I am having the following issue.
I am new to GCP/Cloud. I have created a cluster in GKE and deployed our application there, and installed nginx as a pod in the cluster. Our company has an authorized SSL certificate, which I have uploaded in Certificates in GCP.
In the DNS service, I have created an A record which matches the IP of the Ingress.
When I call the URL in the browser, it still shows that the website is not secure, with the message "Kubernetes Ingress controller fake certificate".
I used the following guide: https://cloud.google.com/load-balancing/docs/ssl-certificates/self-managed-certs#console_1
However, I am not able to execute step 3, "Associate an SSL certificate with a target proxy", because it asks for "URL Maps" and I am not able to find it in the GCP Console.
Has anybody gone through the same issue? If anybody could help me out, it would be great.
Thanks and regards,
4 Answers
You can save your SSL/TLS certificate into a K8s secret and attach it to the ingress.
You need to configure the TLS block in the ingress; don't forget to add the `ingress.class` details in the ingress.
You can read more at: https://medium.com/avmconsulting-blog/how-to-secure-applications-on-kubernetes-ssl-tls-certificates-8f7f5751d788
You might be seeing something like this in the browser:
That's from the ingress controller and a wrong certificate attached to the ingress, or the ingress controller's default fake cert.
I was able to fix this problem by adding an extra argument to the ingress-nginx-controller deployment.
For context: my TLS secret was at the default namespace and was named `letsencrypt-secret-prod`, so I wanted to add this as the default SSL certificate for the Nginx controller.
My first solution was to edit the `deployment.yaml` of the Nginx controller and add at the end of the `containers[0].args` list the following line:
Which made that section of the yaml look like this:
But I was using the helm chart `ingress-nginx/ingress-nginx`, so I wanted this config to be in the `values.yaml` file of that chart so that I could upgrade it later if necessary.
So reading the values file I replaced the attribute `controller.extraArgs`, which looked like this:
For this:
This restarted the deployment with the argument in the correct place.
Now I can use ingresses without specifying the `tls.secretName` for each of them, which is awesome.
Here's an example ingress that is working for me with HTTPS:
Also don't forget to check that the Subject Alternative Name actually contains the same value the CN contains. If it does not, the certificate is not valid because the industry moves away from CN. Just learned this now.
It was my fault: I upgraded the new TLS cert in the cattle-system namespace, but not in my namespace, so somehow the ingress ended up with the K8s fake cert.
Solution: upgrade all old certs to the new cert (only the ingress user certs. WARNING: system certs may damage your system, cannot explain).
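The checks the answers above describe (a TLS block on the Ingress, an ingress class, and the Secret living in the Ingress's own namespace), as an added example that is not code from any of the posters: a small offline lint over objects exported with `kubectl get ... -o json`. The function name `tls_findings` and every host, Secret and namespace name in the sample are constructed for illustration.

```python
# Added example. Host, Secret and namespace names are constructed.
def tls_findings(ingress, secrets, default_cert=None):
    """List TLS misconfigurations for one Ingress.
    ingress / secrets are objects parsed from `kubectl get ... -o json`;
    default_cert is the "namespace/name" given to the controller, if any.
    Hosts are compared literally (no wildcard matching).
    """
    meta, spec = ingress["metadata"], ingress.get("spec", {})
    ns = meta.get("namespace", "default")
    findings = []

    annotations = meta.get("annotations", {})
    if not (spec.get("ingressClassName") or annotations.get("kubernetes.io/ingress.class")):
        findings.append("no ingress class set; the controller may ignore this Ingress")

    # Index Secrets by (namespace, name): an Ingress can only use its own namespace.
    index = {(s["metadata"].get("namespace", "default"), s["metadata"]["name"]): s
             for s in secrets}
    host_secret = {h: t.get("secretName")
                   for t in spec.get("tls", []) for h in t.get("hosts", [])}

    for rule in spec.get("rules", []):
        host = rule.get("host")
        name = host_secret.get(host)
        if name is None:
            if default_cert is None:
                findings.append(f"{host}: no tls secret and no default certificate")
            continue
        secret = index.get((ns, name))
        if secret is None:
            other = sorted(n for (n, s) in index if s == name)
            hint = f" (found in: {', '.join(other)})" if other else ""
            findings.append(f"{host}: secret {name} missing in namespace {ns}{hint}")
        elif not {"tls.crt", "tls.key"} <= set(secret.get("data", {})):
            findings.append(f"{host}: secret {name} lacks tls.crt/tls.key")
    return findings

# Constructed sample: the Secret was created in "default", the Ingress lives in "shop".
SECRETS = [{"metadata": {"namespace": "default", "name": "shop-tls"},
            "data": {"tls.crt": "<base64>", "tls.key": "<base64>"}}]
INGRESS = {"metadata": {"namespace": "shop", "name": "shop"},
           "spec": {"ingressClassName": "nginx",
                    "tls": [{"hosts": ["shop.example.com"], "secretName": "shop-tls"}],
                    "rules": [{"host": "shop.example.com"}]}}

if __name__ == "__main__":
    for line in tls_findings(INGRESS, SECRETS):
        print(line)
```

Passing `default_cert` (the `namespace/name` given to the controller) suppresses only the finding for hosts that have no TLS secret of their own.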