Question

My deployment is something like this:

Existing CA certificate for fake.example.com and an A record that maps fake.example.com to the IP of our load balancer

The load balancer is forwarding traffic to our Kubernetes cluster.

In the cluster, I've deployed the nginx-ingress helm chart, exposing NodePort for https at 30200

I've created a k8s TLS secret named test-secret from the above certificate.

I've deployed an app with service 'test' and have installed the following ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  namespace: default
  annotations:
    kubernetes.io/ingress.class: nginx
spec:
  tls:
  - hosts:
    - fake.example.com
    secretName: test-secret
  rules:
    - host: fake.example.com
      http:
        paths:
        - path: /myapp
          backend:
            serviceName: test
            servicePort: 8080

So, if i execute

curl https://{ip for k8s node}:30200/myapp/ping -H 'Host:fake.example.com' -k --verbose

I get the expected response from my app, but I also see

* Server certificate:

*  subject: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate

*  start date: Jan 25 20:52:16 2018 GMT

*  expire date: Jan 25 20:52:16 2019 GMT

*  issuer: O=Acme Co; CN=Kubernetes Ingress Controller Fake Certificate

So my question is, is it possible to configure nginx to use the correct certificate in this scenario?

Answer 1

You have to create a secret named test-secret.

➜  charts git:(master) kubectl describe secret --namespace operation mydomain.cn-cert
Name:         mydomain.cn-cert
Namespace:    operation
Labels:       <none>
Annotations:  <none>
Type:  Opaque
Data
====
tls.crt:  3968 bytes
tls.key:  1678 bytes