2

I have deployed the Nginx Ingress Controller with Helm in AKS without enabling TLS. Now I want to update the Controller to mount the TLS certificate as Kubernetes secrets, like below:

```yaml
controller:
  extraVolumes:
    - name: secrets-store-inline
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: "azure-tls"
  extraVolumeMounts:
    - name: secrets-store-inline
      mountPath: "/mnt/secrets-store"
      readOnly: true
```

Is there any way to update the Ingress Controller?

Sourav Karmakar
  • Which version of Kubernetes did you use and what exactly did you try? – Mikołaj Głodziak Dec 08 '21 at 15:02
  • K8s version: 1.21.2. I have deployed the nginx ingress controller with Helm. Now I want to enable TLS on it. The certificate is stored in Azure Key Vault. I'm using the 'secrets-store.csi.k8s.io' driver to access the certificate, and the certificate needs to be mounted in the nginx controller as a TLS secret. [See this.](https://learn.microsoft.com/en-us/azure/aks/csi-secrets-store-nginx-tls) I want to bind the certificate directly to the ingress controller. As I have already deployed it without binding the certificate, I am looking for a way to update the ingress controller. – Sourav Karmakar Dec 09 '21 at 07:10

1 Answer

2

> Is there any way to update the Ingress Controller?

Yes. Based on this official documentation, you need to add a TLS section to the existing Ingress and then reload it (the reload should take place automatically):

> The next list describes the scenarios when a reload is required:
>
>   • New Ingress Resource Created.
>   • TLS section is added to existing Ingress.
>   • Change in Ingress annotations that impacts more than just upstream configuration. For instance load-balancer annotation does not require a reload.
>   • A path is added/removed from an Ingress.
>   • An Ingress, Service, Secret is removed.
>   • Some missing referenced object from the Ingress is available, like a Service or Secret.
>   • A Secret is updated.

EDIT:

I have reproduced this situation. First, I created a simple Ingress with the following `ingress.yaml`:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ing-1
spec:
  ingressClassName: nginx
  rules:
    - host: www.example.com
      http:
        paths:
          - backend:
              service:
                name: app-1
                port:
                  number: 80
            path: /
            pathType: Prefix
```

Then I ran `kubectl get ingress`, and here is the output:

```
NAME    CLASS   HOSTS             ADDRESS        PORTS     AGE
ing-1   nginx   www.example.com   35.X.X.X       80        3m
```

At this step I had a working Ingress without TLS (only port 80 working). Then I created `tls.yaml` for TLS (I used self-signed certs; you need to use your own certs and domain):

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: tls
data:
  tls.crt: |
    <my cert>
  tls.key: |
    <my key>
type: kubernetes.io/tls
```

I applied it with `kubectl apply -f tls.yaml` and then changed `ingress.yaml` as below:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ing-1
spec:
  ingressClassName: nginx
  rules:
    - host: www.example.com
      http:
        paths:
          - backend:
              service:
                name: app-1
                port:
                  number: 80
            path: /
            pathType: Prefix
  # This section is only required if TLS is to be enabled for the Ingress
  tls:
    - hosts:
        - www.example.com
      secretName: tls
```

I have added the TLS section. Then I ran `kubectl apply -f ingress.yaml`, and after a few seconds I could see this output when running `kubectl get ingress`:

```
NAME    CLASS   HOSTS             ADDRESS        PORTS     AGE
ing-1   nginx   www.example.com   35.239.7.126   80, 443   18m
```

TLS is working. In the logs I can see this message:

```
Event(v1.ObjectReference{Kind:"Ingress", Namespace:"default", Name:"ing-1", UID:"84966fae-e135-47bb-8110-bf372de912c8", APIVersion:"networking.k8s.io/v1", ResourceVersion:"11306", FieldPath:""}): type: 'Normal' reason: 'Sync' Scheduled for sync
```

Ingress reloaded automatically :)

Mikołaj Głodziak
  • @MikołajGłodziak Could you please provide me with a docs link that shows how to update and reload the Ingress Controller? Thanks in advance. – Sourav Karmakar Dec 11 '21 at 05:51
  • [This one](https://github.com/kubernetes/ingress-nginx/issues/2612) should help you. – Mikołaj Głodziak Dec 11 '21 at 16:13
  • @SouravKarmakar, My previous link showed how to do this manually, but it is not recommended. The Kubernetes Ingress Controller should update automatically. – Mikołaj Głodziak Dec 13 '21 at 09:01
  • @SouravKarmakar, I have edited my answer (I have added a reproduction section). Now it should be clear ;) – Mikołaj Głodziak Dec 13 '21 at 10:23
  • @MikołajGłodziak Thank you so much for all this hard work. The thing is that I already knew this process of updating the Ingress, but I don't want to do this. I want to update the **Ingress Controller**, not the Ingress. As I previously mentioned, the certificate should be bound to the **Ingress Controller**, not to the Ingress. – Sourav Karmakar Dec 15 '21 at 08:58
  • [This doc](https://kubernetes.github.io/ingress-nginx/user-guide/tls/) should help you in this case. – Mikołaj Głodziak Dec 20 '21 at 08:20
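
As an added example (not part of the original answer or of ingress-nginx), the following Python check lints an Ingress and the TLS Secret it references, shaped like the `ing-1` and `tls` manifests in the answer above, before they are applied. The function names and the `(namespace, name)` lookup are assumptions, the sample objects are constructed with placeholder PEM bodies, and the PEM test only inspects the header line rather than parsing the certificate.

```python
import base64
import binascii

def pem_ok(b64_value, label):
    """Decode a Secret data value (embedded newlines tolerated) and check its PEM header line."""
    try:
        raw = base64.b64decode("".join(b64_value.split()), validate=True)
    except (binascii.Error, ValueError):
        return False
    lines = raw.decode("ascii", "replace").strip().splitlines()
    return bool(lines) and lines[0].startswith("-----BEGIN ") and lines[0].endswith(label + "-----")

def covers(tls_host, host):
    """Exact match, or a '*.' entry covering exactly one leading label of host."""
    if tls_host.startswith("*."):
        return host.partition(".")[2] == tls_host[2:]
    return tls_host == host

def lint_ingress_tls(ingress, secrets):
    """Return findings; `secrets` maps (namespace, name) to Secret objects."""
    ns = ingress["metadata"].get("namespace", "default")
    tls = ingress["spec"].get("tls", [])
    listed = [h for entry in tls for h in entry.get("hosts", [])]
    findings = []
    for host in (r.get("host", "") for r in ingress["spec"].get("rules", [])):
        if not any(covers(t, host) for t in listed):
            findings.append(f"rule host {host!r} is not listed under spec.tls")
    for entry in tls:
        name = entry.get("secretName")
        secret = secrets.get((ns, name))  # the Secret must live in the Ingress's namespace
        if secret is None:
            findings.append(f"secret {ns}/{name} not found")
        elif secret.get("type") != "kubernetes.io/tls":
            findings.append(f"secret {ns}/{name} is not of type kubernetes.io/tls")
        else:
            for key, label in (("tls.crt", "CERTIFICATE"), ("tls.key", "PRIVATE KEY")):
                if not pem_ok(secret.get("data", {}).get(key, ""), label):
                    findings.append(f"secret {ns}/{name}: {key} is not base64-encoded PEM")
    return findings

# Constructed sample objects shaped like the answer's manifests; PEM bodies are placeholders.
def _pem(label):
    return base64.b64encode(f"-----BEGIN {label}-----\nconstructed\n-----END {label}-----\n".encode()).decode()
SECRETS = {("default", "tls"): {"type": "kubernetes.io/tls",
    "data": {"tls.crt": _pem("CERTIFICATE"), "tls.key": _pem("PRIVATE KEY")}}}
INGRESS = {"metadata": {"name": "ing-1"}, "spec": {"rules": [{"host": "www.example.com"}],
    "tls": [{"hosts": ["www.example.com"], "secretName": "tls"}]}}
if __name__ == "__main__":
    print(lint_ingress_tls(INGRESS, SECRETS) or "no findings")
```

An empty result means every rule host is listed under `spec.tls` and each referenced Secret is present in the Ingress's namespace with both keys populated.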