Default Secret for TLS Ingresses
Overview
By default, AKO expects all ingresses with TLS termination to have key and cert to be specified in the route spec. Sometimes, users may want to apply a common key-cert for multiple ingresses.
To handle such use cases, AKO supports TLS routes without key/cert specified in the ingress spec.
You can apply a common key-cert value for multiple ingresses using the default secret for TLS ingresses. For example, a wild card secret can be used for all host names in the same subdomain.
Using Default Secret for Ingress
Default secret for Ingress can be used to apply a common key-cert for multiple Ingresses. For example, a wild carded secret can be used for all host names in the same subdomain.
To use the wild card secret,
- Create a secret with the name
router-certs-defaultin the same namespace where the AKO pod is running (avi-system). Ensure that the secret has tls.crt and tls.key fields in the data section. - Add the annotation
ako.vmware.com/enable-tlsin the required Ingresses and set its value totrue
An example of the default secret is given below:
apiVersion: v1
kind: Secret
metadata:
name: router-certs-default
namespace: avi-system
type: kubernetes.io/tls
data:
tls.crt:
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
tls.key:
-----BEGIN PRIVATE KEY-----
[...]
-----END PRIVATE KEY-----
The Ingress using this default secret is as shown below:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ingress1
annotations:
ako.vmware.com/enable-tls: "true"
spec:
ingressClassName: avi-lb
rules:
- host: "ingr1.avi.internal"
http:
paths:
- path: /foo
backend:
service:
name: avisvc1
port:
number: 80
Note: The default secret will not be used when:
- If any Host Rule specifies an Avi SSL Key Cert for the same host
- If a secret is specified in the TLS section of the Ingress spec
Related Reading
Document Revision History
| Date | Change Summary |
|---|---|
| April 28, 2021 | Published the article for Default Secret for TLS Ingresses |