How to override Kong Gateway default certificates in Kubernetes

Simon21 · January 19, 2022, 2:30pm

Hello everyone,

I’m trying to set up an SSL certificate for Kong 2.7 installed in Kubernetes but I am not getting this to work as expected. I tried to follow this guide. Even looking for additional help in discussion .

curl -X POST http://kong-admin:8001/certificates -F "cert=kong.lan.pem" -F "key=kong.lan.key" -F "snis[0]=mydomain.net"

This is my response:

{
  "fields": {
    "cert": "invalid certificate: x509.new: asn1/a_d2i_fp.c:197:error:0D06B08E:asn1 encoding routines:asn1_d2i_read_bio:not enough data",
    "key": "invalid key: pkey.new:load_key: asn1/a_d2i_fp.c:197:error:0D06B08E:asn1 encoding routines:asn1_d2i_read_bio:not enough data"
  },
  "message": "2 schema violations (cert: invalid certificate: x509.new: asn1/a_d2i_fp.c:197:error:0D06B08E:asn1 encoding routines:asn1_d2i_read_bio:not enough data; key: invalid key: pkey.new:load_key: asn1/a_d2i_fp.c:197:error:0D06B08E:asn1 encoding routines:asn1_d2i_read_bio:not enough data)",
  "name": "schema violation",
  "code": 2
}

Kong deployed with helm chart:

$ helm repo add kong https://charts.konghq.com
$ helm repo update

$ helm install kong/kong --generate-name --set ingressController.enabled=true --set admin.enabled=True --set admin.http.enabled=True --set ingress.enabled=True --set proxy.ingress.enabled=True --set admin.type=LoadBalancer --set proxy.type=LoadBalancer

Does any of you know how to make this working or how to add tls.crt and tls.key into Deployment?

fomm · January 19, 2022, 11:42pm

As you are using Kong Ingress Controller, what you need t o do is to store your certificate in a tls secret and reference it on your ingress. Kong will pick it up automatically.

Simon21 · January 20, 2022, 8:18am

Can you share some example?

fomm · January 20, 2022, 10:37am

the k8s documentation has good example

Save your tls cert in secret,

apiVersion: v1
kind: Secret
metadata:
  name: testsecret-tls
  namespace: default
data:
  tls.crt: base64 encoded cert
  tls.key: base64 encoded key
type: kubernetes.io/tls

then reference it on ingress object.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tls-example-ingress
spec:
  ingressClassName: kong
  tls:
  - hosts:
      - https-example.foo.com
    secretName: testsecret-tls
  rules:
  - host: https-example.foo.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: service1
            port:
              number: 80

parth_aggarwal · December 6, 2023, 8:53am

@fomm
did this solution work??
will this also work for ssl certificates??

Topic		Replies	Views
SSL certificate for API requests or /oauth2/token endpoint Kubernetes	2	568	October 11, 2022
[Solved] Kong ingress using own cert instead of Ingress-specified Kubernetes	3	3425	March 5, 2021
Custom SSL Certs not working Installation/Setup	4	1854	March 1, 2019
How to use kong.conf with Kong Ingress Controller Kubernetes	1	858	February 22, 2019
Kong Ingress Controller Default certificate Kubernetes	2	814	January 8, 2022

How to override Kong Gateway default certificates in Kubernetes

Related Topics