stackoom
  简体   繁体   中英

Replace Kubernetes Ingress Controller Fake Certificate fake on nginx-ingress-controller

 原文  2021-05-27 16:48:07       nginx/ kubernetes/ certificate/ kubernetes-ingress/ cert-manager

Question

We are running an application on k8s cluster on GKE.

We are using an nginx-ingress-controller as external load-balancer Service which is reachable on, let's say, https://12.345.67.98 . We are facing an issue that when we directly access the load-balancer on mentioned URL, we get a certificate warning because a self-signed "Kubernetes Ingress Controller Fake Certificate" is used.

We only have Ingress objects that are mapping our domains (eg app.our-company.com) to Kubernetes services. The nginx load-balancer is a Kubernetes Service with load-balancer type. For SSL/TLS for our domains cert-manager is used. There is no issue when accessing these domains, only when we directly access the load-balancer on the IP-Address.

Is there a way to somehow replace the certificate on the load-balancer, so it's not using the default fake certificate anymore?

2 answers

solution1
 1  2021-05-27 17:19:21

You need to define a secret with your CA signed certificate and the private key. These will have to be base64 encoded in the secret. You will then use this secret in the "tls" section of the ingress manifest.

Ensure that the certificate chain (cert -> intermediate CA -> root CA) is established in the certificate above.

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: nginx-test
spec:
  tls:
    - hosts:
      - foo.bar.com
      # This assumes tls-secret exists and the SSL
      # certificate contains a CN for foo.bar.com
      secretName: tls-secret
  rules:
    - host: foo.bar.com
      http:
        paths:
        - path: /
          backend:
            # This assumes http-svc exists and routes to healthy endpoints
            serviceName: http-svc
            servicePort: 80

References

solution2
 1  2021-08-01 13:12:28

You can override default SSL certificate during Ingress Controller helm installation. Ref: https://github.com/kubernetes/ingress-nginx/blob/main/charts/ingress-nginx/values.yaml

  ## Additional command line arguments to pass to nginx-ingress-controller
  ## E.g. to specify the default SSL certificate you can use
  ## extraArgs:
  ##   default-ssl-certificate: "<namespace>/<secret_name>"
  extraArgs: {}

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Change Kubernetes nginx-ingress-controller ports Kubernetes Ingress Controller Fake Certificate on GKE for WSO2 API Management Let's Encrypt kubernetes Ingress Controller issuing Fake Certificate Kubernetes's Ingress has no effect on nginx-ingress-controller Unable to access Kubernetes ClusterIP services via nginx-ingress-controller nginx-ingress-controller: Error while initializing connection to Kubernetes apiserver Accessing nginx-ingress-controller error log gRPC in EKS on AWS with Nginx-Ingress-Controller Ingress resource vs NGINX ingress controller on Kubernetes K8S baremetal nginx-ingress-controller
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM