Description
What happened:
When attempting to deploy the ingress with an existing TLS certificate, the fake certificate is still being used during startup.
I have an existing TLS secret in the default namespace:
kubectl get secrets -n default | grep tls
tls-crt kubernetes.io/tls 2 44d
According to the chart values, there's a key which can be used to set the default SSL/TLS certificate:
helm show values ingress-nginx --repo https://kubernetes.github.io/ingress-nginx | grep '## extraArgs' -A1
## extraArgs:
## default-ssl-certificate: "<namespace>/<secret_name>"
So I used helm to deploy the ingress with the following command, setting the controller.extraArgs.default-ssl-certificate property to the existing secret:
helm install ingress-nginx ingress-nginx/ingress-nginx --create-namespace --namespace ingress-nginx --set controller.extraArgs.default-ssl-certificate="default/tls-crt"
However, from the logs, it seems that the fake certificate is still being used as a default:
❯ kubectl logs -n ingress-nginx ingress-nginx-controller-79c9944898-n4dm2
-------------------------------------------------------------------------------
NGINX Ingress controller
Release: v1.12.1
Build: 51c2b819690bbf1709b844dbf321a9acf6eda5a7
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.25.5
-------------------------------------------------------------------------------
W0424 19:02:56.455834 7 client_config.go:667] Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.
I0424 19:02:56.456838 7 main.go:205] "Creating API client" host="https://10.43.0.1:443"
I0424 19:02:56.461759 7 main.go:248] "Running in Kubernetes cluster" major="1" minor="31" git="v1.31.6+k3s1" state="clean" commit="6ab750f93f790b02553e4e22f7937e1c58e2b7ea" platform="linux/amd64"
F0424 19:02:56.776936 7 ssl.go:389] unexpected error storing fake SSL Cert: could not create PEM certificate file /etc/ingress-controller/ssl/default-fake-certificate.pem: open /etc/ingress-controller/ssl/default-fake-certificate.pem: permission denied
What you expected to happen:
The existing TLS certificate should be used instead of the fake certificate on startup.
NGINX Ingress controller version
v1.12.1
Kubernetes version:
kubectl version
Client Version: v1.32.2
Kustomize Version: v5.5.0
Server Version: v1.31.6+k3s1
Environment:
- Cloud provider or hardware configuration: GCP VM
- OS (e.g. from /etc/os-release): Debian 12 (bookworm)
- Kernel (e.g. uname -a): Linux kgal-gcp-dev 6.1.0-33-cloud-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.133-1 (2025-04-10) x86_64 GNU/Linux
- Install tools: helm, k3s
- How was the ingress-nginx-controller installed:
- If helm was used then please show output of
helm ls -A | grep -i ingress
❯ helm ls -A | grep -i ingress
ingress-nginx ingress-nginx 1 2025-04-24 14:41:19.044115 -0400 EDT deployed ingress-nginx-4.12.1 1.12.1
- If helm was used then please show output of
helm -n <ingresscontrollernamespace> get values <helmreleasename>
❯ helm -n ingress-nginx get values ingress-nginx
USER-SUPPLIED VALUES:
controller:
extraArgs:
default-ssl-certificate: default/tls-kgal-gcp-dev-crt
- Current State of the controller:
❯ kubectl describe ingressclasses.networking.k8s.io
Name: nginx
Labels: app.kubernetes.io/component=controller
app.kubernetes.io/instance=ingress-nginx
app.kubernetes.io/managed-by=Helm
app.kubernetes.io/name=ingress-nginx
app.kubernetes.io/part-of=ingress-nginx
app.kubernetes.io/version=1.12.1
helm.sh/chart=ingress-nginx-4.12.1
Annotations: meta.helm.sh/release-name: ingress-nginx
meta.helm.sh/release-namespace: ingress-nginx
Controller: k8s.io/ingress-nginx
Events: <none>
kubectl -n <ingresscontrollernamespace> get all -A -o wide
NAMESPACE NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES
ingress-nginx pod/ingress-nginx-controller-79c9944898-n4dm2 0/1 CrashLoopBackOff 10 (2m30s ago) 29m 10.42.0.21 kgal-gcp-dev <none> <none>
kube-system pod/coredns-ccb96694c-n47n8 1/1 Running 3 (26h ago) 6d2h 10.42.0.2 kgal-gcp-dev <none> <none>
kube-system pod/local-path-provisioner-5b5f758bcf-wbq9d 1/1 Running 3 (26h ago) 6d2h 10.42.0.4 kgal-gcp-dev <none> <none>
kube-system pod/metrics-server-7bf7d58749-q55vh 1/1 Running 3 (26h ago) 6d2h 10.42.0.5 kgal-gcp-dev <none> <none>
kube-system pod/svclb-ingress-nginx-controller-7884ccb5-m5cxm 2/2 Running 0 29m 10.42.0.20 kgal-gcp-dev <none> <none>
NAMESPACE NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE SELECTOR
default service/kubernetes ClusterIP 10.43.0.1 <none> 443/TCP 44d <none>
ingress-nginx service/ingress-nginx-controller LoadBalancer 10.43.168.101 10.150.15.212 80:31018/TCP,443:32390/TCP 29m app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx
ingress-nginx service/ingress-nginx-controller-admission ClusterIP 10.43.5.197 <none> 443/TCP 29m app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx
kube-system service/kube-dns ClusterIP 10.43.0.10 <none> 53/UDP,53/TCP,9153/TCP 44d k8s-app=kube-dns
kube-system service/metrics-server ClusterIP 10.43.78.5 <none> 443/TCP 44d k8s-app=metrics-server
NAMESPACE NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE CONTAINERS IMAGES SELECTOR
kube-system daemonset.apps/svclb-ingress-nginx-controller-7884ccb5 1 1 1 1 1 <none> 29m lb-tcp-80,lb-tcp-443 rancher/klipper-lb:v0.4.10,rancher/klipper-lb:v0.4.10 app=svclb-ingress-nginx-controller-7884ccb5
NAMESPACE NAME READY UP-TO-DATE AVAILABLE AGE CONTAINERS IMAGES SELECTOR
ingress-nginx deployment.apps/ingress-nginx-controller 0/1 1 0 29m controller registry.k8s.io/ingress-nginx/controller:v1.12.1@sha256:d2fbc4ec70d8aa2050dd91a91506e998765e86c96f32cffb56c503c9c34eed5b app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx
kube-system deployment.apps/coredns 1/1 1 1 44d coredns rancher/mirrored-coredns-coredns:1.12.0 k8s-app=kube-dns
kube-system deployment.apps/local-path-provisioner 1/1 1 1 44d local-path-provisioner rancher/local-path-provisioner:v0.0.31 app=local-path-provisioner
kube-system deployment.apps/metrics-server 1/1 1 1 44d metrics-server rancher/mirrored-metrics-server:v0.7.2 k8s-app=metrics-server
NAMESPACE NAME DESIRED CURRENT READY AGE CONTAINERS IMAGES SELECTOR
ingress-nginx replicaset.apps/ingress-nginx-controller-79c9944898 1 1 0 29m controller registry.k8s.io/ingress-nginx/controller:v1.12.1@sha256:d2fbc4ec70d8aa2050dd91a91506e998765e86c96f32cffb56c503c9c34eed5b app.kubernetes.io/component=controller,app.kubernetes.io/instance=ingress-nginx,app.kubernetes.io/name=ingress-nginx,pod-template-hash=79c9944898
kube-system replicaset.apps/coredns-ccb96694c 1 1 1 44d coredns rancher/mirrored-coredns-coredns:1.12.0 k8s-app=kube-dns,pod-template-hash=ccb96694c
kube-system replicaset.apps/local-path-provisioner-5b5f758bcf 1 1 1 44d local-path-provisioner rancher/local-path-provisioner:v0.0.31 app=local-path-provisioner,pod-template-hash=5b5f758bcf
kube-system replicaset.apps/metrics-server-7bf7d58749 1 1 1 44d metrics-server rancher/mirrored-metrics-server:v0.7.2 k8s-app=metrics-server,pod-template-hash=7bf7d58749
How to reproduce this issue:
- Create a self-signed certificate and private key:
# Private key, then a self-signed certificate written as $DOMAIN_NAME.crt (the file name the secret step below expects)
openssl genrsa -out $DOMAIN_NAME.key 2048
openssl req -x509 -new -nodes -key $DOMAIN_NAME.key -sha256 -days 1825 -out $DOMAIN_NAME.crt
- Create a Kubernetes TLS Secret using certificate and private key:
kubectl create secret tls tls-$DOMAIN_NAME-crt --cert=$DOMAIN_NAME.crt --key=$DOMAIN_NAME.key -n default
- Deploy ingress:
helm install ingress-nginx ingress-nginx/ingress-nginx --create-namespace --namespace ingress-nginx --set controller.extraArgs.default-ssl-certificate="default/tls-$DOMAIN_NAME-crt"
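After the deploy step, the quickest way to tell whether the controller is serving the certificate from the secret or its built-in fake certificate is to compare what the listener actually presents. The script below is an added example, not code from the issue or from the ingress-nginx project; it assumes kubectl and openssl are on PATH, that the cluster is reachable, and that the secret reference uses the `<namespace>/<secret_name>` format shown in the chart values.

```shell
#!/usr/bin/env sh
# Added example (not from the issue or ingress-nginx): verify which default
# certificate an ingress-nginx endpoint presents. Assumes kubectl + openssl.
set -u

# ingress-nginx's self-signed fallback certificate carries this CN.
FAKE_CN="Kubernetes Ingress Controller Fake Certificate"

# Returns 0 when an "openssl x509 -subject" line names the fake certificate.
is_fake_cert() {
  case "$1" in
    *"$FAKE_CN"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Splits "<namespace>/<secret>" (the --default-ssl-certificate format) into two
# words on stdout; rejects anything else so a typo in the Helm value fails early.
parse_secret_ref() {
  case "$1" in
    */*/*|/*|*/) return 1 ;;
    */*) printf '%s %s\n' "${1%%/*}" "${1#*/}" ;;
    *) return 1 ;;
  esac
}

# SHA-256 fingerprint of the leaf certificate presented for host:port with SNI.
served_fingerprint() { # host port sni
  openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# SHA-256 fingerprint of tls.crt stored in a kubernetes.io/tls secret.
secret_fingerprint() { # namespace secret
  kubectl -n "$1" get secret "$2" -o jsonpath='{.data.tls\.crt}' | base64 -d |
    openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Usage: check_default_cert <host> <port> <sni> "<namespace>/<secret>"
# Exit 0 = secret's cert is served, 1 = fake cert or mismatch, 2 = bad reference.
check_default_cert() {
  ref=$(parse_secret_ref "$4") || { echo "bad secret reference: $4"; return 2; }
  ns=${ref%% *}; name=${ref#* }
  subject=$(openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null |
    openssl x509 -noout -subject)
  if is_fake_cert "$subject"; then
    echo "FAKE: $1:$2 still serves the ingress-nginx fake certificate"; return 1
  fi
  [ "$(served_fingerprint "$1" "$2" "$3")" = "$(secret_fingerprint "$ns" "$name")" ] &&
    echo "OK: served certificate matches secret $ns/$name"
}
```

Run it as `check_default_cert 10.150.15.212 443 example.invalid default/tls-crt` (placeholder SNI) once the controller pod is Running; while it is in CrashLoopBackOff nothing is listening, so the check cannot pass.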