
Kubernetes Ingress Controller Fake Certificate error


I just installed the ingress controller in an AKS cluster using this deployment resource:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml

specific to Azure.

So far everything works fine. The issue I am having is that I get this error on my certificate:

Kubernetes Ingress Controller Fake Certificate

I know I followed all the steps as I should, but I can't figure out why my certificate says that. I would appreciate it if anyone could help guide me to a possible fix for the issue.

issuer manifest

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
  name: TargetPods-6dc98445c4-jr6pt
spec:
  tls:
  - hosts:
    - test.domain.io
    secretName: TargetPods-tls
  rules:
  - host: test.domain.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: TargetPod-6dc98445c4-jr6pt
            port:
              number: 80

Below is the result of: kubectl get secrets -n ingress-nginx

NAME                                  TYPE                                  DATA   AGE
default-token-dh88n                   kubernetes.io/service-account-token   3      45h
ingress-nginx-admission               Opaque                                3      45h
ingress-nginx-admission-token-zls6p   kubernetes.io/service-account-token   3      45h
ingress-nginx-token-kcvpf             kubernetes.io/service-account-token   3      45h

Also the secrets from cert-manager: kubectl get secrets -n cert-manager

NAME                                  TYPE                                  DATA   AGE
cert-manager-cainjector-token-2m8nw   kubernetes.io/service-account-token   3      46h
cert-manager-token-vghv5              kubernetes.io/service-account-token   3      46h
cert-manager-webhook-ca               Opaque                                3      46h
cert-manager-webhook-token-chz6v      kubernetes.io/service-account-token   3      46h
default-token-w2jjm                   kubernetes.io/service-account-token   3      47h
letsencrypt-cluster-issuer            Opaque                                1      12h
letsencrypt-cluster-issuer-key        Opaque                                1      45h

Thanks in advance


Solution

  • From the YAML files attached, it seems you are trying to create the Ingress object in the default namespace. So in order to consume the Ingress, the TLS certificates (secrets) should exist in the same namespace where your Ingress object is created.

    First of all, create the secret using the .crt and .key files provided by the CA.

    kubectl create secret tls TargetPods-tls --cert nameOfCertfile.crt --key privateKey.key --namespace default
    

    Consume this secret inside your Ingress object and add annotations for the HTTP to HTTPS redirect (optional).

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: "nginx"
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        nginx.ingress.kubernetes.io/ssl-redirect: 'true' # Annotation to redirect http to https.
      name: TargetPods-6dc98445c4-jr6pt
    spec:
      tls:
      - hosts:
        - test.domain.io
        secretName: TargetPods-tls
      rules:
      - host: test.domain.io
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: TargetPod-6dc98445c4-jr6pt
                port:
                  number: 80
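
A check for the condition this answer describes, as an added example that is not part of the original question or answer: it confirms that each secret named under spec.tls exists in the Ingress's own namespace and holds a certificate, and reports where a misplaced secret actually lives. The function name check_ingress_tls is hypothetical, and it assumes kubectl is configured with read access to Ingresses and Secrets.

```shell
#!/bin/sh
# Added example (not from the original post).
# Usage: check_ingress_tls <namespace> <ingress-name>
# Returns 0 if every secret under spec.tls exists in <namespace> with a tls.crt.
check_ingress_tls() {
    ns="$1"; ing="$2"; rc=0
    # Secret names referenced by the Ingress, space separated.
    secrets=$(kubectl get ingress "$ing" -n "$ns" \
        -o jsonpath='{.spec.tls[*].secretName}' 2>/dev/null) || {
        echo "ERROR: cannot read ingress $ns/$ing"; return 1; }
    if [ -z "$secrets" ]; then
        echo "FAIL: $ns/$ing has no spec.tls secretName; the default certificate is served"
        return 1
    fi
    for s in $secrets; do
        # spec.tls secretName is resolved in the Ingress's own namespace only.
        if ! stype=$(kubectl get secret "$s" -n "$ns" -o jsonpath='{.type}' 2>/dev/null); then
            # Hint: list the namespaces that do hold a secret with this name.
            where=$(kubectl get secrets -A --field-selector "metadata.name=$s" \
                -o jsonpath='{.items[*].metadata.namespace}' 2>/dev/null) || where=""
            echo "FAIL: secret $s not in namespace $ns (found in: ${where:-nowhere})"
            rc=1; continue
        fi
        # Fetch only the public certificate; the private key is never read here.
        crt=$(kubectl get secret "$s" -n "$ns" \
            -o jsonpath='{.data.tls\.crt}' 2>/dev/null) || crt=""
        if [ -z "$crt" ]; then
            echo "FAIL: secret $ns/$s (type $stype) has no tls.crt"
            rc=1; continue
        fi
        echo "OK: $ns/$s (type $stype) holds a certificate"
    done
    return "$rc"
}
```

Run it as `check_ingress_tls default <ingress-name>` after sourcing the file; any FAIL line corresponds to a case where ingress-nginx falls back to its self-signed "Kubernetes Ingress Controller Fake Certificate".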