I just installed the ingress controller in an AKS cluster using this deployment resource:
kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml
specific to Azure.
So far everything works fine. The issue I am having is that I get this error on my certificate:
Kubernetes Ingress Controller Fake Certificate
I know I followed all the steps as I should, but I can't figure out why my certificate says that. I would appreciate it if anyone could help guide me to a possible fix for the issue.
issuer manifest
    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: "nginx"
      name: TargetPods-6dc98445c4-jr6pt
    spec:
      tls:
      - hosts:
        - test.domain.io
        secretName: TargetPods-tls
      rules:
      - host: test.domain.io
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: TargetPod-6dc98445c4-jr6pt
                port:
                  number: 80
Below is the result of: kubectl get secrets -n ingress-nginx

    NAME                                  TYPE                                  DATA   AGE
    default-token-dh88n                   kubernetes.io/service-account-token   3      45h
    ingress-nginx-admission               Opaque                                3      45h
    ingress-nginx-admission-token-zls6p   kubernetes.io/service-account-token   3      45h
    ingress-nginx-token-kcvpf             kubernetes.io/service-account-token   3      45h
Also the secrets from cert-manager: kubectl get secrets -n cert-manager

    NAME                                  TYPE                                  DATA   AGE
    cert-manager-cainjector-token-2m8nw   kubernetes.io/service-account-token   3      46h
    cert-manager-token-vghv5              kubernetes.io/service-account-token   3      46h
    cert-manager-webhook-ca               Opaque                                3      46h
    cert-manager-webhook-token-chz6v      kubernetes.io/service-account-token   3      46h
    default-token-w2jjm                   kubernetes.io/service-account-token   3      47h
    letsencrypt-cluster-issuer            Opaque                                1      12h
    letsencrypt-cluster-issuer-key        Opaque                                1      45h
Thanks in advance
4 Answers
The Kubernetes Ingress Controller Fake Certificate is used by default if there is a problem getting/using the certificate desired for an ingress. For example:
It would be helpful to add the YAML manifests for your ingress resource and describe how you’ve created/added your TLS certificate that is to be used with the ingress, and I can hopefully improve my answer to help a bit more.
You’re seeing this as it is the default out of the box TLS certificate. You should replace this with your own certificate.
Here is some information in the documentation
You essentially want to create a TLS certificate (try this method if you are unfamiliar) and then add --default-ssl-certificate=default/XXXXX-tls in the nginx-controller deployment in your yaml. You can add this as an argument; search for "/nginx-ingress-controller" in your yaml and that’ll take you to the relevant section.
I think you forgot to annotate ClusterIssuer on your ingress:

From the yaml files attached, it seems you are trying to create the ingress object in the default namespace. So in order to consume the ingress, the TLS certificates (secrets) should exist in the same namespace where your ingress object is created.
First of all, create secrets using the .crt and .key files provided by the CA.
Consume these secrets inside your ingress object and add annotations for HTTP to HTTPS redirect (optional).
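
Added example (not from any of the answers above): a small Python check for the namespace point made in the last answer. It takes Ingress and Secret objects shaped like `kubectl get -o json` output and reports, per `spec.tls` entry, whether the referenced secret exists in the Ingress's own namespace with `tls.crt` and `tls.key`. The sample objects are constructed, and their namespaces and data keys are assumptions.

```python
# Constructed sample data shaped like `kubectl get ... -o json` items.
# Secret names mirror the listings in the question; the "default" namespace
# of the Ingress and the data keys of the secrets are assumptions.
INGRESS = {
    "metadata": {"name": "TargetPods-6dc98445c4-jr6pt", "namespace": "default"},
    "spec": {"tls": [{"hosts": ["test.domain.io"], "secretName": "TargetPods-tls"}]},
}
SECRETS = [
    {"metadata": {"name": "letsencrypt-cluster-issuer-key", "namespace": "cert-manager"},
     "type": "Opaque", "data": {"tls.key": "..."}},
    {"metadata": {"name": "ingress-nginx-admission", "namespace": "ingress-nginx"},
     "type": "Opaque", "data": {"ca": "...", "cert": "...", "key": "..."}},
]


def diagnose_tls(ingress, secrets):
    """Return one finding per spec.tls entry. Any status other than 'ok'
    means the controller cannot use the secret and serves its default
    (fake) certificate for those hosts."""
    ns = ingress["metadata"].get("namespace", "default")
    by_key = {(s["metadata"]["namespace"], s["metadata"]["name"]): s for s in secrets}
    findings = []
    for entry in ingress["spec"].get("tls", []):
        name = entry.get("secretName")
        secret = by_key.get((ns, name))
        if name is None:
            status = "no secretName set"
        elif secret is None:
            # Secrets are namespaced: a copy in another namespace does not count.
            elsewhere = sorted(o_ns for (o_ns, o_name) in by_key if o_name == name)
            status = (f"secret found only in {elsewhere}, not in {ns}" if elsewhere
                      else f"secret missing from namespace {ns}")
        elif not {"tls.crt", "tls.key"} <= set(secret.get("data") or {}):
            status = "secret lacks tls.crt or tls.key"
        else:
            status = "ok"
        findings.append({"hosts": entry.get("hosts", []),
                         "secret": f"{ns}/{name}", "status": status})
    return findings


if __name__ == "__main__":
    for finding in diagnose_tls(INGRESS, SECRETS):
        print(finding)
```

The check covers only secret presence and keys; it does not verify that the certificate's names match the Ingress host.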