Kubernetes, Ingress controller and certificate


Good morning to all, my problem is the deployment of my application. Before explaining my problem, I will give you some context:

  • I have a .NET REST API application
  • The scope of my application is to be a middleware between the final user and another app (MotherAPP)
  • My application exposes a REST API to my SPA app (for the final user)
  • My application exposes 2 SOAP services to allow MotherAPP to send me notifications

Now, MotherAPP forces me to create a self-signed certificate for this SOAP service. In this way the communication channel from and to MotherAPP is safe. My certificate has Common Name (CN): xxxxxxx (the CN is forced by MotherAPP; I cannot change it).

I want to deploy my app on Kubernetes/Docker.

My problem is:

  • I built my "Deployment". At the moment there is only one replica
  • I built my ClusterIP Service to expose my Pod inside the cluster
  • I want to expose two ingress controllers: one for my API with the certificate from my domain provider, and the other with the self-signed certificate.

I installed the nginx controller, but it seems impossible to build an ingress controller with a host different from the Common Name of the certificate. The Ingress Controller does not return that certificate. The error returned from nginx is:

"x509: certificate is not valid for any names, but wanted to match [host]"

How can I expose my cluster to the outside with my self-signed certificate?

I hope to find a solution or an alternative to my idea.

UPDATE: I also tried installing minikube and followed the Google steps to create an ingress controller and an ingress (minikube guide).

When I add the certificate and the annotations to bypass the common name check, the ingress controller still returns the default Kubernetes certificate.

The annotations used to bypass the check are:

  • nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"
  • nginx.ingress.kubernetes.io/proxy-ssl-server-name: "fe.com"
  • nginx.ingress.kubernetes.io/proxy-ssl-name: "fe.com"

There are 2 answers

0
findmyname On

I think I somewhat understand what you want to achieve. Please read below.

> I want to expose two ingress controllers: one for my API with the certificate from my domain provider, and the other with the self-signed certificate.

You rarely need two Ingress Controllers. You need, most likely, one Ingress Controller and two Ingress resources. You can find an explanation about the differences here. Additionally, here is a link to the official documentation for Ingress Class.

Once you have an Ingress Controller, you need to create a TLS Kubernetes secret and deploy an Ingress resource. You need to specify the secret name as part of the Ingress TLS configuration. An example can be found in the official Kubernetes documentation for Ingress.

0
Yvan G. On

Can you try the annotation nginx.ingress.kubernetes.io/proxy-ssl-name and set it to the CN of your self-signed certificate? Ensure that you also use the annotation nginx.ingress.kubernetes.io/proxy-ssl-verify and set it to "off".

If these annotations do not work, you can also follow this link as guidance on how to configure self-signed certificates for nginx-ingress. The link uses nginx-ingress and a self-signed certificate as a sample for this configuration.