400 error while calling Upstream with MTLS

I am trying to connect Kong Ingress to an external upstream service which is protected with mTLS, but I am getting the error below:

400 Bad Request - No required SSL certificate was sent

I have set the annotations below in the ExternalName service:

konghq.com/protocol: https
konghq.com/cert: kong-upstream-tls-secret

When I apply this service YAML, I see the error below in the logs:

level=error msg="failed to update kong configuration: 1 errors occurred:\n\twhile processing event: {Update} service kong.external-service.443 failed: HTTP status 400 (message: "the foreign key '{id=\"d09d3568-8e1e-4de9-b1de-8241ac647cd8\"}' does not reference an existing 'certificates' entity.")\n" component=controller

I have already created a K8s TLS secret with the cert and key. Do I need to create the cert through the Admin API and refer to the cert ID in the service annotation, or is there any other way to fix this?

This connection works when I set the environment variables below for all the services:

nginx_proxy_proxy_ssl_certificate: /etc/secrets/kong-upstream-tls-secret/cert.pem
nginx_proxy_proxy_ssl_certificate_key: /etc/secrets/kong-upstream-tls-secret/key.pem

But when I try to implement this per service, I get failures. I am referring to the docs from this link.
I am using Kong version 2.4 with ingressController version 1.2.
