skip to Main Content

I am having the following issue.
I am new to GCP/Cloud, I have created a cluster in GKE and deployed our application there, installed nginx as a POD in the cluster, our company has a authorized SSL certificate which i have uploaded in Certificates in GCP.

In the DNS Service, i have created an A record which matched the IP of Ingress.
When i call the URL in the browser, it still shows that the website is still unsecure with message "Kubernetes Ingress controller fake certificate".

I used the following guide https://cloud.google.com/load-balancing/docs/ssl-certificates/self-managed-certs#console_1

however i am not able to execute step 3 "Associate an SSL certificate with a target proxy", because it asks "URL Maps" and i am not able to find it in the GCP Console.

Has anybody gone through the same issue like me or if anybody helps me out, it would be great.

Thanks and regards,

4

Answers


  1. You can save your SSL/TLS certificate into the K8s secret and attach it to the ingress.

    you need to config the TLS block in ingress, dont forget to add ingress.class details in ingress

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata: 
      name: tls-example-ingress
    spec: 
      rules: 
        - host: mydomain.com
          http: 
            paths: 
              - 
                backend: 
                  serviceName: my-service
                  servicePort: 80
                path: /
      tls: 
        - hosts: 
            - mydomain.com
          secretName: my-tls-secret
    

    You can read more at : https://medium.com/avmconsulting-blog/how-to-secure-applications-on-kubernetes-ssl-tls-certificates-8f7f5751d788

    You might be seeing something like this in browser :

    enter image description here

    that’s from the ingress controller and wrong certificate attached to ingress or ingress controller default fake cert.

    Login or Signup to reply.
  2. I was able to fix this problem by adding an extra argument to the ingress-nginx-controller deployment.

    For context: my TLS secret was at the default namespace and was named letsencrypt-secret-prod, so I wanted to add this as the default SSL certificate for the Nginx controller.

    My first solution was to edit the deployment.yaml of the Nginx controller and add at the end of the containers[0].args list the following line:

    - '--default-ssl-certificate=default/letsencrypt-secret-prod'
    

    Which made that section of the yaml look like this:

          containers:
            - name: controller
              image: >-
                k8s.gcr.io/ingress-nginx/controller:v1.2.0-beta.0@sha256:92115f5062568ebbcd450cd2cf9bffdef8df9fc61e7d5868ba8a7c9d773e0961
              args:
                - /nginx-ingress-controller
                - '--publish-service=$(POD_NAMESPACE)/ingress-nginx-controller'
                - '--election-id=ingress-controller-leader'
                - '--controller-class=k8s.io/ingress-nginx'
                - '--ingress-class=nginx'
                - '--configmap=$(POD_NAMESPACE)/ingress-nginx-controller'
                - '--validating-webhook=:8443'
                - '--validating-webhook-certificate=/usr/local/certificates/cert'
                - '--validating-webhook-key=/usr/local/certificates/key'
                - '--default-ssl-certificate=default/letsencrypt-secret-prod'
    

    But I was using the helm chart: ingress-nginx/ingress-nginx, so I wanted this config to be in the values.yaml file of that chart so that I could upgrade it later if necessary.

    So reading the values file I replaced the attribute: controller.extraArgs, which looked like this:

      extraArgs: {}
    

    For this:

      extraArgs:
        default-ssl-certificate: default/letsencrypt-secret-prod
    

    This restarted the deployment with the argument in the correct place.

    Now I can use ingresses without specifying the tls.secretName for each of them, which is awesome.

    Here’s an example ingress that is working for me with HTTPS:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: some-ingress-name
      annotations:
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    spec:
      rules:
      - http:
          paths:
          - path: /some-prefix
            pathType: Prefix
            backend:
              service:
                name: some-service-name
                port:
                  number: 80
    
    Login or Signup to reply.
  3. Also don’t forget to check that Subject Alternative Name actually contains the same value the CN contains. If it does not, the certificate is not valid because the industry moves away from CN. Just learned this now

    Login or Signup to reply.
  4. in my fault, I upgraded new tsl on cattle-system name space, but not in my name-space, therefore some how, ingress recognize with K8s fake cert.
    Solution: upgrade all old cert to new cert (only ingress user cert, WARNING – system cert maybe damaged your system – cannot explain)

    Login or Signup to reply.
Please signup or login to give your own answer.
Back To Top
Search