sereneshikari opened a new issue, #2324: URL: https://github.com/apache/apisix-ingress-controller/issues/2324
### Issue description

The configuration file specifies a field for the Apisix control plane URL (`apisix.default_cluster_base_url`) but I don't see a field to specify the location to the public certificate of the CA that signed the control plane certificate. I see the following errors in the logs:

```
2024-11-18T04:36:20Z error apisix/route.go:90 failed to list routes: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:20Z error apisix/cluster.go:298 failed to list routes in APISIX: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:20Z error apisix/plugin.go:46 failed to list plugins' names: Get "https://apisix-control-plane:9180/apisix/admin/plugins?all=true": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:20Z error apisix/cluster.go:483 failed to list plugin names in APISIX: Get "https://apisix-control-plane:9180/apisix/admin/plugins?all=true": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:20Z error apisix/cluster.go:446 failed to sync schema: Get "https://apisix-control-plane:9180/apisix/admin/plugins?all=true": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:22Z error apisix/route.go:90 failed to list routes: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:22Z error apisix/cluster.go:298 failed to list routes in APISIX: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:25Z error apisix/route.go:90 failed to list routes: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:25Z error apisix/cluster.go:298 failed to list routes in APISIX: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:27Z error apisix/route.go:90 failed to list routes: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:27Z error apisix/cluster.go:298 failed to list routes in APISIX: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:29Z error apisix/route.go:90 failed to list routes: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:29Z error apisix/cluster.go:298 failed to list routes in APISIX: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:29Z error apisix/cluster.go:258 failed to sync cache {"cost_time": "8.110990895s", "cluster": "default"}
2024-11-18T04:36:29Z error providers/controller.go:418 failed to wait the default cluster to be ready: Get "https://apisix-control-plane:9180/apisix/admin/routes": tls: failed to verify certificate: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "apisix-ca")
2024-11-18T04:36:29Z warn providers/controller.go:219 found a new leader apisix-ingress-controller-6976b5d5d5-wqw2f
```

Could you please let me know how to configure secure TLS communication between ingress controller and control plane?

### Environment

- your apisix-ingress-controller version (output of apisix-ingress-controller version --long):

```
$ apisix-ingress-controller version --long
Version: 1.8.2
Git SHA: 57b5aee
Go Version: go1.21.11
Building OS/Arch: linux/amd64
Running OS/Arch: linux/amd64
```

- your Kubernetes cluster version (output of kubectl version):

```
$ kubectl version
Client Version: v1.31.1
Kustomize Version: v5.4.2
Server Version: v1.31.2+rke2r1
```

- if you run apisix-ingress-controller in Bare-metal environment, also show your OS version (uname -a): N/A
