Hi,
Cluster Information
Kubernetes version: 1.11.9
Cloud being used: AKS
Client Version: v1.12.2
Server Version: v1.11.9
Background
For secure ingress with a TLS certificate, we referred to the documents below to create the Kubernetes TLS secret.
https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
https://kubernetes.github.io/ingress-nginx/user-guide/tls/
We have confirmed that our certificate is valid, and it had been running without issue for over a few months.
In the middle of April, without any changes on our side to Kubernetes, the ingress started loading the Ingress Controller Fake Certificate instead of our certificate. Because of this we could not reach any service in any namespace in AKS through the Ingress.
We had to first remove all ingress components with kubectl delete -f IngressProvisionYAML, then re-provision the ingress, and only then did the services resume. (We did not re-create the TLS secret; we still use the same one.)
Would anyone have an idea why this happened and how to prevent it?
Ingress YAML
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: deatest
  namespace: deatest
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    nginx.ingress.kubernetes.io/ssl-passthrough: "false"
spec:
  tls:
  - hosts:
    - ingress201.api.companydomain.com.hk
    secretName: ingress-companydomain-tls
  rules:
  - host: ingress201.api.companydomain.com.hk
    http:
      paths:
      - path: /deatraining
        backend:
          serviceName: deatraining
          servicePort: 80
      - path: /deatraining06
        backend:
          serviceName: deatraining06
          servicePort: 80
      - path: /dotnetwebapi
        backend:
          serviceName: dotnetapi-service
          servicePort: 80
Error Log
In the ingress controller log we found two related errors.
E0414 08:02:15.231803 7 leaderelection.go:252] error retrieving resource lock kube-system/ingress-controller-leader-nginx: configmaps "ingress-controller-leader-nginx" is forbidden: User "system:serviceaccount:kube-system:ingress-service-account" cannot get configmaps in the namespace "kube-system"
E0414 08:02:25.312695 7 backend_ssl.go:161] Error generating CA certificate chain for Secret "deatest/ingress-api-companydomain-com-hk-tls": Invalid certificate.
Remark
We used companydomain in place of our actual company domain in the YAML and log above.
Thanks all.
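As an added example (not part of the original post, and not ingress-nginx's own code), a small Go program that runs the checks an ingress controller applies to a Secret's tls.crt before it will serve it instead of the fake certificate: every PEM block must parse as a certificate, the first block (the leaf) must be inside its validity window, and the leaf must cover the Ingress host. The function names, the host string and the self-signed fixture are assumptions; in practice you would feed it the decoded tls.crt of the secret named in the error log.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckTLSSecretCert applies the checks an ingress controller makes on the tls.crt of a
// kubernetes.io/tls Secret before serving it: every PEM block must parse as a certificate,
// and the first one (the leaf) must be valid at `now` and cover `host`. A non-nil error is
// the situation in which the controller falls back to its built-in fake certificate.
func CheckTLSSecretCert(tlsCrt []byte, host string, now time.Time) error {
	var leaf *x509.Certificate
	for block, rest := pem.Decode(tlsCrt); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes) // a key or garbage block fails here
		if err != nil {
			return fmt.Errorf("invalid certificate in tls.crt: %w", err)
		}
		if leaf == nil {
			leaf = c // controllers expect the leaf first, any CA chain after it
		}
	}
	if leaf == nil {
		return fmt.Errorf("tls.crt contains no PEM certificate")
	}
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return fmt.Errorf("leaf not valid at %v (NotBefore %v, NotAfter %v)", now, leaf.NotBefore, leaf.NotAfter)
	}
	if err := leaf.VerifyHostname(host); err != nil {
		return fmt.Errorf("leaf does not cover %s: %w", host, err)
	}
	return nil
}

// SelfSignedPEM is a constructed test fixture (assumption: a real tls.crt would be read
// from the Secret, e.g. kubectl get secret <name> -o jsonpath='{.data.tls\.crt}' | base64 -d).
func SelfSignedPEM(host string, notBefore, notAfter time.Time) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{host},
		NotBefore: notBefore, NotAfter: notAfter}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```

Running this against the stored tls.crt on a schedule (or just before the NotAfter date) turns a silent fallback to the fake certificate into an explicit, actionable error.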