Use cert-manager and self signed cert for upstream tls with konghq.com/ca-certificates-secrets

[lucatiozzo91]

Hi all,

I'm trying to configure upstream TLS validation between the Kong Ingress Controller and my backend service, using self-signed certificates managed by cert-manager.

Context

My setup is as follows:

I am using cert-manager to create a self-signed root CA.

I have issued a server certificate for my backend service (let's call it dummy-app-tls), signed by this root CA. This creates a kubernetes.io/tls secret named dummy-app-tls-tls.

The backend service is correctly deployed and serves HTTPS.

I can successfully verify the backend's certificate from within the cluster using curl --cacert /path/to/root-ca.crt https://dummy-app-tls.dummy-app-tls.svc.

If I configure Kong to proxy to the service without TLS validation (e.g., by disabling verification), it works fine.

The Problem

Now, I want to enable strict TLS validation. Following the Kong documentation (like this guide: https://developer.konghq.com/kubernetes-ingress-controller/verify-upstream-tls/), I am trying to use the konghq.com/ca-certificates-secrets='root-ca' annotation on my Kubernetes Service (where root-ca is the secret containing my root CA certificate).

When I do this, the Kong controller logs show the following error:

Invalid CA certificate 'dummy-app-tls/dummy-app-tls-tls': missing 'id' field in data

My Analysis & Question

This error is confusing. Furthermore, looking at the example in the documentation, it seems Kong expects the secret's data section to contain a id=UUID?? as a key, not the standard ca.crt key that cert-manager creates. This seems incompatible with cert-manager's standard output.

How can I resolve this? I want to keep using cert-manager for all my certificates, but I need Kong to trust my self-signed root CA for upstream validation.

Am I using the wrong annotation, or is there a different, modern way to provide the CA to Kong that is compatible with cert-manager?

Thanks in advance!