Accessing kafka from ingress nginx tls problem

[mug3n451]

We have configured external listener with ingress type. We have an nginx ingress-controller. This is the configuration we have used to create kafka resource. We use custom certificate generated by cert-manager but not ExternalDNS. For the configuration we have followed this guide https://strimzi.io/blog/2021/05/07/deploying-kafka-with-lets-encrypt-certif icates/

apiVersion: kafka.strimzi.io/v1beta2
kind: Kafka
metadata:
  name: strimzi-cl0
spec:
  kafka:
    version: 2.8.0
    replicas:3
    resources:
      {{ ... }}
    listeners:
      - name: plain
        port: 9092
        type: internal
        tls: false
      - name: tls
        port: 9093
        type: internal
        tls: true
        authentication:
          type: scram-sha-512
        configuration:
          brokerCertChainAndKey:
            secretName: kafka-cert-cl0
            certificate: tls.crt
            key: tls.key
      - name: external
        port: 9094
        type: ingress
        tls: true
        authentication:
          type: scram-sha-512
        configuration:
          bootstrap:
            host: cl0-bootstrap.example.corp
          brokers:
          - broker: 0
            host: cl0-kafka-0.example.corp
          - broker: 1
            host: cl0-kafka-1.example.corp
          - broker: 2
            host: cl0-kafka-2.example.corp
	      class: nginx
          brokerCertChainAndKey:
            secretName: kafka-cert-cl0
            certificate: tls.crt
            key: tls.key
    authorization:
      superUsers:
        - kafka-user-cl0
      type: simple
    config:
      {...}
    storage:
      type: jbod
      volumes:
      {...}
  zookeeper:
    {...}

The issue is that when we try the command
openssl s_client -connect cl0-bootstrap.example.corp:443 -servername cl0-bootstrap.example.corp

we have a tls error about the commonname of the certificate that not match. infact when we examine the certificate we see that ingress use the ones created by kubernetes (Kubernetes Fake certificate) and not the ones we provide.
Also in tge ingress configuration we don't see any reference to the certificate's secrets.
Is there an error in the configuration? How can we solve the issue?
Thanks to all.

[scholzj]

If it presents the Kubernetes Fake Certificate, it suggests you did not enabled the TLS passthrough in your Kubernetes Nginx Ingress Ingress Controller.

[rajjaiswalsaumya]

This is the exact same problem in my case too. I have enabled ssl pass through in nginx still getting tls error from nginx

[treyhendon]

We had difficulty early on getting the passthrough configured because of some nginx configuration differences (ingress vs vanilla). Here are the scripts for how we installed nginx to get this working.

helm repo add ingress-nginx https://kubernetes.github.io/ingress-nginx
helm repo update

helm upgrade --install ingress-nginx-strimzi ingress-nginx/ingress-nginx \
    --set controller.extraArgs.enable-ssl-passthrough=true \
    --set controller.service.enableHttp=false