k8s nginx ingress TLS rules: cert vs. paths

Question

I am struggling to get my nginx ingress (on AWS EKS) working with path rules and TLS.

The ingress is from here

A snippet from the Ingress looks like:

spec:
  tls:
  - hosts:
      - example.com
    secretName: ingress-tls
  rules:
  - host: example.com
  - http:
      paths:
      - path: /api
        pathType: Prefix
        backend:
          service:
            name: api-service
            port:
              number: 443

This ingress creates the AWS network load balancer, with a URL like https://xyz.elb.us-west-1.amazonaws.com/

I am updating the ingress-tls secret with a certificate using cert-manager.

When I access the ingress using the NLB URL https://xyz.elb.us-west-1.amazonaws.com/api, I get

GOOD: Correct routing based on the path rules from the ingress definition (i.e. it goes to my api-service as expected)
BAD: Certificate errors since I'm not accessing the ingress with the domain that the certificate is for.

When I access the ingress using the correct domain e.g. https://example.com/api which is what I want to do, I get:

BAD: 404, it doesn't respect my path rules, and goes to upstream-default-backend instead.
GOOD: certificate all good, it’s the one for example.com that cert-manager configured.

I tried removing the host: example.com from the rules:, which gives me:

GOOD: Correct routing based on the path rules from the ingress definition
BAD: Certificate errors, it serves up the default ingress “Fake” certificate instead of the one for example.com, I guess since the host is missing from the rules, though not sure of the exact reason.

Can someone please help me get

GOOD
GOOD

I’m at a loss here.

k8s nginx ingress TLS rules: cert vs. paths

Answers (1)

Related Questions