The documentation does not specify how to add an intermediate SSL certificate: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
I suppose the next step would be to read the Kubernetes source code.
If you add multiple certificates to the tls.crt key in the Kubernetes TLS Ingress configuration, please do it like this:

```
-----BEGIN CERTIFICATE-----
<put your server certificate value in a single line>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<put your intermediate certificate value in a single line>
-----END CERTIFICATE-----
```

Otherwise, you'll get an error in SSL cert chain validation.
Always put the main certificate first.
Use this command to create a cert:

```sh
# Secret names must be valid DNS subdomain names, so use '-' rather than '_'.
kubectl create secret generic tlscert-with-ca \
  --from-file=tls.crt=your_cert.crt \
  --from-file=tls.key=your_key.key \
  --from-file=ca.crt=your_ca.crt
```

BTW, your_ca.crt could be an intermediate cert as well.

It works for me; the cert in nginx-ingress-controller should look like this:

```
-----BEGIN CERTIFICATE-----
your_cert
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
your_key
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
your_intermediate
-----END CERTIFICATE-----
```

Reference: official doc
The intermediary SSL cert (ca.intermediate.crt) is included as a second cert in the k8s tls.crt field. tls.crt includes three files separated by \n: server.crt, ca.intermediate.crt and ca.crt.

Here is an Ansible task that sets up the cert:
```yaml
- hosts: localhost
  connection: local
  vars:
    # Order matters: server cert first, then the intermediate, then the root CA.
    wildcard_foo_com_ssl_tls_crt:
      - "{{ lookup('file', './ssl_certs/star_foo_com/server.crt') }}"
      - "{{ lookup('file', './ssl_certs/star_foo_com/ca.intermediate.crt') }}"
      - "{{ lookup('file', './ssl_certs/star_foo_com/ca.crt') }}"
    wildcard_foo_com_ssl_tls_key: "{{ lookup('file', './ssl_certs/star_foo_com/server.key') }}"
  tasks:
    - name: Set up foo.com Certs
      k8s:
        state: present
        definition:
          apiVersion: v1
          kind: Secret
          metadata:
            name: name-com-wildcard-foo-com
            namespace: prod
          type: kubernetes.io/tls
          data:
            tls.crt: "{{ wildcard_foo_com_ssl_tls_crt | join('\n') | b64encode }}"
            tls.key: "{{ wildcard_foo_com_ssl_tls_key | b64encode }}"
            # ca.crt: this key seems to be ignored
```
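As an added example (not code from any of the answers above), this Go program checks a tls.crt bundle the way the answers describe it: every block carries the standard CERTIFICATE label, the server certificate comes first, and each following block is the issuer of the one before it. The root CA, intermediate and server certificate are constructed in-process so it runs offline; `checkChain` and `newCert` are names chosen here, not Kubernetes or nginx-ingress APIs.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// checkChain validates the PEM bundle that goes into a kubernetes.io/tls secret's tls.crt: every block
// must use the CERTIFICATE label, the first block must be the (non-CA) server certificate, and each
// following block must be the issuer of the block before it (server, intermediate, optional root).
func checkChain(tlsCrt []byte) error {
	var certs []*x509.Certificate
	for b, rest := pem.Decode(tlsCrt); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes)
		if b.Type != "CERTIFICATE" || err != nil {
			return fmt.Errorf("block %d: label %q (want CERTIFICATE), parse error: %v", len(certs)+1, b.Type, err)
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 || certs[0].IsCA {
		return fmt.Errorf("tls.crt must start with the server certificate, not a CA certificate")
	}
	for i := 1; i < len(certs); i++ {
		if err := certs[i-1].CheckSignatureFrom(certs[i]); err != nil {
			return fmt.Errorf("certificate %d was not issued by certificate %d: %w", i, i+1, err)
		}
	}
	return nil
}
// newCert issues a constructed Ed25519 test certificate, self-signed when parent is nil.
func newCert(ca bool, parent *x509.Certificate, signer ed25519.PrivateKey) ([]byte, *x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = tmpl, key // self-signed root
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	cert, _ := x509.ParseCertificate(der)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), cert, key
}
func main() {
	rootPEM, root, rootKey := newCert(true, nil, nil)       // constructed root CA
	intPEM, inter, interKey := newCert(true, root, rootKey) // constructed intermediate CA
	leafPEM, _, _ := newCert(false, inter, interKey)        // constructed server certificate
	fmt.Println("server+intermediate+root:", checkChain([]byte(string(leafPEM)+string(intPEM)+string(rootPEM))))
	fmt.Println("intermediate+server:", checkChain([]byte(string(intPEM)+string(leafPEM)))) // wrong order
}
```

The first call returns nil; the second reports that the bundle starts with a CA certificate, which is the ordering mistake the answers warn about.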