
I just installed the ingress controller in an AKS cluster using this deployment resource:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml

specific for Azure.

So far everything works fine. The issue I am having is that I get this error on my certificate:

Kubernetes Ingress Controller Fake Certificate

I know I followed all the steps as I should, but I can't figure out why my certificate says that. I would appreciate it if anyone could help guide me to a possible fix for the issue.

issuer manifest

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
  name: TargetPods-6dc98445c4-jr6pt
spec:
  tls:
  - hosts:
    - test.domain.io
    secretName: TargetPods-tls
  rules:
  - host: test.domain.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: TargetPod-6dc98445c4-jr6pt
            port:
              number: 80

Below is the result of: kubectl get secrets -n ingress-nginx

NAME                                  TYPE                                  DATA   AGE
default-token-dh88n                   kubernetes.io/service-account-token   3      45h
ingress-nginx-admission               Opaque                                3      45h
ingress-nginx-admission-token-zls6p   kubernetes.io/service-account-token   3      45h
ingress-nginx-token-kcvpf             kubernetes.io/service-account-token   3      45h

Also the secrets from cert-manager: kubectl get secrets -n cert-manager

NAME                                  TYPE                                  DATA   AGE
cert-manager-cainjector-token-2m8nw   kubernetes.io/service-account-token   3      46h
cert-manager-token-vghv5              kubernetes.io/service-account-token   3      46h
cert-manager-webhook-ca               Opaque                                3      46h
cert-manager-webhook-token-chz6v      kubernetes.io/service-account-token   3      46h
default-token-w2jjm                   kubernetes.io/service-account-token   3      47h
letsencrypt-cluster-issuer            Opaque                                1      12h
letsencrypt-cluster-issuer-key        Opaque                                1      45h

Thanks in advance

4 Answers


  1. The Kubernetes Ingress Controller Fake Certificate is used by default if there is a problem getting/using the certificate desired for an ingress. For example:

    • Certificate contents aren’t suitable
    • Secret holding certificate doesn’t exist (wrong namespace, delayed certificate request etc.)

    It would be helpful to add the YAML manifests for your ingress resource and describe how you’ve created/added your TLS certificate that is to be used with the ingress, and I can hopefully improve my answer to help a bit more.

  2. You’re seeing this as it is the default out-of-the-box TLS certificate. You should replace this with your own certificate.

    Here is some information in the documentation

    You essentially want to create a TLS certificate (try this method if you are unfamiliar) and then add --default-ssl-certificate=default/XXXXX-tls in the nginx-controller deployment in your YAML. You can add this as an argument; search for "/nginx-ingress-controller" in your YAML and that’ll take you to the relevant section.

  3. I think you missed annotating the ClusterIssuer on your ingress:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: "nginx"
        cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
      name: TargetPods-6dc98445c4-jr6pt
          
    
  4. From the YAML files attached, it seems you are trying to create the ingress object in the default namespace. So in order to consume the ingress, the TLS certificates (secrets) should exist in the same namespace where your ingress object is created.

    First of all, create the secrets using the .crt and .key files provided by the CA.

    kubectl create secret tls TargetPods-tls --cert nameOfCertfile.crt --key privateKey.key --namespace default
    

    Consume these secrets inside your ingress object and add annotations for the HTTP to HTTPS redirect (optional):

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      annotations:
        kubernetes.io/ingress.class: "nginx"
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        nginx.ingress.kubernetes.io/ssl-redirect: 'true' # Annotation to redirect http to https.
      name: TargetPods-6dc98445c4-jr6pt
    spec:
      tls:
      - hosts:
        - test.domain.io
        secretName: TargetPods-tls
      rules:
      - host: test.domain.io
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: TargetPod-6dc98445c4-jr6pt
                port:
                  number: 80
    
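
Added example (not part of any answer above, and not ingress-nginx or cert-manager code): a check that combines the causes named in answers 1, 3 and 4, reporting for each Ingress TLS entry whether its secret is absent, sits in a different namespace, is still waiting on cert-manager, or lacks the tls.crt/tls.key keys. The function names, the Ingress and secret names and the sample data are constructed for illustration.

```python
ISSUER_ANNOTATIONS = ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")

def find_tls_problems(ingresses, secrets):
    """List (namespace, ingress, secretName, reason) for unusable spec.tls entries."""
    index = {(s["metadata"]["namespace"], s["metadata"]["name"]): s
             for s in secrets["items"]}
    problems = []
    for ing in ingresses["items"]:
        meta = ing["metadata"]
        ns = meta["namespace"]
        managed = any(a in (meta.get("annotations") or {}) for a in ISSUER_ANNOTATIONS)
        for tls in ing.get("spec", {}).get("tls") or []:
            name = tls.get("secretName")
            secret = index.get((ns, name))
            if secret is None:
                # A TLS secret is only looked up in the Ingress's own namespace.
                elsewhere = sorted(n for n, s in index if s == name)
                if elsewhere:
                    reason = "secret is in " + ",".join(elsewhere) + ", not " + ns
                elif managed:
                    reason = "not issued yet: check Certificate status"
                else:
                    reason = "secret missing, no cert-manager issuer annotation"
            elif not {"tls.crt", "tls.key"} <= set(secret.get("data") or {}):
                reason = "secret lacks tls.crt/tls.key"
            else:
                continue
            problems.append((ns, meta["name"], name, reason))
    return problems

def sample_ingress(name, secret, annotations=None):  # constructed sample Ingress
    return {"metadata": {"namespace": "default", "name": name, "annotations": annotations},
            "spec": {"tls": [{"hosts": ["test.domain.io"], "secretName": secret}]}}

def sample_secret(ns, name):  # constructed sample TLS secret (values left empty)
    return {"metadata": {"namespace": ns, "name": name},
            "data": {"tls.crt": "", "tls.key": ""}}

# Constructed sample shaped like `kubectl get ingress -A -o json` and
# `kubectl get secrets -A -o json`; none of it comes from a real cluster.
ANNOTATED = {"cert-manager.io/cluster-issuer": "letsencrypt-cluster-issuer"}
SAMPLE_INGRESSES = {"items": [
    sample_ingress("web", "web-tls"), sample_ingress("api", "api-tls", ANNOTATED),
    sample_ingress("shop", "shop-tls"), sample_ingress("docs", "docs-tls")]}
SAMPLE_SECRETS = {"items": [
    sample_secret("ingress-nginx", "shop-tls"), sample_secret("default", "docs-tls")]}

if __name__ == "__main__":
    for row in find_tls_problems(SAMPLE_INGRESSES, SAMPLE_SECRETS):
        print(*row, sep="\t")
```

On a live cluster the two inputs are the parsed output of the kubectl commands named in the comment. The secrets dump contains private keys, so parse it from a pipe rather than saving it to disk.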