Default Secret for TLS Ingresses

Overview

By default, AKO expects every Ingress with TLS termination to specify its own key and certificate in its spec. Sometimes, users want to apply one common key-cert pair to multiple Ingresses.

To handle such use cases, AKO supports TLS routes without key/cert specified in the ingress spec.

You can apply a common key-cert value to multiple Ingresses using the default secret for TLS Ingresses. For example, a wildcard secret can be used for all host names in the same subdomain.

Using Default Secret for Ingress

The default secret for Ingress can be used to apply a common key-cert pair to multiple Ingresses. For example, a wildcard secret can be used for all host names in the same subdomain.

To use the wildcard secret:

  1. Create a secret named router-certs-default in the same namespace where the AKO pod is running (avi-system). Ensure that the secret has tls.crt and tls.key fields in the data section.
  2. Add the annotation ako.vmware.com/enable-tls to the required Ingresses and set its value to "true".

An example of the default secret is given below:


apiVersion: v1
kind: Secret
metadata:
  name: router-certs-default
  namespace: avi-system
type: kubernetes.io/tls
data:
  # Values under data: must be the base64 encoding of the PEM blocks shown here;
  # kubectl create secret tls does this encoding for you.
  tls.crt: |
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
  tls.key: |
    -----BEGIN PRIVATE KEY-----
    [...]
    -----END PRIVATE KEY-----

The Ingress using this default secret is as shown below:


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress1
  annotations:
    ako.vmware.com/enable-tls: "true"
spec:
  ingressClassName: avi-lb
  rules:
  - host: "ingr1.avi.internal"
    http:
      paths:
      - path: /foo
        backend:
          service:
            name: avisvc1
            port:
              number: 80
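
The two steps above, wrapped in a small POSIX shell script as an added example (this is not part of the AKO documentation or project code). It builds the kubectl commands that create the router-certs-default secret in avi-system and annotate an Ingress, and adds a pre-flight check a practitioner would want: whether a wildcard certificate actually covers every host in the Ingress, since a wildcard only matches a single DNS label. The Ingress manifest, the PEM file names and the wildcard name *.avi.internal are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the AKO docs: automate the default-secret procedure
# and check that the wildcard certificate covers every Ingress host.
set -eu

SECRET_NAME=router-certs-default   # name AKO looks for
AKO_NS=avi-system                  # namespace the AKO pod runs in
WILDCARD_CN='*.avi.internal'       # assumed subject name of the wildcard cert (constructed)

# Step 1: command that creates the default secret from PEM files.
# "kubectl create secret tls" base64-encodes the files into data.tls.crt and
# data.tls.key, which is the layout AKO expects.
default_secret_cmd() {
  printf 'kubectl create secret tls %s -n %s --cert=%s --key=%s\n' \
    "$SECRET_NAME" "$AKO_NS" "$1" "$2"
}

# Step 2: command that opts one Ingress (name, namespace) into the default secret.
enable_tls_cmd() {
  printf 'kubectl annotate ingress %s -n %s ako.vmware.com/enable-tls=true --overwrite\n' \
    "$1" "$2"
}

# A wildcard name covers exactly one DNS label: *.avi.internal matches
# ingr1.avi.internal but neither avi.internal nor api.ingr2.avi.internal.
host_covered_by_wildcard() {
  host=$1 pattern=$2
  case "$pattern" in
    \*.*)
      suffix=${pattern#\*}            # ".avi.internal"
      label=${host%"$suffix"}         # host with the suffix stripped, if it was present
      if [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ]; then
        return 0
      fi
      return 1 ;;
    *)
      if [ "$host" = "$pattern" ]; then return 0; fi
      return 1 ;;
  esac
}

# Constructed Ingress manifest: one host the wildcard covers and one it does not.
INGRESS_YAML='apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress1
  annotations:
    ako.vmware.com/enable-tls: "true"
spec:
  ingressClassName: avi-lb
  rules:
  - host: "ingr1.avi.internal"
  - host: "api.ingr2.avi.internal"
'

# Pull the "- host:" values out of the manifest (surrounding quotes optional).
ingress_hosts() {
  printf '%s\n' "$1" | sed -n 's/^ *- host: *"\{0,1\}\([^"]*\)"\{0,1\} *$/\1/p'
}

# Print the number of hosts the wildcard does NOT cover. Those hosts would get a
# certificate name mismatch at the client, so they need their own TLS secret.
uncovered_host_count() {
  n=0
  for h in $(ingress_hosts "$1"); do
    if ! host_covered_by_wildcard "$h" "$2"; then
      echo "not covered by $2: $h" >&2
      n=$((n + 1))
    fi
  done
  echo "$n"
}

main() {
  default_secret_cmd ./wildcard.crt ./wildcard.key
  enable_tls_cmd ingress1 default
  echo "hosts outside $WILDCARD_CN: $(uncovered_host_count "$INGRESS_YAML" "$WILDCARD_CN")"
}
main
```

The script only prints the kubectl commands so it can be reviewed before anything is applied; the coverage check is the part worth keeping in a pipeline, because AKO will happily attach the default secret to a host the certificate does not name.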

Note: The default secret is not used when:

  • a HostRule specifies an Avi SSL Key Cert for the same host
  • a secret is specified in the TLS section of the Ingress spec

Document Revision History

Date Change Summary
April 28, 2021 Published the article for Default Secret for TLS Ingresses