Description
What happened:
Server certificate verification is configured on the ingress, but the ingress fails to verify the server certificate.
The annotations on the ingress are as follows:
nginx.ingress.kubernetes.io/proxy-ssl-secret: fst-manage/tenant-management-service-server
nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
The tenant-management-service-server secret and backend services trust each other. After I run the curl command to access the ingress, an error is reported in the ingress log.
curl -ivk https://ingress-proxy-er.fst-manage.svc.cluster.local:31942/v2/charts
The error message:
2025/02/20 13:41:00 [error] 17473#17473: *8390068 upstream SSL certificate does not match "upstream_balancer" while SSL handshaking to upstream, client: 172.16.0.1, server: _, request: "GET /v2/charts HTTP/2.0", upstream: "https://172.16.0.7:12443/v2/charts", host: "ingress-proxy-er.fst-manage.svc.cluster.local:31942"
What you expected to happen:
Certificate authentication is successful.
NGINX Ingress controller version (exec into the pod and run /nginx-ingress-controller --version):
NGINX Ingress controller
Release: v1.9.4
Kubernetes version (use kubectl version):
v1.28.1
Environment:
- Cloud provider or hardware configuration:
- OS (e.g. from /etc/os-release):
- Kernel (e.g. uname -a):
- Install tools:
  - Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc.
- Basic cluster related info:
kubectl version
- Client Version:v1.28.1
- Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
- Server Version: v1.28.1
kubectl get nodes -o wide
- 1 control plane nodes, 1 workers
- How was the ingress-nginx-controller installed:
  - If helm was used then please show output of helm ls -A | grep -i ingress
  - If helm was used then please show output of helm -n <ingresscontrollernamespace> get values <helmreleasename>
  - If helm was not used, then copy/paste the complete precise command used to install the controller, along with the flags and options used
  - If you have more than one instance of the ingress-nginx-controller installed in the same cluster, please provide details for all the instances
- Current State of the controller:
kubectl describe ingressclasses
kubectl -n <ingresscontrollernamespace> get all -A -o wide
kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>
kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
- Current state of ingress object, if applicable:
kubectl -n <appnamespace> get all,ing -o wide
kubectl -n <appnamespace> describe ing <ingressname>
- If applicable, then, your complete and exact curl/grpcurl command (redacted if required) and the response to the curl/grpcurl command with the -v flag
- Others:
  - Any other related information like:
    - copy/paste of the snippet (if applicable)
    - kubectl describe ... of any custom configmap(s) created and in use
    - Any other related information that may help
How to reproduce this issue:
Do not use the configuration:
nginx.ingress.kubernetes.io/proxy-ssl-secret: fst-manage/tenant-management-service-server
nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
Anything else we need to know:
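An added example, not part of the original report and not the ingress-nginx project's own manifest: nginx verifies the upstream certificate against `proxy_ssl_name`, which defaults to the host part of `proxy_pass`, and ingress-nginx proxies to the internal upstream name `upstream_balancer`, the name quoted in the error message above. The manifest below keeps the two annotations from the report and adds `proxy-ssl-name` to override that name. The Ingress name, ingress class, Service name and port, and the certificate name placeholder are assumptions.

```yaml
# Added example; values marked "assumed" or "placeholder" are not from the report.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tenant-management            # assumed
  namespace: fst-manage
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # From the report: secret holding the CA (ca.crt) and the verification switch.
    nginx.ingress.kubernetes.io/proxy-ssl-secret: fst-manage/tenant-management-service-server
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    # With only the two annotations above, nginx compares the backend
    # certificate with its default proxy_ssl_name, "upstream_balancer".
    # Set the name to a DNS name present in the backend certificate's SAN list.
    nginx.ingress.kubernetes.io/proxy-ssl-name: "<dns-name-from-backend-cert-SAN>"  # placeholder
    # Also send that name as SNI, for backends that pick a certificate by SNI.
    nginx.ingress.kubernetes.io/proxy-ssl-server-name: "on"
spec:
  ingressClassName: nginx            # assumed
  rules:
    - http:                          # no host rule: the log shows server "_"
        paths:
          - path: /v2/charts
            pathType: Prefix
            backend:
              service:
                name: tenant-management-service   # assumed
                port:
                  number: 12443                   # assumed; the log shows the pod port
```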