1

I just installed the ingress controller in an AKS cluster using this deployment resource:

kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml

specific to Azure.

So far everything works fine. The issue I am having is that I get this error on my certificate:

Kubernetes Ingress Controller Fake Certificate

I know I followed all the steps as I should, but I can't figure out why my certificate says that. I would appreciate it if anyone could help guide me to a possible fix for the issue.

issuer manifest

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
  name: TargetPods-6dc98445c4-jr6pt
spec:
  tls:
  - hosts:
    - test.domain.io
    secretName: TargetPods-tls
  rules:
  - host: test.domain.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: TargetPod-6dc98445c4-jr6pt
            port:
              number: 80

Below is the result of: kubectl get secrets -n ingress-nginx

> NAME                                  TYPE                                  DATA   AGE
default-token-dh88n                   kubernetes.io/service-account-token   3      45h
ingress-nginx-admission               Opaque                                3      45h
ingress-nginx-admission-token-zls6p   kubernetes.io/service-account-token   3      45h
ingress-nginx-token-kcvpf             kubernetes.io/service-account-token   3      45h

Also the secrets from cert-manager: kubectl get secrets -n cert-manager

> NAME                                  TYPE                                  DATA   AGE
cert-manager-cainjector-token-2m8nw   kubernetes.io/service-account-token   3      46h
cert-manager-token-vghv5              kubernetes.io/service-account-token   3      46h
cert-manager-webhook-ca               Opaque                                3      46h
cert-manager-webhook-token-chz6v      kubernetes.io/service-account-token   3      46h
default-token-w2jjm                   kubernetes.io/service-account-token   3      47h
letsencrypt-cluster-issuer            Opaque                                1      12h
letsencrypt-cluster-issuer-key        Opaque                                1      45h

Thanks in advance

Ribo01
  • It could be due to the wrong certificate being attached to the ingress, or else the default cert is getting attached to the ingress: https://stackoverflow.com/a/71127454/5525824 & if you are using cert-manager you can check this answer also: https://stackoverflow.com/a/55183209/5525824 – Harsh Manvar Aug 25 '22 at 11:52

4 Answers

1

You're seeing this as it is the default out of the box TLS certificate. You should replace this with your own certificate.

Here is some information in the documentation

You essentially want to create a TLS certificate (try this method if you are unfamiliar) and then add --default-ssl-certificate=default/XXXXX-tls in the nginx-controller deployment in your YAML. You can add this as an argument; search for "/nginx-ingress-controller" in your YAML and that'll take you to the relevant section.

Sanners
0

The Kubernetes Ingress Controller Fake Certificate is used by default if there is a problem getting/using the certificate desired for an ingress. For example:

  • Certificate contents aren't suitable
  • Secret holding certificate doesn't exist (wrong namespace, delayed certificate request etc.)

It would be helpful to add the YAML manifests for your ingress resource and describe how you've created/added your TLS certificate that is to be used with the ingress, and I can hopefully improve my answer to help a bit more.

clarj
  • I have edited the initial post with my ingress manifest, hoping you can give more context now @clarj – Ribo01 Aug 26 '22 at 08:43
  • 1
    How do you generate `TargetPods-tls`, manual or automated with certmanager? Can you confirm this secret does exist (in the same namespace as the ingress resource) and that it contains the typical data entries (`tls.crt`, `tls.key`)? – clarj Aug 26 '22 at 08:50
  • I have shared the secrets from my cert-manager namespace and my ingress controller namespace. Maybe that would further help? – Ribo01 Aug 26 '22 at 19:47
0

I think you missed annotating the ClusterIssuer on your ingress:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
    cert-manager.io/cluster-issuer: letsencrypt-cluster-issuer
  name: TargetPods-6dc98445c4-jr6pt
      
YK1
0

From the YAML files attached, it seems you are trying to create the ingress object in the default namespace. So in order to consume the ingress, the TLS certificates (secrets) should exist in the same namespace where your ingress object is created.

First of all, create the secrets using the .crt and .key files provided by the CA.

kubectl create secret tls TargetPods-tls --cert nameOfCertfile.crt --key privateKey.key --namespace default

Consume these secrets inside your ingress object and add annotations for the HTTP to HTTPS redirect (optional).

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/ssl-redirect: 'true' # Annotation to redirect http to https.
  name: TargetPods-6dc98445c4-jr6pt
spec:
  tls:
  - hosts:
    - test.domain.io
    secretName: TargetPods-tls
  rules:
  - host: test.domain.io
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: TargetPod-6dc98445c4-jr6pt
            port:
              number: 80
iamattiq1991
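
The checks the answers above describe (TLS secret present in the Ingress's own namespace, `tls.crt`/`tls.key` entries, a cert-manager issuer annotation), as an added Python example that is not part of any answer. `fallback_reasons` is a hypothetical helper, and the sample Ingress and secret list are constructed to mirror the question, with data key names assumed.

```python
import json

# Constructed sample: the Ingress from the question, placed in "default".
INGRESS = json.loads("""{
  "metadata": {"name": "TargetPods-6dc98445c4-jr6pt", "namespace": "default",
               "annotations": {"kubernetes.io/ingress.class": "nginx"}},
  "spec": {"tls": [{"hosts": ["test.domain.io"], "secretName": "TargetPods-tls"}],
           "rules": [{"host": "test.domain.io"}]}
}""")
# Constructed (namespace, name, data keys) tuples; key names are assumptions.
SECRETS = [
    ("ingress-nginx", "ingress-nginx-admission", ["ca", "cert", "key"]),
    ("cert-manager", "letsencrypt-cluster-issuer-key", ["tls.key"]),
]
ISSUER_ANNOTATIONS = ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")


def fallback_reasons(ingress, secrets):
    """Return reasons the controller would serve its default (fake) certificate."""
    meta, spec = ingress["metadata"], ingress.get("spec", {})
    ns = meta.get("namespace", "default")
    index = {(s_ns, name): set(keys) for s_ns, name, keys in secrets}
    has_issuer = any(a in meta.get("annotations", {}) for a in ISSUER_ANNOTATIONS)
    tls_hosts, reasons = set(), []
    for entry in spec.get("tls", []):
        tls_hosts.update(entry.get("hosts", []))
        name = entry.get("secretName")
        keys = index.get((ns, name))
        if keys is None:
            # Secrets are namespaced: a copy in another namespace is not usable.
            elsewhere = sorted(n for (n, s) in index if s == name and n != ns)
            if elsewhere:
                reasons.append(f"secret {name} exists in {elsewhere}, not in {ns}")
            elif has_issuer:
                reasons.append(f"secret {ns}/{name} not issued yet; check the Certificate status")
            else:
                reasons.append(f"secret {ns}/{name} missing and no cert-manager issuer annotation")
            continue
        missing = {"tls.crt", "tls.key"} - keys
        if missing:
            reasons.append(f"secret {ns}/{name} lacks {sorted(missing)}")
    # Host names are compared literally; wildcard entries are not expanded.
    for rule in spec.get("rules", []):
        if rule.get("host") not in tls_hosts:
            reasons.append(f"host {rule.get('host')} is not listed under spec.tls")
    return reasons


if __name__ == "__main__":
    for reason in fallback_reasons(INGRESS, SECRETS):
        print(reason)
```
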