Default Secret for TLS Ingresses

Overview

By default, AKO expects all ingresses with TLS termination to have key and cert to be specified in the route spec. Sometimes, users may want to apply a common key-cert for multiple ingresses.

To handle such use cases, AKO supports TLS routes without key/cert specified in the ingress spec.

You can apply a common key-cert value for multiple ingresses using the default secret for TLS ingresses. For example, a wild card secret can be used for all host names in the same subdomain.

Using Default Secret for Ingress

Default secret for Ingress can be used to apply a common key-cert for multiple Ingresses. For example, a wild carded secret can be used for all host names in the same subdomain.

To use the wild card secret,

  1. Create a secret with the name router-certs-default in the same namespace where the AKO pod is running (avi-system). Ensure that the secret has tls.crt and tls.key fields in the data section.

  2. Additionally, update the fields alt.crt and alt.key to allow multiple default certificates when trying to configure both RSA and ECC signed certificates. The Controller allows a virtual service to be configured with two certificates at a time, one each of RSA and ECC. This enables Avi Controller to negotiate the optimal algorithm or cipher with the client. If the client supports ECC, in that case the ECC algorithm is preferred, and RSA is used as a fallback in cases where the clients do not support ECC.

  3. Add the annotation ako.vmware.com/enable-tls in the required Ingresses and set its value to true

An example of the default secret is given below:


apiVersion: v1
kind: Secret
metadata:
  name: router-certs-default
  namespace: avi-system
type: kubernetes.io/tls
data:
  tls.key: 
    -----BEGIN PRIVATE KEY-----
    [...]
    -----END PRIVATE KEY-----
  tls.crt:
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
  alt.key: 
    -----BEGIN PRIVATE KEY-----
    [...]
    -----END PRIVATE KEY-----
  alt.crt:
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
  

The Ingress using this default secret is as shown below:


apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress1
  annotations:
    ako.vmware.com/enable-tls: "true"
spec:
  ingressClassName: avi-lb
  rules:
  - host: "ingr1.avi.internal"
    http:
      paths:
      - path: /foo
        backend:
          service:
            name: avisvc1
            port:
              number: 80

Note: The default secret will not be used when:

  • If any Host Rule specifies an Avi SSL Key Cert for the same host
  • If a secret is specified in the TLS section of the Ingress spec

Document Revision History

Date Change Summary
June 09, 2022 Updated the article for Default Secret for TLS Ingresses
April 28, 2021 Published the article for Default Secret for TLS Ingresses