TLS with user provided secret doesn't seem to work #932
Comments
Simple answer here is that the Kong config doesn't have the cert set up. It needs something roughly along the lines of https://github.com/Kong/charts/blob/main/charts/kong/README.md#certificates but for

That sets up the server certificate serving on the gateway, but not verification of the client certificate presented by the controller. IIRC that relies on injecting NGINX directives (similar to step 8 in https://docs.nginx.com/nginx-management-suite/admin-guides/configuration/secure-traffic/, the

Did you have a doc you were working from? I forget what we created for the rollout of the

In classical very backwards fashion I pulled this out by decrypting the comms between the two, which was probably unnecessary (could have just hit the admin API with curl to see the cert details), but I wanted to confirm how to do it. Golang has no runtime built-in key log dump, and you need to modify code: ingress-controller-key-dump.diff.txt

The controller change is the one actually needed, since go-kong lets you provide your own client and we do. Left as a diff archive since I did a hack job and it's one of those things where we probably shouldn't ship it without a global

From there you can dump traffic and
Thanks for pointing me to these envs! I managed to make it work with the following values:

```yaml
gateway:
  admin:
    tls:
      client:
        # CA bundle the gateway uses to verify the controller's client certificate
        secretName: "ca-cert"
  replicaCount: 2
  env:
    # Server certificate/key served on the Admin API, mounted from the adminapi-cert Secret
    admin_ssl_cert: /etc/secrets/adminapi-cert/tls.crt
    admin_ssl_cert_key: /etc/secrets/adminapi-cert/tls.key
  secretVolumes:
    - adminapi-cert
controller:
  ingressController:
    image:
      repository: kong/kubernetes-ingress-controller
      tag: "3.0"
    adminApi:
      tls:
        client:
          enabled: true
          # If set to true, you are expected to provide your own secret (see secretName, caSecretName).
          certProvided: true
          # Client TLS certificate/key pair secret name that Ingress Controller will use to authenticate with Kong Admin API.
          secretName: "client-adminapi-cert"
          # CA TLS certificate/key pair secret name that the client TLS certificate is signed by.
          caSecretName: "ca-cert"
    env:
      gateway_discovery_dns_strategy: pod
      log_level: debug
      anonymous_reports: "false"
      # Keep server verification on; the CA below is what the controller trusts for the Admin API
      kong_admin_tls_skip_verify: "false"
      kong_admin_ca_cert:
        valueFrom:
          secretKeyRef:
            name: ca-cert
            key: tls.crt
```

and the slightly modified script for the certs:
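To make the relationship between those values concrete, here is an added example (not code from the Kong charts, KIC, or either commenter) that plays the roles in that set-up in-process with Go's crypto/tls, the controller's own language. A CA standing in for ca-cert signs both an Admin API server cert (adminapi-cert) and a controller client cert (client-adminapi-cert); the loopback server demands a client cert chaining to that CA, as the gateway does once admin.tls.client is set; and the client is then tried with the configurations the thread discusses. The host name kong-gateway-admin, the in-memory certificate minting (in place of the openssl script) and the scenario labels are assumptions for the example. The key log that the first comment had to patch into the controller is Go's tls.Config.KeyLogWriter, set here on the happy-path client only.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// adminHost is an assumed Admin API host name: the SAN in the server cert and the name the controller dials must agree.
const adminHost = "kong-gateway-admin"

// issue mints a short-lived ECDSA cert for this example only (a real deployment uses openssl or
// cert-manager and mounts the result from Secrets). parent == nil gives a self-signed CA.
func issue(cn string, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (tls.Certificate, *x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber: serial.Add(serial, big.NewInt(1)), Subject: pkix.Name{CommonName: cn},
		DNSNames:  dns, // Go ignores the CN, so the server cert needs a SAN
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerCert := key, tmpl
	if parent != nil {
		signer, signerCert = parentKey, parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, key
}

// exchange runs one handshake against a loopback server standing in for the Admin API: it serves
// serverCert and, like the gateway with admin.tls.client set, refuses any client whose cert does not chain to clientCAs.
func exchange(serverCert tls.Certificate, clientCAs *x509.CertPool, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    clientCAs,
	})
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			c.Write([]byte("ok\n")) // implicit server handshake; a rejected client cert becomes an alert
			c.Close()
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err // client-side failure: server cert not trusted or SAN mismatch
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	// With TLS 1.3 the server judges the client cert after the client's handshake has returned, so read the banner to collect its verdict.
	_, err = conn.Read(make([]byte, 3))
	return err
}

// Run plays the controller with tls.Configs matching the chart values above and returns each
// outcome plus the NSS key log the good client wrote through tls.Config.KeyLogWriter.
func Run() (map[string]error, string) {
	_, caLeaf, caKey := issue("kong-admin-ca", true, nil, nil, nil)                // ca-cert
	serverCert, _, _ := issue(adminHost, false, []string{adminHost}, caLeaf, caKey) // adminapi-cert
	clientCert, _, _ := issue("kic", false, nil, caLeaf, caKey)                     // client-adminapi-cert
	_, otherLeaf, _ := issue("unrelated-ca", true, nil, nil, nil)
	pool, otherPool := x509.NewCertPool(), x509.NewCertPool()
	pool.AddCert(caLeaf) // kong_admin_ca_cert on the controller, admin.tls.client.secretName on the gateway
	otherPool.AddCert(otherLeaf)
	var keyLog bytes.Buffer
	cases := map[string]*tls.Config{
		"mtls ok":                    {Certificates: []tls.Certificate{clientCert}, RootCAs: pool, ServerName: adminHost, KeyLogWriter: &keyLog},
		"no client cert":             {RootCAs: pool, ServerName: adminHost},
		"controller trusts wrong CA": {Certificates: []tls.Certificate{clientCert}, RootCAs: otherPool, ServerName: adminHost},
		"SAN mismatch":               {Certificates: []tls.Certificate{clientCert}, RootCAs: pool, ServerName: "localhost"},
		// kong_admin_tls_skip_verify: "true" is what makes the wrong-CA case appear to work:
		"skip_verify hides wrong CA": {Certificates: []tls.Certificate{clientCert}, RootCAs: otherPool, ServerName: adminHost, InsecureSkipVerify: true},
	}
	out := map[string]error{}
	for name, cfg := range cases {
		out[name] = exchange(serverCert, pool, cfg)
	}
	return out, keyLog.String()
}
```

The map Run returns tells you which side refused whom: the wrong-CA and SAN cases fail inside tls.Dial on the controller side (the x509 errors one also sees when port-forwarding the Admin API under a name the cert does not carry), the missing client cert is only rejected once the server's verdict is read back, and InsecureSkipVerify, the equivalent of kong_admin_tls_skip_verify, turns the wrong-CA failure into a silent success, which is why the values above keep it at "false".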
Given the above I wonder if we should close this or consider using this content in a guide in the docs or elsewhere 🤔? We don't seem to have a comprehensive guide saying how to configure this. We mostly cover the case of getting and configuring the cert at the ingress level.
Yeah, this basically becomes a docs ticket. Per Michael we originally had this in https://docs.konghq.com/kubernetes-ingress-controller/2.12.x/guides/using-gateway-discovery/#installation but it hadn't gotten ported yet.
Problem statement
While trying to make mTLS between KIC and Admin API work I encountered some difficulties, so I thought I'd share some of them.

Using the following script to generate certs and create Kubernetes Secrets:

domain.ext file and these values.yaml for the ingress chart:

I keep getting

The certificates I'm able to get from the Admin API seem to be OK:

Trying to access the port-forwarded Admin API yields:

(I've tried using a different hostname to access it via /etc/hosts but with the same result)