yaja6021

Reputation: 161

Adding SSL certificate to ingress controller vs adding it to ingress resource

Ingress controller deployment.yml

spec:
  containers:
    - args:
        - /nginx-ingress-controller
        - --default-backend-service=stratus/nginx-ingress-default-backend
        - --election-id=ingress-controller-leader
        - --ingress-class=nginx
        - --configmap=ingress-controller-leader-nginx
        - --enable-ssl-passthrough

Ingress resource.yml

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: 'REPOSITORY_NAME'
  namespace: service
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-passthrough: "false"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
    - hosts:
        - "xyz-development.com"
    - secretName: ingress-secret-tls
  rules:
    - host: "xyz-development.com"
      http:
        paths:
        - path: /service/
          backend:
            serviceName: 'REPOSITORY_NAME'
            servicePort: 8080

The secret consists of a signed certificate with the CN xyz-development.com.

Endpoint: xyz-development.com/service/swagger-ui.html

If I try to access the endpoint with the above config, I end up with "Your connection is not private" error.

But if I modify the ingress controller deployment.yml to

spec:
  containers:
    - args:
        - /nginx-ingress-controller
        - --default-backend-service=stratus/nginx-ingress-default-backend
        - --election-id=ingress-controller-leader
        - --ingress-class=nginx
        - --configmap=stratus/ingress-controller-leader-nginx
        - --enable-ssl-passthrough
        - --default-ssl-certificate=service/ingress-secret-tls

Then the site is secure with my valid certificate.

  1. Is this expected behaviour?
  2. Even if the default ssl certificate flag is removed in the controller, shouldn't the secret mentioned in the ingress resource.yml be used?
  3. Any other pointers or better practices would be appreciated.

Upvotes: 1

Views: 3137

Answers (2)

Timothy Leung

Reputation: 1465

When you get the "connection is not private" error, are you hitting the URL https://xyz-development.com/ or using an IP address instead? If you are using an IP address, NGINX will not load that TLS certificate; it might load another default certificate (the Kubernetes fake certificate if you are running on k8s).

And when you add that configuration to the ingress controller directly, it becomes your default TLS certificate, so whatever domain name you are using, it will give you that certificate.

Upvotes: 0

Bernard Halas

Reputation: 1190

There's a minor typo in your manifest that's causing the first option to fail; it should not be a new element in the array of .spec.tls entries:

- secretName: ingress-secret-tls # wrong
  secretName: ingress-secret-tls # correct

Upvotes: 3
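The stray `- ` in the question's `.spec.tls` block is easy to miss by eye, so here is a small lint that catches it before the manifest is applied. This is an added example, not code from the question or either answer; it assumes the Ingress has already been parsed into a dict (for instance with PyYAML, or from `kubectl get ingress -o json`), and the two manifests embedded below are constructed from the question's YAML.

```python
# Lint the .spec.tls section of a parsed Ingress manifest (added example).
# Assumes the caller has already turned the YAML/JSON into a Python dict.

def lint_ingress_tls(ingress: dict) -> list:
    """Return human-readable findings; an empty list means the TLS block is sane."""
    findings = []
    spec = ingress.get("spec", {})
    covered_hosts = set()  # hosts that have a certificate secret bound to them
    for i, entry in enumerate(spec.get("tls") or []):
        hosts = entry.get("hosts") or []
        secret = entry.get("secretName")
        if hosts and not secret:
            findings.append(f"tls[{i}] lists hosts {hosts} but no secretName; "
                            "those hosts get no certificate from this Ingress")
        if secret and not hosts:
            findings.append(f"tls[{i}] names secret '{secret}' but lists no hosts; "
                            "a stray '- ' probably split it from the previous entry")
        if hosts and secret:
            covered_hosts.update(h.lower() for h in hosts)
    for j, rule in enumerate(spec.get("rules") or []):
        host = rule.get("host")
        if host and host.lower() not in covered_hosts:
            findings.append(f"rules[{j}] host '{host}' has no matching tls entry; "
                            "the controller falls back to its default certificate")
    return findings

# Constructed from the question's resource.yml: the broken two-item tls list.
BROKEN_INGRESS = {
    "spec": {
        "tls": [{"hosts": ["xyz-development.com"]},
                {"secretName": "ingress-secret-tls"}],
        "rules": [{"host": "xyz-development.com"}],
    }
}

# The same manifest with hosts and secretName in one entry, as the answer suggests.
FIXED_INGRESS = {
    "spec": {
        "tls": [{"hosts": ["xyz-development.com"],
                 "secretName": "ingress-secret-tls"}],
        "rules": [{"host": "xyz-development.com"}],
    }
}

if __name__ == "__main__":
    for name, ing in (("broken", BROKEN_INGRESS), ("fixed", FIXED_INGRESS)):
        print(f"{name}: {lint_ingress_tls(ing) or ['ok']}")
```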
