Does Ingress Support Proxy Service Certificate Verification? #12883

Open
heijian123 opened this issue Feb 22, 2025 · 2 comments
Labels
kind/support Categorizes issue or PR as a support question. needs-priority triage/needs-information Indicates an issue needs more information in order to work on it.

Comments


heijian123 commented Feb 22, 2025

What happened:
Server certificate verification is configured on the ingress, but the ingress fails to verify the server certificate.
The annotation is as follows in ingress:
```
nginx.ingress.kubernetes.io/proxy-ssl-secret: fst-manage/tenant-management-service-server
nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
```

The tenant-management-service-server secret and backend services trust each other. After I run the curl command to access the ingress, an error is reported in the ingress log.

```
curl -ivk https://ingress-proxy-er.fst-manage.svc.cluster.local:31942/v2/charts
```

The error message:

```
2025/02/20 13:41:00 [error] 17473#17473: *8390068 upstream SSL certificate does not match "upstream_balancer" while SSL handshaking to upstream, client: 172.16.0.1, server: _, request: "GET /v2/charts HTTP/2.0", upstream: "https://172.16.0.7:12443/v2/charts", host: "ingress-proxy-er.fst-manage.svc.cluster.local:31942"
```

What you expected to happen:
Certificate authentication is successful.

NGINX Ingress controller version (exec into the pod and run /nginx-ingress-controller --version):
NGINX Ingress controller
Release: v1.9.4

Kubernetes version (use kubectl version):
v1.28.1

Environment:

  • Cloud provider or hardware configuration:

  • OS (e.g. from /etc/os-release):

  • Kernel (e.g. uname -a):

  • Install tools:

    • Please mention how/where was the cluster created like kubeadm/kops/minikube/kind etc.
  • Basic cluster related info:

    • kubectl version
    • Client Version:v1.28.1
    • Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
    • Server Version: v1.28.1
    • kubectl get nodes -o wide
    • 1 control plane nodes, 1 workers
  • How was the ingress-nginx-controller installed:

    • If helm was used then please show output of helm ls -A | grep -i ingress
    • If helm was used then please show output of helm -n <ingresscontrollernamespace> get values <helmreleasename>
    • If helm was not used, then copy/paste the complete precise command used to install the controller, along with the flags and options used
    • if you have more than one instance of the ingress-nginx-controller installed in the same cluster, please provide details for all the instances
  • Current State of the controller:

    • kubectl describe ingressclasses
    • kubectl -n <ingresscontrollernamespace> get all -A -o wide
    • kubectl -n <ingresscontrollernamespace> describe po <ingresscontrollerpodname>
    • kubectl -n <ingresscontrollernamespace> describe svc <ingresscontrollerservicename>
  • Current state of ingress object, if applicable:

    • kubectl -n <appnamespace> get all,ing -o wide
    • kubectl -n <appnamespace> describe ing <ingressname>
    • If applicable, then, your complete and exact curl/grpcurl command (redacted if required) and the response to the curl/grpcurl command with the -v flag
  • Others:

    • Any other related information like ;
      • copy/paste of the snippet (if applicable)
      • kubectl describe ... of any custom configmap(s) created and in use
      • Any other related information that may help

How to reproduce this issue:
Do not use the configuration:
```
nginx.ingress.kubernetes.io/proxy-ssl-secret: fst-manage/tenant-management-service-server
nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
```

Anything else we need to know:

@heijian123 heijian123 added the kind/bug Categorizes issue or PR as related to a bug. label Feb 22, 2025
@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Feb 22, 2025
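
An added example, not part of the original issue or of the project's own manifests: the log line in the report shows the backend certificate being checked against "upstream_balancer", which is the controller's internal proxy_pass host and the name nginx verifies against unless proxy_ssl_name is set. The manifest below pairs the two annotations from the report with `proxy-ssl-name` and `proxy-ssl-server-name`. The Ingress name, namespace, class, path and Service name are hypothetical, and the `proxy-ssl-name` value is a placeholder.

```yaml
# Added example. Values marked "hypothetical" or "placeholder" are assumptions,
# not taken from the reporter's cluster.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tenant-management            # hypothetical
  namespace: fst-manage              # assumed from the secret reference in the issue
  annotations:
    # The backend in the log is reached over https://, so proxy with TLS.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    # From the issue. For verification the secret must carry ca.crt (the CA
    # that signed the backend certificate) in addition to tls.crt/tls.key.
    nginx.ingress.kubernetes.io/proxy-ssl-secret: fst-manage/tenant-management-service-server
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
    # Name the backend certificate is verified against. Left unset, nginx
    # uses the proxy_pass host, which is "upstream_balancer" here.
    # Placeholder: replace with a DNS name listed in the backend cert's SAN.
    nginx.ingress.kubernetes.io/proxy-ssl-name: "<dns-name-from-backend-cert-san>"
    # Send that same name as SNI when connecting to the backend.
    nginx.ingress.kubernetes.io/proxy-ssl-server-name: "on"
spec:
  ingressClassName: nginx            # hypothetical
  rules:
    - host: ingress-proxy-er.fst-manage.svc.cluster.local
      http:
        paths:
          - path: /v2/charts
            pathType: Prefix
            backend:
              service:
                name: tenant-management-service   # hypothetical
                port:
                  number: 12443      # upstream port seen in the error log
```

Verification stays on in this form; the only change is which name the certificate is compared with, so a certificate issued for a different name still fails the handshake.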
longwuyuan (Contributor) commented

/remove-kind bug
/kind support
/triage needs-information

@heijian123 the information you have provided is not enough to understand or reproduce any problem.

You seem to assume that 2 annotations and one error message is enough for readers to guess all the small tiny details of the environment but that is not true.

Please provide answers to all the questions asked in the new bug report template so that readers can know the small tiny details of your environment and your configuration. That way someone can try to reproduce the problem.

@k8s-ci-robot k8s-ci-robot added kind/support Categorizes issue or PR as a support question. triage/needs-information Indicates an issue needs more information in order to work on it. and removed kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Feb 22, 2025
heijian123 (Author) commented

@longwuyuan Is that understandable?
