How to override Kong Gateway default certificates in Kubernetes

Hello everyone,

I’m trying to set up an SSL certificate for Kong 2.7 installed in Kubernetes but I am not getting this to work as expected. I tried to follow this guide. Even looking for additional help in discussion .

curl -X POST http://kong-admin:8001/certificates -F "cert=kong.lan.pem" -F "key=kong.lan.key" -F "snis[0]=mydomain.net"

This is my response:

{
  "fields": {
    "cert": "invalid certificate: x509.new: asn1/a_d2i_fp.c:197:error:0D06B08E:asn1 encoding routines:asn1_d2i_read_bio:not enough data",
    "key": "invalid key: pkey.new:load_key: asn1/a_d2i_fp.c:197:error:0D06B08E:asn1 encoding routines:asn1_d2i_read_bio:not enough data"
  },
  "message": "2 schema violations (cert: invalid certificate: x509.new: asn1/a_d2i_fp.c:197:error:0D06B08E:asn1 encoding routines:asn1_d2i_read_bio:not enough data; key: invalid key: pkey.new:load_key: asn1/a_d2i_fp.c:197:error:0D06B08E:asn1 encoding routines:asn1_d2i_read_bio:not enough data)",
  "name": "schema violation",
  "code": 2
}

Kong deployed with helm chart:

$ helm repo add kong https://charts.konghq.com
$ helm repo update

$ helm install kong/kong --generate-name --set ingressController.enabled=true --set admin.enabled=True --set admin.http.enabled=True --set ingress.enabled=True --set proxy.ingress.enabled=True --set admin.type=LoadBalancer --set proxy.type=LoadBalancer

Does any of you know how to make this working or how to add tls.crt and tls.key into Deployment?

As you are using Kong Ingress Controller, what you need t o do is to store your certificate in a tls secret and reference it on your ingress. Kong will pick it up automatically.

Can you share some example?

the k8s documentation has good example

Save your tls cert in secret,

apiVersion: v1
kind: Secret
metadata:
  name: testsecret-tls
  namespace: default
data:
  tls.crt: base64 encoded cert
  tls.key: base64 encoded key
type: kubernetes.io/tls

then reference it on ingress object.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-example-ingress
spec:
  ingressClassName: kong
  tls:
  - hosts:
      - https-example.foo.com
    secretName: testsecret-tls
  rules:
  - host: https-example.foo.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service1
            port:
              number: 80