Use cert-manager and self signed cert for upstream tls with konghq.com/ca-certificates-secrets

[lucatiozzo91]

Hi all,

I'm trying to configure upstream TLS validation between the Kong Ingress Controller and my backend service, using self-signed certificates managed by cert-manager.

Context

My setup is as follows:

I am using cert-manager to create a self-signed root CA.

I have issued a server certificate for my backend service (let's call it dummy-app-tls), signed by this root CA. This creates a kubernetes.io/tls secret named dummy-app-tls-tls.

The backend service is correctly deployed and serves HTTPS.

I can successfully verify the backend's certificate from within the cluster using curl --cacert /path/to/root-ca.crt https://dummy-app-tls.dummy-app-tls.svc.

If I configure Kong to proxy to the service without TLS validation (e.g., by disabling verification), it works fine.

The Problem

Now, I want to enable strict TLS validation. Following the Kong documentation (like this guide: https://developer.konghq.com/kubernetes-ingress-controller/verify-upstream-tls/), I am trying to use the konghq.com/ca-certificates-secrets='root-ca' annotation on my Kubernetes Service (where root-ca is the secret containing my root CA certificate).

When I do this, the Kong controller logs show the following error:

Invalid CA certificate 'dummy-app-tls/dummy-app-tls-tls': missing 'id' field in data

My Analysis & Question

This error is confusing. Furthermore, looking at the example in the documentation, it seems Kong expects the secret's data section to contain a id=UUID?? as a key, not the standard ca.crt key that cert-manager creates. This seems incompatible with cert-manager's standard output.

How can I resolve this? I want to keep using cert-manager for all my certificates, but I need Kong to trust my self-signed root CA for upstream validation.

Am I using the wrong annotation, or is there a different, modern way to provide the CA to Kong that is compatible with cert-manager?

Thanks in advance!

[pmalek]

These ids are required as indicated in: https://developer.konghq.com/api/gateway/admin-ee/3.13/#/operations/create-service-in-workspace

ca_certificates
Array of CA Certificate object UUIDs that are used to build the trust store while verifying upstream server’s TLS certificate. If set to null when Nginx default is respected. If default CA list in Nginx are not specified and TLS verification is enabled, then handshake with upstream server will always fail (because no CA are trusted).

The id field is also mentioned in the linked doc.

---

I'm just speculating but I believe we could add id generation based on cert contents and assigning that inside the ingress controller. I'm not sure about this but I think it would work.

If that could work for you, feel free to create a feature request for this. Do note that further development is happening in https://github.com/Kong/kong-operator/ not in https://github.com/Kong/kubernetes-ingress-controller.