I was trying to install my organization's client certificate chain (the matching certificate is installed on all organization user laptops, so only organization users can access the service) in an ingress. I created a secret with the command below:
kubectl create secret generic auth-tls-chain --from-file=org_client_chain.pem --namespace=default
secret/auth-tls-chain created
And created my ingress as follows:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-new-ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/auth-tls-chain"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "3"
    nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true"
spec:
  rules:
    - host: example.com
      http:
        paths:
          - pathType: Prefix
            path: "/"
            backend:
              service:
                name: hello-one
                port:
                  number: 80
  tls:
    - hosts:
        - example.com
      secretName: echo-tls
But when I try to access my domain I am getting a "403 Forbidden" error. I opened the nginx config file and can see the certificate has some issues:
kubectl exec ingress-nginx-controller-5fbf49f7d7-sjvpw cat /etc/nginx/nginx.conf
# error obtaining certificate: local SSL certificate default/auth-tls-chain was not found
return 403;
My client certificate chain looks like the one below, in PEM format:
-----BEGIN CERTIFICATE-----
sdfkhdskhflds
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
saflsafhl
sfadfasdf
-----END CERTIFICATE-----
I tried creating the secret with the following command:
kubectl create secret generic ca-secret --from-file=org_client_chain.pem=org_client_chain.pem
but no luck. Can somebody help me here?
Thanks
As mentioned in the GitHub link, you must use ca.crt as the certificate file name, containing the full Certificate Authority chain.
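As an added example (not part of the question or the answer above), the following POSIX shell functions show the point the answer makes: the ingress-nginx `auth-tls-secret` is looked up by the key `ca.crt` inside the Secret, so the PEM chain must be stored under that key rather than under the file name. It assumes the chain file is `org_client_chain.pem` and the Secret is `auth-tls-chain` in namespace `default`, as in the question; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the question or the answer.
# Assumes: org_client_chain.pem holds the full CA chain (intermediates
# plus root), and the Secret is auth-tls-chain in namespace default.

# Count the certificate blocks in a PEM file. The auth-tls secret must carry
# the whole CA chain, so a count lower than the expected chain length means
# the wrong file (for example only the leaf) is about to be loaded.
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# Render a Secret manifest with the PEM data under the key "ca.crt", which
# is the key ingress-nginx reads for auth-tls-secret. Storing the data under
# the file name (org_client_chain.pem) produces the
# "local SSL certificate ... was not found" error and the 403 seen above.
render_ca_secret() {
    pem="$1"; name="$2"; ns="$3"
    [ "$(pem_cert_count "$pem")" -ge 1 ] || {
        echo "no certificates found in $pem" >&2
        return 1
    }
    # base64 with line breaks removed so the value fits on one YAML line
    encoded=$(base64 < "$pem" | tr -d '\n')
    printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\ntype: Opaque\ndata:\n  ca.crt: %s\n' \
        "$name" "$ns" "$encoded"
}

# Check that an existing manifest (e.g. from `kubectl get secret ... -o yaml`)
# exposes the ca.crt key the controller expects.
manifest_has_ca_key() {
    grep -q '^  ca.crt: ' "$1"
}

# Usage (not run here):
#   render_ca_secret org_client_chain.pem auth-tls-chain default | kubectl apply -f -
# which is equivalent to:
#   kubectl create secret generic auth-tls-chain \
#       --from-file=ca.crt=org_client_chain.pem --namespace=default
```

The `--from-file=ca.crt=org_client_chain.pem` form in the usage comment is the one-line fix for the question's command: the part before `=` becomes the Secret key, and that key is what the ingress controller's annotation resolves. After applying, `kubectl get secret auth-tls-chain -n default -o yaml` should list `ca.crt` under `data`, and the `return 403` block in the generated nginx.conf should be replaced by the `ssl_client_certificate` directive.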