Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

request help: How to configure TLS communication between ingress controller and control plane? #2324

Open
sereneshikari opened this issue Nov 18, 2024 · 0 comments
Open

request help: How to configure TLS communication between ingress controller and control plane? #2324

sereneshikari opened this issue Nov 18, 2024 · 0 comments

Comments

@sereneshikari
Copy link

Issue description

The configuration file specifies a field for the Apisix control plane URL (apisix.default_cluster_base_url) but I don't see a field to specify the location to the public certificate of the CA that signed the control plane certificate. I see the following errors in the logs:

2024-11-18T04:36:20Z    error    apisix/route.go:90    failed to list routes: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:20Z    error    apisix/cluster.go:298    failed to list routes in APISIX: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:20Z    error    apisix/plugin.go:46    failed to list plugins' names: Get "https://apisix-control-plane:9180/apisix/admin/plugins?all=true": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:20Z    error    apisix/cluster.go:483    failed to list plugin names in APISIX: Get "https://apisix-control-plane:9180/apisix/admin/plugins?all=true": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:20Z    error    apisix/cluster.go:446    failed to sync schema: Get "https://apisix-control-plane:9180/apisix/admin/plugins?all=true": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:22Z    error    apisix/route.go:90    failed to list routes: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:22Z    error    apisix/cluster.go:298    failed to list routes in APISIX: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:25Z    error    apisix/route.go:90    failed to list routes: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:25Z    error    apisix/cluster.go:298    failed to list routes in APISIX: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:27Z    error    apisix/route.go:90    failed to list routes: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:27Z    error    apisix/cluster.go:298    failed to list routes in APISIX: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:29Z    error    apisix/route.go:90    failed to list routes: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:29Z    error    apisix/cluster.go:298    failed to list routes in APISIX: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:29Z    error    apisix/cluster.go:258    failed to sync cache    {"cost_time": "8.110990895s", "cluster": "default"}
2024-11-18T04:36:29Z    error    providers/controller.go:418    failed to wait the default cluster to be ready: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:29Z    warn    providers/controller.go:219    found a new leader apisix-ingress-controller-6976b5d5d5-wqw2f

Could you please let me know how to configure secure TLS communication between ingress controller and control plane?

Environment

  • your apisix-ingress-controller version (output of apisix-ingress-controller version --long):
$ apisix-ingress-controller version --long
Version: 1.8.2
Git SHA: 57b5aee
Go Version: go1.21.11
Building OS/Arch: linux/amd64
Running OS/Arch: linux/amd64
  • your Kubernetes cluster version (output of kubectl version):
$ kubectl version
Client Version: v1.31.1
Kustomize Version: v5.4.2
Server Version: v1.31.2+rke2r1
  • if you run apisix-ingress-controller in Bare-metal environment, also show your OS version (uname -a): N/A
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@sereneshikari