
I have set up a Kubernetes cluster on GCP/GKE and it's all working well except for one thing. When I access the external IP for the service, the (default?) "Kubernetes Ingress Controller Fake Certificate" is served.

I am trying to use the NGINX Ingress (https://kubernetes.github.io/ingress-nginx/) and have followed what I believe are the correct instructions for associating a TLS secret with the Ingress. For example:

https://estl.tech/configuring-https-to-a-web-service-on-google-kubernetes-engine-2d71849520d

https://kubernetes.github.io/ingress-nginx/user-guide/tls/

I have created a secret like this:

apiVersion: v1
kind: Secret
metadata:
  name: example-tls
  namespace: default
data:
  tls.crt: [removed]
  tls.key: [removed]
type: kubernetes.io/tls

And associated that secret (which I can confirm is applied correctly and I can see in the cluster config) with the Ingress like this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: "nginx"
    kubernetes.io/ingress.allow-http: "false"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/affinity: "cookie"
spec:
  backend:
    serviceName: example-service
    servicePort: 80
  tls:
  - secretName: example-tls

From the documentation I feel that this should work (but, barring a bug, I am obviously mistaken!).

I've also seen some documentation around requiring target proxies for HTTPS. Perhaps that is the way that I should be doing this?

Many thanks for your help in advance.

Cheers, Ben

PS: This is my load balancer configuration:

kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
spec:
  externalTrafficPolicy: Cluster
  loadBalancerIP: [removed]
  sessionAffinity: ClientIP
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: https

Edit 1: Looking at my Ingress I can see this:

➜  gke git:(develop) ✗ kubectl describe ing example-tls-ingress
Name:             example-tls-ingress
Namespace:        default
Address:          [removed]
Default backend:  example-webapp-service:80 ([removed])
TLS:
  example-tls terminates 
Rules:
  Host  Path  Backends
  ----  ----  --------
  *     *     example-webapp-service:80 ([removed])

So it looks like the secret is picked up.

And this makes me think that there is a difference between Ingress-terminated TLS and Load Balancer-terminated TLS?

1 Answer

You can just refer to this stackoverflow post.

You need to install Jetstack cert-manager, create a ClusterIssuer/Issuer, along with a Certificate in which you have to pass the domain name / hostname, and cert-manager will automatically create the secret for you, by the name you mentioned in the 'Certificate'.

That secret has to be patched into the TLS section of the Ingress rule.

Tushar Mahajan

  • Sorry, I should have said that I have self-managed certificates. I have created a secret for them and that sits in the cluster. I feel like I should be able to associate that secret with the LB service somehow... is that not possible? – benjimix Oct 31 '19 at 05:07
  • Never mind! I tried this and had some success! My certificate requests are “pending” though... do I need to update my DNS before the request? And I had to set up without webhooks (because of GKE restrictions) so I hope that’s Ok... – benjimix Oct 31 '19 at 14:53
  • Follow up question: https://stackoverflow.com/questions/58657873/jetstack-cert-manager-and-gke-private-cluster-failed-to-verify-acme-account – benjimix Nov 01 '19 at 10:44
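The flow the answer describes, written out as manifests (an added example, not from the answer or the asker's cluster): a ClusterIssuer, a Certificate whose secretName cert-manager populates, and an Ingress whose tls block references that secret for a named host. It assumes cert-manager is installed with its CRDs (cert-manager.io/v1 API), a hostname example.com that already resolves to the load balancer IP, and the asker's example-service on port 80.

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer                        # which ACME CA cert-manager talks to and how it proves control of the name
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@example.com               # constructed placeholder, replace with a real address
    privateKeySecretRef:
      name: letsencrypt-prod-account-key   # ACME account key, created by cert-manager
    solvers:
    - http01:
        ingress:
          class: nginx                     # HTTP-01 challenge served through the nginx ingress
---
apiVersion: cert-manager.io/v1
kind: Certificate                          # once issued, cert-manager writes tls.crt/tls.key into spec.secretName
metadata:
  name: example-tls
spec:
  secretName: example-tls                  # the kubernetes.io/tls Secret the Ingress references
  dnsNames:
  - example.com                            # assumed hostname; must resolve to the LB IP for HTTP-01
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
---
# Ingress: nginx picks the certificate by the SNI name the client sends, so tls.hosts must
# match the rule host; a request to the bare LB IP still gets the fake default certificate.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: example-ingress
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - example.com
    secretName: example-tls
  rules:
  - host: example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: example-service          # the asker's backend Service
            port:
              number: 80
```

Apply with kubectl apply -f and watch kubectl get certificate until READY is True; the Secret example-tls only exists (and the Ingress only serves the real certificate) once the Certificate has been issued.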