[Solved] Kong ingress using own cert instead of Ingress-specified

I’ve set up Kong (Helm chart version 1.14.5 from https://charts.konghq.com) as an ingress controller (db-less with CRDs and ingress definitions for configuration). The issue I’m having is that when I query the SSL port, Kong responds with the self-signed certificate instead of the one specified in the ingress resource.

---

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    konghq.com/methods: GET,HEAD
    kubernetes.io/ingress.class: kong
  name: myservice-anonymous
  namespace: myservice
spec:
  rules:
    - host: myservice.domain.dom
      http:
        paths:
          - backend:
              serviceName: {{ .Release.Name }}-myservice
              servicePort: 8080
            path: /
    - host: sub.altdomain.com
      http:
        paths:
          - backend:
              serviceName: {{ .Release.Name }}-myservice
              servicePort: 8080
            path: /
  tls:
    - hosts:
        - myservice.domain.com
      secretName: myservice.domain.com-tls
    - hosts:
        - sub.altdomain.com
      secretName: sub.altdomain.com-tls

curl -vvv -k -H "Host: myservice.domain.com" https://<ingress IP>/
...
* Server certificate:
*  subject: C=US; ST=California; L=San Francisco; O=Kong; OU=IT Department; CN=localhost
*  start date: Mar  2 14:50:59 2021 GMT
*  expire date: Jan 19 03:14:08 2038 GMT
*  issuer: C=US; ST=California; L=San Francisco; O=Kong; OU=IT Department; CN=localhost
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
...

openssl x509 -in cert -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            64:e4:15:26:79:d4:c6:e8:f8:2f:68:cb:30:85:10:47:10:90:f9:1b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = "CloudFlare, Inc.", OU = CloudFlare Origin SSL Certificate Authority, L = San Francisco, ST = California
        Validity
            Not Before: Mar  1 01:24:00 2021 GMT
            Not After : Feb 26 01:24:00 2036 GMT
        Subject: O = "CloudFlare, Inc.", OU = CloudFlare Origin CA, CN = CloudFlare Origin Certificate
...

As you can see, Kong is serving its own certificate instead of the one provided by the secret. The ingress-controller container in the Kong pod is not logging any errors (I tried deleting and mangling the secret and Kong detects that). I’m at a loss as to what I may have missed and would appreciate suggestions.
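
The curl command in the post connects to an IP address and sets only the Host header, so the TLS ClientHello carries no SNI; a server can pick a per-host certificate only from SNI, because the Host header arrives after the handshake. The script below is an added example, not part of the original post: it compares the SHA-256 fingerprint of the certificate in the Secret with what the proxy serves with and without SNI. The function names are hypothetical, and it assumes OpenSSL 1.1.1 or later (for `-noservername`), kubectl access to the cluster, and TLS on port 443.

```shell
#!/bin/sh
# Added diagnostic example; not from the original post.
# Assumptions: OpenSSL 1.1.1+, kubectl access, TLS listener on port 443.

# SHA-256 fingerprint of the first PEM certificate read from stdin.
fp_of_pem() {
  openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/.*=//' | tr 'a-f' 'A-F'
}

# Fingerprint of the leaf certificate served at IP:PORT.
# Without a third argument no server_name extension is sent, which is
# what curl does when the URL contains an IP address.
served_fp() {  # usage: served_fp IP PORT [SNI]
  if [ -n "${3:-}" ]; then
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null | fp_of_pem
  else
    openssl s_client -connect "$1:$2" -noservername </dev/null 2>/dev/null | fp_of_pem
  fi
}

# Fingerprint of tls.crt stored in a kubernetes.io/tls Secret.
secret_fp() {  # usage: secret_fp NAMESPACE SECRET
  kubectl -n "$1" get secret "$2" -o jsonpath='{.data.tls\.crt}' | base64 -d | fp_of_pem
}

# Locate the problem from three fingerprints.
classify() {  # usage: classify EXPECTED WITH_SNI WITHOUT_SNI
  if [ -z "$1" ] || [ -z "$2" ]; then
    echo "probe-failed"                 # Secret unreadable or handshake failed
  elif [ "$2" != "$1" ]; then
    echo "secret-not-served"            # proxy ignores the Secret even with SNI
  elif [ "$3" != "$1" ]; then
    echo "served-with-sni-only"         # proxy is fine; the client must send SNI
  else
    echo "served-with-and-without-sni"  # Secret's cert is also the default cert
  fi
}

# Runs only when called as: script IP HOST NAMESPACE SECRET
if [ "$#" -eq 4 ]; then
  classify "$(secret_fp "$3" "$4")" "$(served_fp "$1" 443 "$2")" "$(served_fp "$1" 443)"
fi
```

A result of `served-with-sni-only` means the same curl test will succeed once the hostname is in the URL, for example with curl's `--resolve myservice.domain.com:443:<ingress IP>` option.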