Default Secret for TLS Ingresses

By default, AKO expects every ingress with TLS termination to have its key and certificate specified in the ingress spec. Sometimes, users might want to apply a common key-cert to multiple ingresses. To handle such use cases, AKO supports TLS ingresses without a key/cert specified in the ingress spec. You can apply a common key-cert value to multiple ingresses using the default secret for TLS ingresses. For example, a wildcard secret can be used for all host names in the same subdomain.

Using Default Secret for Ingress

The default secret for Ingress can be used to apply a common key-cert to multiple Ingresses. For example, a wildcard secret can be used for all host names in the same subdomain.
To use the wildcard secret:
  1. Create a secret with the name router-certs-default in the same namespace where the AKO pod is running (avi-system). Ensure that the secret has tls.crt and tls.key fields in the data section.
  2. To configure both RSA- and ECC-signed default certificates, also add the fields alt.crt and alt.key to the same secret. The Controller allows a virtual service to be configured with two certificates at a time, one RSA and one ECC. This enables the NSX Advanced Load Balancer Controller to negotiate the optimal algorithm or cipher with the client: if the client supports ECC, the ECC certificate is preferred, and RSA is used as a fallback for clients that do not support ECC.
  3. Add the annotation ako.vmware.com/enable-tls to the required Ingresses and set its value to true.
An example of the default secret is given below:
apiVersion: v1
kind: Secret
metadata:
  name: router-certs-default
  namespace: avi-system
type: kubernetes.io/tls
data:
  # Values under data are stored base64-encoded; the PEM shown is what each value
  # decodes to, with [...] standing for the elided body of the key or certificate.
  tls.key: |
    -----BEGIN PRIVATE KEY-----
    [...]
    -----END PRIVATE KEY-----
  tls.crt: |
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
  # Second (RSA or ECC) pair; include only when both keys are present.
  alt.key: |
    -----BEGIN PRIVATE KEY-----
    [...]
    -----END PRIVATE KEY-----
  alt.crt: |
    -----BEGIN CERTIFICATE-----
    [...]
    -----END CERTIFICATE-----
The Ingress using this default secret is as shown below:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress1
  annotations:
    ako.vmware.com/enable-tls: "true"   # opt this Ingress in to the default secret
spec:
  ingressClassName: avi-lb
  rules:
    - host: "ingr1.avi.internal"
      http:
        paths:
          - path: /foo
            pathType: Prefix            # required by networking.k8s.io/v1
            backend:
              service:
                name: avisvc1
                port:
                  number: 80
The default secret will not be used when:
  • Any Host Rule specifies an NSX Advanced Load Balancer SSL Key Cert for the same host.
  • A secret is specified in the TLS section of the Ingress spec.
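The following Python script is an added example, not part of this page or of AKO itself. It serves both the secret-creation steps above and the precedence rules just listed: build_default_secret produces the router-certs-default manifest with correctly base64-encoded data fields (a common mistake is pasting raw PEM under data), wildcard_covers checks which host names a wildcard certificate actually covers (one DNS label only), and default_secret_applies evaluates an Ingress object as returned by kubectl get ingress -o json against the two exclusion rules. The PEM strings and the Ingress object are constructed samples; the set of hosts that a HostRule binds to an SSL Key Cert is an assumed input that you would gather from your HostRule objects.

```python
import base64
import json

# Values taken from the page: the default secret's name/namespace and the opt-in annotation.
DEFAULT_SECRET_NAME = "router-certs-default"
DEFAULT_SECRET_NAMESPACE = "avi-system"
ENABLE_TLS_ANNOTATION = "ako.vmware.com/enable-tls"


def _encode(pem: str) -> str:
    # Kubernetes 'data' values are base64-encoded bytes, so raw PEM must be encoded first.
    return base64.b64encode(pem.encode()).decode()


def build_default_secret(tls_key, tls_crt, alt_key=None, alt_crt=None):
    """Build the kubernetes.io/tls Secret manifest that AKO reads as the default key-cert.

    tls.key/tls.crt are mandatory; alt.key/alt.crt (the second RSA or ECC pair)
    must be supplied together or not at all.
    """
    if "-----BEGIN" not in tls_key or "-----BEGIN" not in tls_crt:
        raise ValueError("tls.key and tls.crt must be PEM-encoded")
    if (alt_key is None) != (alt_crt is None):
        raise ValueError("alt.key and alt.crt must be given together")
    data = {"tls.key": _encode(tls_key), "tls.crt": _encode(tls_crt)}
    if alt_key is not None:
        data["alt.key"] = _encode(alt_key)
        data["alt.crt"] = _encode(alt_crt)
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": DEFAULT_SECRET_NAME, "namespace": DEFAULT_SECRET_NAMESPACE},
        "type": "kubernetes.io/tls",
        "data": data,
    }


def wildcard_covers(pattern: str, host: str) -> bool:
    """True if a certificate name such as '*.avi.internal' covers host.

    A wildcard matches exactly one DNS label, so it covers 'ingr1.avi.internal'
    but neither 'avi.internal' itself nor 'a.b.avi.internal'.
    """
    pattern, host = pattern.lower(), host.lower()
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # e.g. ".avi.internal"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return bool(label) and "." not in label


def default_secret_applies(ingress: dict, host: str, hostrule_cert_hosts=frozenset()) -> bool:
    """Decide whether AKO would use router-certs-default for host on this Ingress.

    `ingress` is the object as returned by `kubectl get ingress -o json`.
    `hostrule_cert_hosts` (assumed input) is the set of FQDNs for which a HostRule
    names an NSX Advanced Load Balancer SSL Key Cert; those hosts take precedence.
    """
    annotations = (ingress.get("metadata") or {}).get("annotations") or {}
    if str(annotations.get(ENABLE_TLS_ANNOTATION, "")).lower() != "true":
        return False  # the Ingress has not opted in to the default secret
    spec = ingress.get("spec") or {}
    if host not in {rule.get("host") for rule in spec.get("rules") or []}:
        return False  # host is not served by this Ingress at all
    if host in hostrule_cert_hosts:
        return False  # a HostRule SSL Key Cert wins over the default secret
    for entry in spec.get("tls") or []:
        if entry.get("secretName") and host in (entry.get("hosts") or []):
            return False  # an explicit secret in spec.tls wins over the default secret
    return True


# Constructed placeholder PEM; real material comes from your CA (not usable as keys).
SAMPLE_RSA_KEY = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER-RSA-KEY\n-----END PRIVATE KEY-----\n"
SAMPLE_RSA_CRT = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER-RSA-CERT\n-----END CERTIFICATE-----\n"
SAMPLE_ECC_KEY = "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER-ECC-KEY\n-----END PRIVATE KEY-----\n"
SAMPLE_ECC_CRT = "-----BEGIN CERTIFICATE-----\nCONSTRUCTED-PLACEHOLDER-ECC-CERT\n-----END CERTIFICATE-----\n"

# Constructed Ingress object mirroring the page's ingress1 example.
SAMPLE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1",
    "kind": "Ingress",
    "metadata": {"name": "ingress1", "annotations": {ENABLE_TLS_ANNOTATION: "true"}},
    "spec": {
        "ingressClassName": "avi-lb",
        "rules": [{"host": "ingr1.avi.internal", "http": {"paths": [
            {"path": "/foo", "pathType": "Prefix",
             "backend": {"service": {"name": "avisvc1", "port": {"number": 80}}}}]}}],
    },
}

if __name__ == "__main__":
    secret = build_default_secret(SAMPLE_RSA_KEY, SAMPLE_RSA_CRT, SAMPLE_ECC_KEY, SAMPLE_ECC_CRT)
    print(json.dumps(secret, indent=2))  # JSON is accepted by: kubectl apply -f -
    print("default secret applies:", default_secret_applies(SAMPLE_INGRESS, "ingr1.avi.internal"))
```

Running the script prints the Secret manifest as JSON, which kubectl apply accepts directly, and reports whether the sample Ingress would fall back to the default secret. Because the HostRule precedence is evaluated per host, feed default_secret_applies the set of FQDNs your HostRules bind to an SSL Key Cert, and pair it with wildcard_covers to confirm the default certificate's name actually covers each host before relying on it.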