configuration on my ingress file:

    annotations:
      nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
      nginx.ingress.kubernetes.io/auth-tls-secret: "default/api"
      nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
    

Finally I don't know why I get this error on the ingress-controller:

    Error obtaining X.509 certificate: Secret "develop/api" contains no keypair or CA certificate

I use Kubernetes v1.11.1 and nginx-ingress-controller v0.17.1

Upvotes: 3

Views: 1656

Answers (2)

Yuval

Reputation: 834

Had the same error, it's because of a bad naming of the ca file.

Use this to create your secret:

    kubectl create secret generic api --from-file=ca.crt=api-gateway-client-certificate.crt --namespace develop

Upvotes: 0
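Added example (not part of the thread): a shell check showing why the question's `--from-file=api-gateway-client-certificate.crt` produces a data key the controller does not read, while `ca.crt=...` does. It assumes ingress-nginx reads the CA for `auth-tls-secret` from the `ca.crt` key, as the answer above and the error text imply; the function names and the sample certificate file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Key that `kubectl create secret generic --from-file=ARG` stores the file under:
#   ARG = path      -> the file's basename
#   ARG = key=path  -> the explicit key
secret_key_for() {
  local arg="$1"
  case $arg in
    *=*) printf '%s\n' "${arg%%=*}" ;;
    *)   printf '%s\n' "${arg##*/}" ;;
  esac
}

# File path part of the same argument.
secret_path_for() { printf '%s\n' "${1#*=}"; }

# Number of PEM certificate blocks in a file (prints 0 if there are none).
pem_cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true; }

# Assumption: the secret named in auth-tls-secret must hold the CA under "ca.crt".
check_auth_tls_arg() {
  local arg="$1" key path
  key=$(secret_key_for "$arg")
  path=$(secret_path_for "$arg")
  if [ "$key" != "ca.crt" ]; then
    echo "FAIL: data key '$key' is not ca.crt"
    return 1
  fi
  if [ ! -r "$path" ] || [ "$(pem_cert_count "$path")" -eq 0 ]; then
    echo "FAIL: $path contains no PEM certificate"
    return 1
  fi
  echo "OK: ca.crt holds $(pem_cert_count "$path") certificate(s)"
}

demo() {
  local tmp
  tmp=$(mktemp -d)
  # Constructed stand-in for the exported certificate (not a real cert body).
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$tmp/api-gateway-client-certificate.crt"
  ( cd "$tmp" || exit 0
    check_auth_tls_arg api-gateway-client-certificate.crt || true         # question's form
    check_auth_tls_arg ca.crt=api-gateway-client-certificate.crt || true  # answer's form
  )
  rm -rf "$tmp"
}
demo
```

On a live cluster, `kubectl describe secret api --namespace develop` lists the data keys the secret actually holds.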

Rico

Reputation: 61571

So you are missing the key and/or the CA for your cert. Did you use a private CA in AWS? The regular certificate manager doesn't give you a key file because it creates the CSR under the hood.

Generally, you'd create your tls secret like this:

    kubectl -n kube-system create secret tls my-tls-cert --key=tls.key --cert=tls.crt

Also, I would append the CA that begins with -----BEGIN CERTIFICATE----- to the content of api-gateway-client-certificate.crt

Upvotes: 3
