0
votes

I'm migrating services into a Kubernetes cluster on minikube. These services require a self-signed certificate on load. Accessing the service via NodePort works perfectly and demands the certificate in the browser (picture below), but accessing via the ingress host (the domain is modified locally in /etc/hosts) provides me with a Kubernetes Ingress Controller Fake Certificate by Acme and skips my self-signed cert without any message.

The SSL should be decrypted inside the app and not in the Ingress, and the tls-acme: "false" flag does not work and still gives me the fake cert.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # decryption of tls occurs in the backend service
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/tls-acme: "false"
spec:
  rules:
    - host: admin.domain.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: admin-service
                port:
                  number: 443

When signing in, it should show the following before loading: (image: Normal behaviour)

minikube version: v1.15.1

kubectl version: 1.19

using ingress-nginx 3.18.0

1
You may need to enable ssl-passthrough, which is disabled by default. This is required to enable passthrough backends in Ingress objects. Try enabling it and let me know if it works - Matt
nginx.ingress.kubernetes.io/ssl-passthrough: "true" exists in the ingress but it didn't work. I also added nginx.ingress.kubernetes.io/auth-tls-pass-certificate-to-upstream: "true" but still nothing. - Eden Dupont
Did you actually check the link I gave you? - Matt
Yes, I did, but isn't the annotation in the ingress enough to change the value in the nginx controller? I will try to add it manually - Eden Dupont
I saw you created a github issue: github.com/kubernetes/ingress-nginx/issues/6722 I will leave this link here. Maybe it will help somebody one day. Anyway, I tried replicating your issues and can confirm that this is not working for me either. - Matt

1 Answer

0
votes

The problem turned out to be a bug on Minikube, and also having to enable ssl passthrough in the nginx controller (in addition to the annotation) with the flag --enable-ssl-passthrough=true.

I was doing all my cluster testing on a Minikube cluster version v1.15.1 with Kubernetes v1.19.4, where ssl passthrough failed. After following the guidance in the ingress-nginx GitHub issue, I discovered that the issue didn't replicate in kind, so I tried deploying my app on a new AWS cluster (k8 version 1.18) and everything worked great.
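The answer's point, that the ssl-passthrough annotation only takes effect when the controller itself runs with `--enable-ssl-passthrough`, can be checked from the cluster's own objects. The following is an added example, not part of the original answer or the ingress-nginx project: it audits the JSON you would get from `kubectl get ... -o json`. The sample objects, the container name and the function names are constructed for illustration.

```python
ANNOTATION = "nginx.ingress.kubernetes.io/ssl-passthrough"
FLAG = "--enable-ssl-passthrough"

# Constructed sample objects, shaped like `kubectl get ... -o json` output.
DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [
    {"name": "controller",
     "args": ["/nginx-ingress-controller", "--ingress-class=nginx"]}]}}}}
FIXED_DEPLOYMENT = {"spec": {"template": {"spec": {"containers": [
    {"name": "controller",
     "args": ["/nginx-ingress-controller", "--ingress-class=nginx",
              "--enable-ssl-passthrough=true"]}]}}}}
INGRESS = {"metadata": {"name": "ingress", "annotations": {ANNOTATION: "true"}},
           "spec": {"rules": [{"host": "admin.domain.com"}]}}


def controller_passthrough_enabled(deployment):
    """True if a controller container is started with the passthrough flag on."""
    for container in deployment["spec"]["template"]["spec"]["containers"]:
        for arg in container.get("args", []):
            name, _, value = arg.partition("=")
            # A bare flag and an explicit true value both enable the feature.
            if name == FLAG and value.lower() in ("", "1", "t", "true"):
                return True
    return False


def passthrough_hosts(ingress):
    """Hosts of an Ingress that asks for passthrough through its annotation."""
    annotations = ingress.get("metadata", {}).get("annotations", {})
    if annotations.get(ANNOTATION, "").lower() != "true":
        return []
    rules = ingress.get("spec", {}).get("rules", [])
    return [rule["host"] for rule in rules if "host" in rule]


def ignored_passthrough_hosts(deployment, ingresses):
    """Hosts whose annotation has no effect because the controller flag is off.

    For these hosts the controller terminates TLS itself and presents its own
    certificate instead of the backend's.
    """
    if controller_passthrough_enabled(deployment):
        return []
    return [host for ing in ingresses for host in passthrough_hosts(ing)]


if __name__ == "__main__":
    print(ignored_passthrough_hosts(DEPLOYMENT, [INGRESS]))
    print(ignored_passthrough_hosts(FIXED_DEPLOYMENT, [INGRESS]))
```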