c_p_bacon

Reputation: 31

Replace Kubernetes Ingress Controller Fake Certificate on nginx-ingress-controller

We are running an application on k8s cluster on GKE.

We are using an nginx-ingress-controller as external load-balancer Service which is reachable on, let's say, https://12.345.67.98 . We are facing the issue that, when we directly access the load-balancer on the mentioned URL, we get a certificate warning because a self-signed "Kubernetes Ingress Controller Fake Certificate" is used.

We only have Ingress objects that map our domains (e.g. app.our-company.com) to Kubernetes services. The nginx load-balancer is a Kubernetes Service of load-balancer type. For SSL/TLS on our domains, cert-manager is used. There is no issue when accessing these domains, only when we directly access the load-balancer on the IP address.

Is there a way to somehow replace the certificate on the load-balancer, so it's not using the default fake certificate anymore?

Upvotes: 3

Views: 12179

Answers (2)

Sathish Krishnan

Reputation: 61

You can override the default SSL certificate during Ingress Controller helm installation. Ref: https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml

  ## Additional command line arguments to pass to nginx-ingress-controller
  ## E.g. to specify the default SSL certificate you can use
  ## extraArgs:
  ##   default-ssl-certificate: "<namespace>/<secret_name>"
  extraArgs: {}

Upvotes: 2

Rakesh Gupta

Reputation: 3750

You need to define a secret with your CA-signed certificate and the private key. These will have to be base64 encoded in the secret. You will then use this secret in the "tls" section of the ingress manifest.

Ensure that the certificate chain (cert -> intermediate CA -> root CA) is established in the certificate above.

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nginx-test
spec:
  tls:
    - hosts:
      - foo.bar.com
      # This assumes tls-secret exists and the SSL
      # certificate contains a CN for foo.bar.com
      secretName: tls-secret
  rules:
    - host: foo.bar.com
      http:
        paths:
        - path: /
          backend:
            # This assumes http-svc exists and routes to healthy endpoints
            serviceName: http-svc
            servicePort: 80


Upvotes: 2
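Putting both answers together, here is an added example (not code from either answerer or from the ingress-nginx project): it renders the kubernetes.io/tls Secret that holds the CA-signed chain and key, checks that the chain file actually contains more than the leaf, and prints the helm value that makes that secret the controller's default certificate so that requests hitting the load-balancer IP (which match no Ingress host) no longer get the fake certificate. The namespace `ingress-nginx`, the secret name `default-tls` and the file names `cert.pem` / `key.pem` are assumptions.

```shell
#!/bin/sh
# Added example, not from the question or either answer.
# Assumes cert.pem holds leaf -> intermediate -> root (leaf first) and
# key.pem the matching private key; namespace/secret names are placeholders.
set -eu

# Render a kubernetes.io/tls Secret. Kubernetes expects tls.crt and tls.key
# under `data:` as single-line base64, which is what "base64 encoded" means
# in the answer above.
render_tls_secret() {  # args: namespace secret_name cert_file key_file
    ns=$1; name=$2; crt=$3; key=$4
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: kubernetes.io/tls\ndata:\n  tls.crt: %s\n  tls.key: %s\n' \
        "$name" "$ns" "$(base64 < "$crt" | tr -d '\n')" "$(base64 < "$key" | tr -d '\n')"
}

# Count PEM CERTIFICATE blocks in the chain file. A chain that carries only
# the leaf (count 1) is what usually makes clients still reject the cert even
# though it is CA-signed; the leaf must be the first block in the file.
chain_cert_count() {  # args: cert_file
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# The chart's controller.extraArgs entry from the first answer, as a helm
# --set value. The controller flag is --default-ssl-certificate=<ns>/<secret>.
helm_default_cert_flag() {  # args: namespace secret_name
    printf '%s\n' "--set controller.extraArgs.default-ssl-certificate=$1/$2"
}

# Usage against a real cluster (placeholders as above):
#   render_tls_secret ingress-nginx default-tls cert.pem key.pem | kubectl apply -f -
#   helm upgrade ingress-nginx ingress-nginx/ingress-nginx -n ingress-nginx \
#       $(helm_default_cert_flag ingress-nginx default-tls)
# Check what the load balancer serves when reached by IP (no SNI is sent for an IP):
#   openssl s_client -connect 12.345.67.98:443 </dev/null 2>/dev/null \
#       | openssl x509 -noout -subject -issuer
```

After the helm upgrade the controller pods restart; the `openssl x509 -subject` line should then show your certificate's subject instead of "Kubernetes Ingress Controller Fake Certificate".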
