kubevirt-manager certificate CN not set correctly
Summary
Kubevirt-manager is not presenting the correct SSL certificate.
related references
When kubevirt-manager is deployed on a workload cluster, an ingress object is also created. The ingress has the following FQDN: kubevirt-manager.<cluster_name>.wclusters.sylva
Details
$ kubectl --kubeconfig testcl-kubeconfig get ingress -A
NAMESPACE          NAME               CLASS   HOSTS                                     ADDRESS          PORTS     AGE
kubevirt-manager   kubevirt-manager   nginx   kubevirt-manager.testcl.wclusters.sylva   192.168.242.36   80, 443   93m
The ingress is not pointing to the correct secret name: it currently points to kubevirt-manager-certificate, whereas it should point to the kubevirt-manager-tls secret (output truncated):
---
  spec:
    ingressClassName: nginx
    rules:
    - host: kubevirt-manager.testcl.wclusters.sylva
      http:
        paths:
        - backend:
            service:
              name: kubevirt-manager
              port:
                number: 8080
          path: /
          pathType: ImplementationSpecific
    tls:
    - hosts:
      - kubevirt-manager.testcl.wclusters.sylva
      secretName: kubevirt-manager-certificate
  status:
    loadBalancer:
      ingress:
      - ip: 192.168.242.36
kind: List
metadata:
  resourceVersion: ""
Now, if we check the kubevirt-manager certificate, we see that the commonName and dnsNames do not match our ingress name:
$ export KUBECONFIG=testcl-kubeconfig
$ kubectl get certificates -n kubevirt-manager -o yaml
apiVersion: v1
items:
- apiVersion: cert-manager.io/v1
  kind: Certificate
  metadata:
    creationTimestamp: "2024-12-10T09:10:54Z"
    generation: 1
    labels:
      kustomize.toolkit.fluxcd.io/name: kubevirt-manager
      kustomize.toolkit.fluxcd.io/namespace: testcl
    name: kubevirt-manager-certificate
    namespace: kubevirt-manager
    resourceVersion: "3095733"
    uid: da13f958-78ef-49fe-b0f5-06e7e541cb84
  spec:
    commonName: kubevirt-manager.sylva
    dnsNames:
    - kubevirt-manager.sylva
    - localhost
    duration: 2160h0m0s
    emailAddresses:
    - surname.name@sylva.org
    ipAddresses:
    - 127.0.0.1
    issuerRef:
      kind: ClusterIssuer
      name: ca-issuer
    renewBefore: 360h0m0s
    secretName: kubevirt-manager-tls
    subject:
      countries:
      - eu
      organizationalUnits:
      - DEV
      organizations:
      - Sylva
  status:
    conditions:
    - lastTransitionTime: "2024-12-10T09:10:56Z"
      message: Certificate is up to date and has not expired
      observedGeneration: 1
      reason: Ready
      status: "True"
      type: Ready
    notAfter: "2025-03-10T09:10:56Z"
    notBefore: "2024-12-10T09:10:56Z"
    renewalTime: "2025-02-23T09:10:56Z"
    revision: 1
kind: List
metadata:
  resourceVersion: ""
I presume that, because the certificate commonName, dnsNames and the secret name present in the ingress definition do not match, the ingress presents the default nginx SSL certificate, which is called Kubernetes Ingress Controller Fake Certificate.
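
The mismatch described in this report can be checked mechanically. The following is an added example, not part of the original issue or of the Sylva code base: it cross-checks Ingress TLS entries against cert-manager Certificates as they appear in the JSON output of kubectl. The function names and the reduced sample objects are assumptions made for illustration.

```python
def dns_name_covers(pattern, host):
    """True if a certificate dnsName covers host; '*' matches one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    return p[1:] == h[1:] and p[0] in ("*", h[0])


def audit_ingress_tls(ingresses, certificates):
    """Return (ingress name, problem) tuples; an empty list means consistent."""
    findings = []
    for ing in ingresses:
        ns, name = ing["metadata"]["namespace"], ing["metadata"]["name"]
        certs = [c for c in certificates if c["metadata"]["namespace"] == ns]
        for tls in ing["spec"].get("tls", []):
            secret = tls.get("secretName")
            # A Certificate writes its key pair to spec.secretName, not metadata.name.
            issued = [c for c in certs if c["spec"]["secretName"] == secret]
            if not issued:
                msg = f"secret {secret!r} is not written by any Certificate"
                for c in certs:
                    if c["metadata"]["name"] == secret:
                        msg += f"; Certificate {secret!r} writes {c['spec']['secretName']!r}"
                findings.append((name, msg))
            # Clients validate the SAN list, so only dnsNames are compared.
            sans = [d for c in (issued or certs) for d in c["spec"].get("dnsNames", [])]
            for host in tls.get("hosts", []):
                if not any(dns_name_covers(d, host) for d in sans):
                    findings.append((name, f"host {host!r} not covered by dnsNames {sans}"))
    return findings


# Constructed sample input: the report's two objects, reduced to the fields used.
SAMPLE_INGRESSES = [{
    "metadata": {"namespace": "kubevirt-manager", "name": "kubevirt-manager"},
    "spec": {"tls": [{"hosts": ["kubevirt-manager.testcl.wclusters.sylva"],
                      "secretName": "kubevirt-manager-certificate"}]},
}]
SAMPLE_CERTIFICATES = [{
    "metadata": {"namespace": "kubevirt-manager", "name": "kubevirt-manager-certificate"},
    "spec": {"secretName": "kubevirt-manager-tls",
             "dnsNames": ["kubevirt-manager.sylva", "localhost"]},
}]

if __name__ == "__main__":
    for ingress, problem in audit_ingress_tls(SAMPLE_INGRESSES, SAMPLE_CERTIFICATES):
        print(f"{ingress}: {problem}")
```

On the sample it reports two independent problems: the ingress references the Certificate's resource name instead of its secretName, and the ingress host is absent from dnsNames, so correcting the secret name alone would still leave a certificate that does not match the FQDN.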