Custom certificates not being used when upgrading from 2.2.0 to 2.5.0
Summary
- Kong version ($ kong version): 2.5.0
- After upgrading to 2.5.0 from 2.2.0, custom certificate is not used. Kong falls back to its self-signed certificate.
Steps To Reproduce
We are using Kong to proxy gRPC traffic. We've set up a custom certificate by setting the following env variables:
KONG_NGINX_PROXY_SSL_CERTIFICATE: /etc/secrets/kong-grpc-proxy-ssl-cert/chained.pem
KONG_NGINX_PROXY_SSL_CERTIFICATE_KEY: /etc/secrets/kong-grpc-proxy-ssl-key/key.pem
KONG_NGINX_PROXY_SSL_CLIENT_CERTIFICATE: /etc/secrets/kong-grpc-proxy-client-cert/ca.crt
Upon upgrading from 2.2.0 to 2.5.0, Kong is now using its own self-signed certificate, causing clients to fail on TLS.
Additional Details & Logs
- Kong is deployed in k8s using the official Helm chart. We're using version 1.9.1.
I've narrowed down that the issue started in 2.3.0.
Hi @jeffyanta! Can you please share the command line used to start Kong and the rendered nginx-kong.conf? If for some reason those environment variable values are not being rendered there, it's not going to work.
@locao We're deploying Kong to k8s via your Helm chart (version 1.9.1), so we're using the default Docker entrypoint. I am seeing the configuration being injected under the nginx_proxy_* directives section in nginx-kong.conf when I exec into a pod.
The values that are being injected:
ssl_certificate /etc/secrets/kong-grpc-proxy-ssl-cert/chained.pem;
ssl_certificate_key /etc/secrets/kong-grpc-proxy-ssl-key/key.pem;
ssl_client_certificate /etc/secrets/kong-grpc-proxy-client-cert/ca.crt;
The fix is to use the ssl_cert and ssl_cert_key helm config options rather than the nginx directives.
@jeffyanta Does the suggestion above solve the issue for you? Please reopen if not.
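A post-upgrade check for the symptom reported in this thread, added here as an example and not taken from the issue or from Kong: it compares the SHA-256 fingerprint of the first certificate in chained.pem with the certificate the proxy listener actually presents, so a fallback to the self-signed certificate shows up as a mismatch. The function names, the command-line arguments and the constructed sample bundle are assumptions.

```python
import base64
import hashlib
import re
import socket
import ssl
import sys

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

def to_pem(der):
    """Wrap DER bytes in PEM armor (used only to build the constructed sample)."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample: placeholder bytes, not real certificates. Leaf first,
# then the intermediate, the order a chained.pem is expected to have.
CONSTRUCTED_BUNDLE = to_pem(b"constructed-leaf") + to_pem(b"constructed-intermediate")

def leaf_fingerprint(pem_text):
    """SHA-256 (hex) of the first certificate in a PEM bundle."""
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no certificate found in PEM text")
    der = base64.b64decode("".join(match.group(1).split()))
    return hashlib.sha256(der).hexdigest()

def served_fingerprint(host, port, server_name=None):
    """SHA-256 (hex) of the certificate the listener presents."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    # Inspection only: validation is off so a self-signed fallback is still readable.
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name or host) as tls:
            return hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()

def compare(expected_pem_text, served_hex):
    """Report whether the served certificate is the configured leaf."""
    expected = leaf_fingerprint(expected_pem_text)
    return {"expected": expected, "served": served_hex,
            "match": expected == served_hex}

if __name__ == "__main__":
    # Usage (hypothetical): check_cert.py /path/to/chained.pem HOST PORT
    with open(sys.argv[1]) as fh:
        result = compare(fh.read(), served_fingerprint(sys.argv[2], int(sys.argv[3])))
    print(result)
    sys.exit(0 if result["match"] else 1)
```

Run it against the proxy listener before and after the upgrade; a non-zero exit means the listener is serving something other than the configured leaf certificate.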